Hello.
Do we need to verify the HMAC during the initial app redirect (installation phase)? If yes, which fields in the initial payload are involved? Also, should we validate the HMAC signature when we receive the OAuth2 request with the authorization code? And, which secret should we use for signing the payload?
Thank you.
Hey @arkadi-kreichma
Verify the installation request? Yep, here's how.
Validate authorization code? Yep, here's how.
Which secret key? The secret key is the `client secret` from the Partner dashboard > Select the app.
Scott | Developer Advocate @ Shopify
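The check discussed in this thread, as an added example that is not part of the original posts and is not Shopify's own code. It applies the same verification to both the installation request and the authorization-code callback, keyed with the app's client secret. It assumes the signed message is every query parameter except `hmac`, sorted by key and joined as `key=value` with `&`, with a hex HMAC-SHA256 digest; the function names, sample query and secret are constructed.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl

# Constructed placeholder; the real value is the app's client secret.
CLIENT_SECRET = "constructed-client-secret"


def expected_hmac(query_string: str, client_secret: str) -> str:
    """Hex HMAC-SHA256 over all query parameters except `hmac`."""
    pairs = parse_qsl(query_string, keep_blank_values=True)
    keys = [k for k, _ in pairs]
    # A repeated parameter makes the signed message ambiguous, so refuse it.
    if len(keys) != len(set(keys)):
        raise ValueError("duplicate query parameter")
    # Assumption: message is the remaining pairs sorted by key, "k=v" joined by "&".
    message = "&".join(f"{k}={v}" for k, v in sorted(pairs) if k != "hmac")
    return hmac.new(client_secret.encode(), message.encode(),
                    hashlib.sha256).hexdigest()


def verify_request(query_string: str, client_secret: str) -> bool:
    """True only if the `hmac` parameter matches the recomputed digest."""
    params = dict(parse_qsl(query_string, keep_blank_values=True))
    received = params.get("hmac", "")
    try:
        expected = expected_hmac(query_string, client_secret)
    except ValueError:
        return False
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), received.encode())


if __name__ == "__main__":
    # Constructed callback query (not captured from a real store).
    query = ("code=constructedcode&shop=example-store.myshopify.com"
             "&state=n0nce&timestamp=1700000000")
    signed = query + "&hmac=" + expected_hmac(query, CLIENT_SECRET)
    print(verify_request(signed, CLIENT_SECRET))   # valid request
    tampered = signed.replace("example-store", "other-store")
    print(verify_request(tampered, CLIENT_SECRET))  # modified shop value
```

Run the check on the raw query string before acting on `shop` or exchanging `code` for a token.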