I'm struggling to come up with a reliable architecture to do what I want. Here's my use case. I have a standard Shopify Theme, the ReCharge API (it could be any other) and a Shopify Custom App. What I want to achieve is to add basic functionality from the ReCharge Customer Portal to my shop. The flow is: Shopify -> Custom App -> ReCharge API. The thing is that I set up a Proxy between the Theme and the Custom App that strips cookies etc. from the request. The first part was to secure the Custom App from outside calls, which was pretty straightforward using the OAuth guides. The problem for now is how to distinguish an authorized user's call from an anonymous one. The thing is that the custom app for now accepts every request from our shop, which means that if someone knows another customer's customer_id they can simply, in a console or with some XSS attack, for example order some things for that other customer. Is it even possible to come up with a reliable solution here? I thought about doing some token verification: I would generate a token on customer login, but it seems that we can't check user credentials using the Shopify Admin API.
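
An added example, not part of the original post: one way a custom app can take the customer identity from the proxy instead of from a client-supplied `customer_id`. It assumes the proxy is a Shopify app proxy, which appends `logged_in_customer_id` and an HMAC-SHA256 `signature` keyed with the app's secret to each forwarded request; the function names, the secret and the sample values are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed placeholder; a real app loads its API secret from configuration.
SHARED_SECRET = b"constructed-example-secret"


def proxy_signature(params, secret):
    """HMAC-SHA256 over the sorted 'key=value' pairs, joined with no separator.

    `params` maps each key to a list of values; multiple values are comma-joined.
    """
    message = "".join(sorted(f"{k}={','.join(v)}" for k, v in params.items()))
    return hmac.new(secret, message.encode(), hashlib.sha256).hexdigest()


def authenticated_customer_id(query_string, secret=SHARED_SECRET):
    """Return the customer id vouched for by the proxy signature, or None."""
    params = parse_qs(query_string, keep_blank_values=True)
    supplied = params.pop("signature", [""])[0]
    expected = proxy_signature(params, secret)
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return None  # not forwarded by the proxy, or modified on the way
    # An empty value means the storefront visitor is not logged in.
    return params.get("logged_in_customer_id", [""])[0] or None


def authorize(query_string, requested_customer_id, secret=SHARED_SECRET):
    """Allow the call only when the signed identity matches the target customer."""
    customer = authenticated_customer_id(query_string, secret)
    return customer is not None and customer == str(requested_customer_id)


def sign_query(params, secret=SHARED_SECRET):
    """Test helper: build a query string the way the proxy would sign it."""
    signature = proxy_signature({k: [v] for k, v in params.items()}, secret)
    return urlencode({**params, "signature": signature})
```

With this check in place the app acts on the signed `logged_in_customer_id` and never on an id sent in the request body, so knowing another customer's id is not enough to act for them.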