We are trying to find a way to secure Payments extensions - "Payment URLs" for our Shopify App for these:
These are pointing to internal API endpoints on our end. We need a way to add "x-api-key" header to the requests to secure the calls on our API Gateway from Shopify redirects. How can we do that?
Or do you recommend an alternative way?
How do you secure the above calls from Shopify? There doesn't seem to be a way to add headers to these calls.
Use mTLS: https://shopify.dev/apps/payments/general-transaction-requirements#mtls-configuration