Hi, I am building a Shopify app whose backend will call a custom API endpoint (let's call this EndpointB). EndpointB controls the database that powers the Shopify app we are building. I want to implement EndpointB so that it checks whether the consumer is authorized to access the data it's requesting. For example, the admin of a Shopify online store can only access the data of that store in EndpointB's database. This is the first point of auth in the entire pipeline. The second point of auth is between the Shopify app frontend and the Shopify app backend. This part is more straightforward and is handled by the boilerplate code provided by Shopify.
Now, my problem is: how should the auth module in EndpointB sync up with the auth between the Shopify app frontend and backend?
Should EndpointB implement its own session token issuance and refresh? If that's the case, the secret used to build the JWT needs to be passed from EndpointB to the Shopify app backend. How should this transfer be done programmatically and securely? And the Shopify app backend would need to store the session token somewhere. Is that a good practice? For example, for the Shopify app backend to use a database to store the session token and link the token to a particular Shopify user.
Another approach is to use API keys. In this case EndpointB needs to store all of these API keys for lookup, and the Shopify app backend also needs to store the API keys. How can this be done nicely and programmatically? And if multiple stores install the Shopify app, all of the stores will use the same Shopify app backend database. How should these API keys be managed in this setup?
I am quite confused at this point. I would greatly appreciate it if someone could shed some light on the best practice for performing proper auth on the separate EndpointB endpoint.
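As an added illustration (not part of the original post) of the token-based option the question raises: the app backend mints a short-lived HS256 JWT whose "shop" claim names one store, and EndpointB verifies the signature and expiry and then refuses any request for a store other than the one in the claim. The shared secret, shop domains and timestamps are constructed placeholders; a real deployment would use a vetted JWT library and distribute the secret through a secrets manager.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed illustration: the Shopify app backend (issuer) and EndpointB (verifier)
# share one secret. Every token is bound to a single shop, so EndpointB can scope
# data access without trusting a shop identifier sent in the request body.

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(secret: bytes, shop: str, now: int, ttl: int = 300) -> str:
    """Backend side: mint a short-lived token bound to one shop domain."""
    compact = {"separators": (",", ":")}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload = _b64url(json.dumps({"shop": shop, "iat": now, "exp": now + ttl}, **compact).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(secret: bytes, token: str, now: int) -> Optional[dict]:
    """EndpointB side: check algorithm, signature and expiry; return claims or None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # refuse "none" or algorithm switching
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):  # constant-time compare
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except (ValueError, TypeError):
        return None
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None
    return claims

def authorize_store_access(secret: bytes, token: str, requested_shop: str, now: int) -> bool:
    """EndpointB: a valid token may only read the store named in its own 'shop' claim."""
    claims = verify_token(secret, token, now)
    return claims is not None and claims.get("shop") == requested_shop
```

A constructed run: a token for alpha.myshopify.com is accepted for that store, rejected for beta.myshopify.com, and rejected once its five-minute lifetime has passed.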