Session Token acquisition in non-embedded, public app development?

Sorry, similar questions have been asked before, but I am still confused.

Background

* My app is currently in development.  It will be a public, non-embedded app.

* I have a partner account with a development store up and running for testing.

* The app will only integrate with stores on the Orders page via extension links.

* I used the Shopify app generator to create a basic app, just so I could get it initially added to my partner account.

* I have a website that will be the target of the extension links.

* I have created a landing page at my website to be the target of my Shopify app.

* I know my apiKey and apiSecret from my App on my Shopify Partners page.

Now, when I go to my App on my Shopify Partners account, there is a "Test your app" section.  I select the store, it goes to an authorization page for the store saying my app will want access to Orders (and other things).  I agree and it transfers navigation to my website, just like I expect.

Here's where doesn't act like I expect.  When it navigates to my website, it sends these parameters:

* hmac

* host

* shop

* timestamp

I don't see how my website can authenticate and call the Shopify API using that information.  The docs hint that an additional "code" parameter would be passed, but it's not there.

Questions:

* Is the act of selecting my store for testing supposed to act like a user installed the App from the Shopify App store?  

* Should I be receiving additional information I can use to authenticate with the Shopify API (so I can read orders) from my website?

I sure would appreciate help.  Can you help me understand what is going on?  Anyone have a link to some code or an article that would help me?