This must be determined by your own app’s logic when it receives a request. For example, when my app receives a request I check the shop origin against my database to confirm if I have a valid access token; if I do not, then I will redirect them to the OAuth permission URL.