Authenticated fetch for new cookie policy error

Hi @stheticsoftware

You are right about HMAC. It can be used to verify that the request is coming from Shopify. However, HMAC has a couple of limitations:

  • It is only available in the first request. A single page app might have problems validating subsequent requests.
  • It is in the request query param, which can be hijacked very easily. You often need to combine it with a timestamp to invalidate the request.

The new sessionToken is a better option in terms of authentication.
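
The HMAC-plus-timestamp check mentioned in the reply above, as an added Node.js example that is not part of the original post or Shopify's own code. It assumes the signature is a hex HMAC-SHA256 over the remaining query parameters sorted by key and joined as `key=value` with `&`; the secret, shop name, function names and 60-second window are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Assumption: maximum accepted age of a signed request, in seconds.
const MAX_AGE_SECONDS = 60;

// Rebuild the signed message: every parameter except `hmac`, sorted by key,
// joined as key=value pairs with '&'.
function canonicalMessage(params) {
  return [...params.entries()]
    .filter(([key]) => key !== 'hmac')
    .sort(([a], [b]) => (a < b ? -1 : a > b ? 1 : 0))
    .map(([key, value]) => `${key}=${value}`)
    .join('&');
}

function sign(params, secret) {
  return crypto.createHmac('sha256', secret).update(canonicalMessage(params)).digest('hex');
}

// Returns { ok, reason }. `nowSeconds` is injectable so the check is testable.
function verifyRequest(queryString, secret, nowSeconds = Math.floor(Date.now() / 1000)) {
  const params = new URLSearchParams(queryString);
  const supplied = Buffer.from(params.get('hmac') || '', 'utf8');
  const expected = Buffer.from(sign(params, secret), 'utf8');
  // timingSafeEqual throws on length mismatch, so compare lengths first.
  if (supplied.length !== expected.length || !crypto.timingSafeEqual(supplied, expected)) {
    return { ok: false, reason: 'bad-hmac' };
  }
  // The timestamp is covered by the HMAC, so it is only trusted after that check passes.
  const ts = Number(params.get('timestamp'));
  if (!Number.isInteger(ts) || Math.abs(nowSeconds - ts) > MAX_AGE_SECONDS) {
    return { ok: false, reason: 'stale' };
  }
  return { ok: true, reason: 'ok' };
}

// Constructed sample input (not real credentials).
const SECRET = 'example-app-secret';
const NOW = 1700000000;
function sampleQuery(timestamp) {
  const p = new URLSearchParams({ shop: 'example-shop.myshopify.com', timestamp: String(timestamp) });
  p.set('hmac', sign(p, SECRET));
  return p.toString();
}
```

A captured query string still verifies until the window closes, and only the first request carries it, which is why later requests from a single page app need a different credential.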