I don’t know Laravel well enough, and I’m not sure exactly what data is passed from your 1st app to your 2nd app. Regardless …
need to change that to jwt session ?
In my opinion, yes.
This would ensure that incoming requests to your 2nd app are coming from Shopify (and not from a malicious attacker).