How to make secure HTTP requests from a Shopify App page

Topic summary

A developer is building their first Shopify app and has successfully implemented HMAC verification for the main app page (loaded in an iframe within Shopify admin). This allows them to verify requests from Shopify and retrieve store-specific information using stored tokens.

Current Challenge:
The developer needs guidance on securely making additional API calls from within the authenticated app page to their own server. Specific scenarios include:

  • Navigating to other pages
  • Making API calls to their backend server
  • Ensuring requests originate from their app and cannot be spoofed

Questions Raised:

  • What is the recommended/best practice approach for securing these subsequent API calls?
  • Should they create a custom signing method (similar to HMAC)?
  • Should they implement a token system generated after initial HMAC authentication?
  • Are they missing an existing standard approach?

The discussion remains open, awaiting community guidance on security best practices for ongoing API communication within Shopify apps.

Summarized with AI on November 14. AI used: claude-sonnet-4-5-20250929.

I’m developing a new app (which is also my first) for the Shopify store. In the main page of my app (e.g. https://admin.shopify.com/store/[a-test-store]/apps/[my-app]) I’ve created a page according to the documented examples.

This page (opened in an IFrame within the Shopify admin) uses the HMAC so I can verify that it’s being opened by Shopify, and to get the current store. Using this information I can get information relevant to that store (using a previously stored token).

My question is: what's the recommended way to make additional API calls from within that page to my server? For example, navigate to another page, or make an API call to my server. I want to make sure that the calls made by my app aren't spoofed.

Is there an existing best practice? Should I create my own signing method (similar to the HMAC)? Create a token system (generated once I authenticated the first page using its HMAC)?

Am I missing something altogether and this isn’t necessary?

Thanks.