@HunkyBill Agreed, I’d prefer to use the shop id (just to be certain). But We can’t depend on callbacks for data security. Callbacks fail, endpoints can be unavailable, etc. FWIK I think that JWT only gives us the user id for the active user and the shop url/domain. That probably isn’t the best information to authenticate using JWT. Does that makes sense?