Hi @BGilbert, thanks for the quick response - not sure if this is answering your question specifically, but I do this:
- Request comes in through my app - validate hostname and HMAC validity. If it passes, they can proceed to the actual app
- At that point, during the app session the user can perform certain app actions which will trigger requests to my server side
- In each request payload to my server side, I include their shopOrigin and use this to look up their access token (which I store in a secure db) which I’ll then use to make fetch requests to the Shopify Admin API
- And finally, I’ll send back the API response (usually manipulated with server-side business logic)
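The hostname and HMAC check described in the first step, as an added example that is not part of the original post or the poster's code. It follows the query-string HMAC scheme Shopify documents for OAuth requests; the function names, the secret and the sample requests are constructed for illustration, and query values are assumed to be plain strings.

```javascript
const crypto = require('crypto');

// Shop hostnames have the form <store>.myshopify.com; anchoring both ends
// rejects lookalikes such as store.myshopify.com.evil.example.
const SHOP_RE = /^[a-zA-Z0-9][a-zA-Z0-9-]*\.myshopify\.com$/;

// Message that is signed: every query parameter except `hmac`,
// sorted by key and joined as key=value pairs with '&'.
function signedMessage(query) {
  return Object.keys(query)
    .filter((k) => k !== 'hmac')
    .sort()
    .map((k) => `${k}=${query[k]}`)
    .join('&');
}

function computeHmac(query, secret) {
  return crypto.createHmac('sha256', secret).update(signedMessage(query)).digest('hex');
}

// Hypothetical helper: returns { ok, reason } for an incoming request's query object.
function verifyInstallRequest(query, secret) {
  if (typeof query.shop !== 'string' || !SHOP_RE.test(query.shop)) {
    return { ok: false, reason: 'invalid shop hostname' };
  }
  // Require exactly 64 lowercase hex chars so both buffers below are 32 bytes.
  if (typeof query.hmac !== 'string' || !/^[0-9a-f]{64}$/.test(query.hmac)) {
    return { ok: false, reason: 'missing or malformed hmac' };
  }
  const expected = Buffer.from(computeHmac(query, secret), 'hex');
  const received = Buffer.from(query.hmac, 'hex');
  // Constant-time comparison avoids leaking how many leading bytes matched.
  if (!crypto.timingSafeEqual(expected, received)) {
    return { ok: false, reason: 'hmac mismatch' };
  }
  return { ok: true, reason: 'verified' };
}

// Constructed sample data (not real credentials or stores).
const SECRET = 'example-app-secret';
const base = { shop: 'example-store.myshopify.com', timestamp: '1700000000', state: 'n0nce' };
const good = { ...base, hmac: computeHmac(base, SECRET) };
const tampered = { ...good, shop: 'other-store.myshopify.com' }; // shop swapped after signing
const badHost = { ...good, shop: 'example-store.myshopify.com.evil.example' };

for (const [name, q] of Object.entries({ good, tampered, badHost })) {
  console.log(name, verifyInstallRequest(q, SECRET));
}
```

The `tampered` case shows why the shop value is only trustworthy when it is covered by a signature the server verifies: changing it after signing fails the check.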