Request authentication: Shopify Plus checkout page

Topic summary

Topic: Verifying and securing requests from a Shopify Plus checkout page to a custom app server.

Key questions:

  • How can a third-party app server reliably verify that an incoming request originates from a legitimate Shopify website rather than Postman or another unauthorized client?
  • Can data be encrypted on the Shopify checkout page and decrypted on the app server using a shared key?
  • Is there a method to perform secure API (AJAX) calls from the checkout page to a custom app, ensuring the calls are authenticated as originating from Shopify and are valid?

Goal and context:

  • Implement a mobile number validation popup during Shopify Plus checkout.
  • Ensure each request to the Azure-hosted app server includes an encrypted, non-visible parameter that cannot be duplicated using tools like Postman.
  • Use this verification to decide subsequent actions based on the legitimacy of the request source.

Status: No solutions or decisions presented yet; the inquiry is open with unanswered implementation details.

Summarized with AI on February 18. AI used: gpt-5.

Need help on a few questions
For the Shopify checkout storefront:

  1. How does the third-party app server identify whether the incoming request is from an authentic Shopify website or from [Postman / a non-authorized site]?
  2. Can we encrypt data using some key on the Shopify checkout page and decrypt it on the app server side?
  3. Is there any way to do secure API calls from the Shopify checkout page (mostly AJAX) to my custom app? Here secure means authentication of the API calls (make sure the call is from the Shopify website only) and that it is a valid API call.
    What I am trying to achieve is:
    I need to find a way in which a request fired from the Shopify Plus checkout page carries a parameter which is encrypted, not visible, and cannot be duplicated in Postman.

I am creating a popup to validate my mobile number; when this request hits my app server (Azure), I need to confirm whether it was triggered from the Shopify website (legitimate source) or from some other Postman-style app (non-legitimate source).

Based on this I need to take further action.
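As an added example, not part of this thread, here is the server-side check a custom app can run when the checkout page's AJAX call is routed through a Shopify App Proxy, which has Shopify (not the browser) sign the proxied request with the app's shared secret. The canonicalisation and `signature` parameter follow Shopify's documented App Proxy scheme as I know it (an assumption to confirm against the current docs); the secret, query values and timestamp below are constructed.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs

# Constructed values for the demo; a real app keeps its secret server-side only.
SHARED_SECRET = "constructed-app-shared-secret"
SAMPLE_QUERY = ("shop=example.myshopify.com&path_prefix=/apps/mobile-check"
                "&timestamp=1700000000&mobile=%2B15551234567")


def _canonical(params: dict) -> str:
    # App Proxy canonical form (assumed from Shopify docs): drop "signature",
    # sort by key, render "key=value" (array values joined by ","), no separator.
    return "".join(f"{k}={','.join(v)}"
                   for k, v in sorted(params.items()) if k != "signature")


def sign_query(query: str, shared_secret: str) -> str:
    """Hex HMAC-SHA256 over the canonical query; used here only to build the sample."""
    params = parse_qs(query, keep_blank_values=True)
    return hmac.new(shared_secret.encode(), _canonical(params).encode(),
                    hashlib.sha256).hexdigest()


def verify_proxy_request(query: str, shared_secret: str,
                         now: Optional[float] = None, max_age: int = 300) -> bool:
    """True only if the signature matches AND the timestamp is fresh (limits replay)."""
    params = parse_qs(query, keep_blank_values=True)
    given = params.get("signature", [""])[0]
    expected = hmac.new(shared_secret.encode(), _canonical(params).encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(given, expected):   # constant-time comparison
        return False
    try:
        ts = int(params["timestamp"][0])
    except (KeyError, ValueError):
        return False
    now = time.time() if now is None else now
    return abs(now - ts) <= max_age


def signed_sample() -> str:
    """The constructed query as Shopify would deliver it, with its signature appended."""
    return f"{SAMPLE_QUERY}&signature={sign_query(SAMPLE_QUERY, SHARED_SECRET)}"


if __name__ == "__main__":
    q = signed_sample()
    print("genuine:", verify_proxy_request(q, SHARED_SECRET, now=1700000100))
    print("tampered:", verify_proxy_request(q.replace("15551234567", "15559999999"),
                                            SHARED_SECRET, now=1700000100))
    print("stale replay:", verify_proxy_request(q, SHARED_SECRET, now=1700009999))
```

A value that the checkout page's own JavaScript can compute is reproducible from Postman; the check only holds because the secret never leaves the app server and Shopify does the signing.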