Hi,
Thanks for the answer! I do have a session with bearer token authentication to my own server which works nicely. But there are anonymous requests to the register and login pages of my app, which ideally I would like to validate, especially with the shop parameter passed to these requests. Because when a user registers, I take the shop parameter, find the Shopify access token which I have previously gotten and saved in the database, and map the user to this so-called ShopifyAccess (essentially the access token). In this way many users can register in my app for one Shopify store. But I do need to validate this shop parameter coming to my login or register requests and make sure that it matches the current store the user is using my app in, because if someone changes it manually to some other shop, and it turns out that this shop is already registered in my server and has a ShopifyAccess (access token), this user will essentially gain access to someone else's shop. Because Shopify adds not only the shop parameter but also the hmac and timestamp ones to my app URL requests (I am using the embedded SDK, by the way), I thought I could validate every request, as the documentation says, not only the initial authorization callback. But now I understand that this is not the case, so I will figure out something else.
Thanks for the response, it's been useful!
Best Regards