@Bennick, if you install an App in a shop, it can provide services as a proxy. So the /a/whatever is just that, a proxy. Shopify sends the requests to the App's endpoint specified which is how this basic example works. So this pattern accesses the customer record via the API and writes a metafield or two.
You could also just use CORS to your own server or lowly JSONP and do the same thing. Six of one half dozen of the other. Of course each has security issues too...