Kevin,
Yes of course :-) I have a custom redirect being passed on the OAuth endpoint "/admin/oauth/authorize" which exchanges the code and gets the "permanent token". That is saved to the database and set as a session for immediate use.
In terms of the tutorial found at http://docs.shopify.com/api/tutorials/oauth, it says I can use code, timestamp, shop to do a Signature Verification. I assumed this is how I will determine Shop Owners are not spoofing other "shop names" for future use. However, when I am clicking on the APP Card of the installed app, I am not seeing the "code" param passed again.
What am I doing wrong? :-) What's to stop someone from passing shop=shopname.myshopify.com&timestamp=<spoof>&signature=<spoof>? Then my app will think that shopnameX is looking for its PERM_TOKEN in the database. Steer me in the correct direction pretty please. I am sure I am doing something incorrect.
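One way the app side of this check can look, as an added example that is neither the poster's code nor Shopify's: it implements the HMAC-SHA256 verification over the query parameters that Shopify uses today (the linked tutorial describes the older `signature` parameter), so the `shop` value is trusted, and its stored token looked up, only after the signature checks out against the app secret, whether or not a `code` parameter is present. The secret, shop names, state value and replay window below are constructed values for the example.

```python
import hashlib
import hmac
import re
import time
from urllib.parse import parse_qs

# Constructed sample secret; a real app uses its own API secret key from Shopify.
APP_SECRET = "constructed-sample-secret"
SHOP_DOMAIN_RE = re.compile(r"^[a-zA-Z0-9][a-zA-Z0-9\-]*\.myshopify\.com$")
MAX_CLOCK_SKEW = 300  # seconds; an assumed replay window, not a Shopify constant

def _escape(text, chars):
    # Percent-escape only the listed characters; '%' is listed first to avoid double-escaping
    for c in chars:
        text = text.replace(c, "%%%02X" % ord(c))
    return text

def canonical_query(params):
    """Rebuild the string Shopify signs: drop hmac (and the legacy signature),
    escape '&' and '%' in keys and values and '=' in keys, sort, join with '&'."""
    pairs = [_escape(k, "%&=") + "=" + _escape(v, "%&")
             for k, v in params.items() if k not in ("hmac", "signature")]
    return "&".join(sorted(pairs))

def compute_hmac(params, secret=APP_SECRET):
    msg = canonical_query(params).encode("utf-8")
    return hmac.new(secret.encode("utf-8"), msg, hashlib.sha256).hexdigest()

def verify_request(query_string, secret=APP_SECRET, now=None):
    """Return the shop the request is genuinely for, or None; only that shop's token is loaded."""
    params = {k: v[0] for k, v in parse_qs(query_string, keep_blank_values=True).items()}
    received = params.get("hmac", "").encode("utf-8")
    if not hmac.compare_digest(compute_hmac(params, secret).encode("utf-8"), received):
        return None  # spoofed or tampered parameters: the signer did not know the secret
    shop = params.get("shop", "")
    if not SHOP_DOMAIN_RE.match(shop):
        return None  # not a *.myshopify.com domain
    ts = params.get("timestamp", "")
    if not ts.isdigit() or abs((time.time() if now is None else now) - int(ts)) > MAX_CLOCK_SKEW:
        return None  # missing or garbled timestamp, or a validly signed URL replayed later
    return shop

def sample_query(now):
    """Constructed request as Shopify sends it after install (note: no code param)."""
    params = {"shop": "example-shop.myshopify.com", "timestamp": str(now),
              "state": "constructed-state"}
    params["hmac"] = compute_hmac(params)
    return "&".join(f"{k}={v}" for k, v in params.items())
```

Changing any parameter, including `shop`, without the app secret invalidates the signature, which is what stops one merchant's request from being dressed up as another shop's.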