Clarification about first installation request

[KozakRoman]

We make first shopify installation app request like this
http://shop-name.myshopify.com/admin/api/auth?api_key=xyz from install.php file.
After this we make second request https://shop-name.myshopify.com/admin/oauth/authorize?client_id=$api_key$scopes$redirect_uri
from oauth.php file.
Why do we need this first request? Could we just start installation process without this first request?

[myjanky]

@KozakRoman the first auth compares your api key and shared secret to shopify to determine if it is a valid request
Then Oauth sends request back to shopify for permissions to use such as "read_content" (aka scopes) etc...
Please see this for the steps on auth. https://help.shopify.com/api/guides/authentication/oauth

[KozakRoman]

Thank you for your quick reply. Could we just start installation process without this first request(valid request)?

[myjanky]

Kind of. You could set up a private app and bypass the oauth completely.
https://github.com/phpish/shopify_private_app-skeleton

Keep in mind that a private app has full access to all scopes and then some. So, be careful how you handle the api key and secret. If these are exposed, your shop could be compromised by a knowledgeable attacker.