The webhook handling and multi-tenancy sections are where most Shopify app tutorials fall short, so kudos for covering both. OAuth token refresh is another area that bites developers in production — tokens expire, and if your refresh logic isn't bulletproof, merchants lose access silently. One approach I've used in similar integration projects is queuing webhook payloads before processing them, so you never lose events during traffic spikes. Laravel's job queues make this pretty seamless. Are you using database-per-tenant or shared schema with scoping for the multi-tenancy piece?