How to ensure that a request comes from my webextension and login system

I develop a URL shortener service: and a webextension for it:
The source code of the webextension is open source and available on GitHub.

I have two main questions:

1 / Today, to know if the request to reduce a link is coming from the site or from the webextension, I use an “origin” parameter in the URL. But I think it is somehow not very secure, as this is subject to changes by a user if he knows the URL (easy to find in the source code). My first question is: do I have a way to ensure at 100% that a request is coming from my webextension?

2 / I want to permit login on my webextension to save links of the webextension user in his URLR. account. What’s the best approach? Generate a token per user and pass it in the webextension request? Use a shared cookie?

I hope that you have understood my questions and that I can have some tracks.

Thank you in advance!

Source: Symfony Questions