1. Remote app should be deployed on prod env and we should not allow to access though any URl.

2. If u have the use case to access the remote app in the production than you have to implement separate Authentication.

3. If not, then you can Write Auth logics in Host app and store the tokens and related in local storage or session storage of browser and access it in remote App.