Nordstrom Hello Retail question about auth

I’ve been reviewing the Nordstrom Hello Retail project ( as an example of well-built serverless application. Something I don’t see is the need to call data sources across lambdas and I was wondering the best practice.

For example, the photo upload functionality uses twilio to do Auth: which is great. But lets say I needed to have a restriction where certain photographers can’t upload stuff outside specific categories. I would normally call the Photographers DB and get the 'allowedCategories` data. However in this architecture the Photographers DB is ‘managed’ by a different lambda, how should the recieve functionality verify this?