Nordstrom Hello Retail question about auth

I’ve been reviewing the Nordstrom Hello Retail project (https://github.com/Nordstrom/hello-retail/) as an example of well-built serverless application. Something I don’t see is the need to call data sources across lambdas and I was wondering the best practice.

For example, the photo upload functionality uses twilio to do Auth: https://github.com/Nordstrom/hello-retail/blob/master/product-photos/3.receive/receive.js which is great. But lets say I needed to have a restriction where certain photographers can’t upload stuff outside specific categories. I would normally call the Photographers DB and get the 'allowedCategories` data. However in this architecture the Photographers DB is ‘managed’ by a different lambda, how should the recieve functionality verify this?