What is the best way to authorize calls to the shopify Admin API within a webhook handler

Retired Boards Appdev Custom Storefronts

Topic summary

A developer is building a webhook handler in AWS Lambda for their Shopify app, using EventBridge to receive webhooks. When a customer creates an order, the webhook triggers and needs to make authenticated requests to Shopify’s Admin API using the Node.js @shopify/shopify-api library.

Core Question:
How to create a valid session object from webhook event details to authenticate Admin API calls?

Example Use Case:
The developer wants to fetch and update product data (e.g., finding a product by ID and changing its title) from within the webhook handler.

Status:
The question remains open with no responses yet. The developer is seeking best practices for handling authentication in this serverless webhook context.

Summarized with AI on November 23. AI used: claude-sonnet-4-5-20250929.
1

I am creating a webhook handler (within aws lambda) for my shopify app.

Note: I’m using eventbridge to receive webhooks, but i believe the concept is the same.

When a customer creates a new order this webhook will be called, and from within my webhook handler i would like to make an authenticated request to the Nodejs @shopify/shopify-api Admin API.

My question is, what is the best way to do this?

For example, how do i use the details from the webhook event to create a session which i can then use to make requests to the Admin API?

eg;

const product = await shopify.rest.Product.find({session, id: '7504536535062'});

product.title = 'A new title';

await product.save({
update: true,
});