This is how I did it in an application I worked on a year or so ago.
Basically when your user logs into the app you store their credentials in the DB so you can yank them out later when you need to perform actions against their shop. Before you start interfacing with the API you "prepare your session". Since you are working on a specific shops objects you should already have the Shop within the context you are working. Then you just tell the shop object to prepare the session and start talking to the Shopify API.