I don't think APIs in general should have anything to do with authorization, other than passing along a token.
I don't think APIs in general should have anything to do with authorization, other than passing along a token.