Hello, Slicer [Mirkwood], you wrote:

AK>> So authorization is necessary. But it still has to be checked. You say that your client has access to call this API, but has no right to change certain fields.

SM> Authorization has little in common with the authenticity of the client; it checks the authenticity of the user.

Now I understand what you mean. This task overlaps very closely with protecting programs from copying and other DRM / copyright questions. In general, this task is not solvable yet. In some cases, for example mobile devices, the usual arms race can be observed: the copyright defenders invent new methods of making sure the program is running on unmodified firmware, and programmers invent new methods of fooling the copyright defenders. It is a difficult and expensive pleasure. I do not know what the latest news is at the moment, but Netflix works perfectly normally for me on my modified firmware, so as I understand it the successes are not very great. In any case, checking rights on the server side is strongly recommended; it is a very simple and obvious action that there is simply no sense in neglecting.

SM> Or, if you suggest applying some additional authorization to check the authenticity of the client, it would also be interesting to learn how you approached it, so that an attacker could not pick up, for example, the client secret.

I am not an expert in cryptography, so I did not invent new authentication methods. For the services I work on, we use ordinary OAuth2 through Azure Active Directory to confirm the identity of the user. What was needed on top of that was RBAC. The way roles are arranged in Azure Active Directory does not allow using them normally in applications that work with users from different Active Directories (multitenant services). That is, if in one domain there is a role "doctor", I cannot simply grant access for this role to some REST API, because in another domain the same role may be called "healthcare professional" or "senior medical staff" or something else. It is necessary to introduce an entity, a service which maps user logins onto the set of roles available to them in our system. That is, authentication we take from the domain, checking the authenticity of the signed token, and authorization (the access check) is done by us.
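One way to implement the role-mapping service and the server-side field check described in this reply, as an added example in Python, not code from the thread or from the poster's services; the tenant ids, role names, writable field sets and the token claim keys (`tid`, `roles`) are constructed assumptions, and the token is assumed to have already been signature-verified:

```python
# Added example: server-side RBAC for a multi-tenant REST API.
# Authentication (signature check of the OAuth2 / Azure AD token) is assumed
# to have happened already; `claims` is the verified token payload.
# The mapping table, field permissions and claim keys are constructed samples.

# Constructed mapping: (tenant id, role name in that tenant) -> internal role.
# Each tenant names the same function differently, as the reply describes.
TENANT_ROLE_MAP = {
    ("tenant-a", "doctor"): "clinician",
    ("tenant-b", "healthcare professional"): "clinician",
    ("tenant-c", "senior medical staff"): "clinician",
    ("tenant-a", "receptionist"): "front_desk",
}

# Internal role -> fields of the patient record that role may write.
WRITABLE_FIELDS = {
    "clinician": {"diagnosis", "notes", "phone"},
    "front_desk": {"phone", "address"},
}


def internal_roles(claims):
    """Map the verified token's tenant (`tid`) and tenant-local `roles`
    onto the internal roles of our system. Unknown tenants or roles map
    to nothing, so by default the caller gets no access."""
    tenant = claims.get("tid")
    return {TENANT_ROLE_MAP[(tenant, r)]
            for r in claims.get("roles", [])
            if (tenant, r) in TENANT_ROLE_MAP}


def check_update(claims, update):
    """Server-side check for a partial update: every field the client wants
    to change must be writable by at least one of the caller's internal
    roles. Returns the set of rejected fields; empty means allowed.
    The client being able to call the endpoint at all says nothing about
    which fields it may change, so this check runs on the server."""
    allowed = set()
    for role in internal_roles(claims):
        allowed |= WRITABLE_FIELDS.get(role, set())
    return set(update) - allowed


if __name__ == "__main__":
    token = {"tid": "tenant-a", "roles": ["receptionist"]}
    print(check_update(token, {"phone": "555-0100", "diagnosis": "x"}))
```
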