API and Multiple Accounts

We are working on a mobile app supplement to our jumpstart powered rails app and are struggling on authentication issues.

(1) What is the best way to deal with API requests in order to: (a) determine which account to assign the user's request to (in case they belong to multiple accounts), and (b) maintain security so that they do not attempt to modify an account they do not belong to?

(2) Should our mobile app include an "account_id" with each request? Otherwise how can we know which account the request is related to?

(3) So long as the API controller inherits from the base API controller, will Jumpstart ensure that the user cannot modify an account that does not belong to them?
You’re not receiving notifications from this thread.
© 2021 GoRails, LLC