Shouldn't u be issuing an access token for that user to access your service