# support-questions-legacy
r
U can. But ur APIs should not trust the userId in the URL. They should check that that userId is = to the session userId.
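The check described in the reply above, as an added example that is not part of the original post: the handler takes the caller's identity from the server-side session and rejects any request whose URL userId differs from it. The route shape `/users/:userId/profile`, the `sid` cookie, the session store and all function names are hypothetical.

```javascript
// Constructed sample session store: session id -> server-side session record.
const SESSIONS = new Map([
  ["sess-alice", { userId: "42" }],
  ["sess-bob", { userId: "7" }],
]);

// Resolve the session from the Cookie header; identity comes from here only.
function getSession(cookieHeader) {
  for (const part of String(cookieHeader || "").split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name === "sid") return SESSIONS.get(rest.join("=")) || null;
  }
  return null;
}

// Decide whether a request for /users/:userId/profile may proceed.
function authorizeProfileRequest(req) {
  const session = getSession(req.headers && req.headers.cookie);
  if (!session) return { status: 401 }; // not logged in

  const match = /^\/users\/([^/]+)\/profile$/.exec(req.path);
  if (!match) return { status: 404 };

  let urlUserId;
  try {
    urlUserId = decodeURIComponent(match[1]);
  } catch (e) {
    return { status: 400 }; // malformed percent-encoding
  }

  // Strict string comparison, no coercion: "042" or "42 " do not equal "42".
  if (urlUserId !== String(session.userId)) return { status: 403 };

  // From here on, use the session's userId for data access, not the URL value.
  return { status: 200, userId: session.userId };
}
```

Returning 401 for a missing session and 403 for a mismatch keeps "not logged in" and "logged in as someone else" distinguishable in logs.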