4👍
✅
I would suggest the customerId to be part of the JWT payload (search for JWT claims and how to add custom ones when generating a token).
This way you will be sure that it is not modified by a malicious user.
You can still pass it as a query parameter if you want, but you have the option to do a validation, by comparing the query value with the value in the JWT.
Don't trust the users. If they can change their customerId and manipulate the request, that is a security issue.
Another option is to not pass the customerId at all, but instead, after authorizing the user, to do a database call and see what his customerId is. I personally would prefer the first option, because you won't have to do an additional database call.
Source: stackexchange.com
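The approach the answer recommends, as an added example that is not part of the original post: the server puts customerId into the JWT as a custom claim when it issues the token, and on each request it trusts only the signed claim, accepting a customerId query parameter solely when it matches that claim. The example uses a minimal HS256 implementation on the standard library so it runs offline; the secret, the function names (issue_token, verify_token, authorize_customer_request) and the sample user/customer ids are constructed assumptions, and in a real service a maintained JWT library and a secret from a secret store would take their place.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample key for the example only; a real service loads this from a secret store.
SERVER_SECRET = b"example-hs256-secret-do-not-use-in-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    s += "=" * (-len(s) % 4)  # restore the padding JWT strips
    return base64.urlsafe_b64decode(s.encode("ascii"))


def _sign(signing_input: str) -> bytes:
    return hmac.new(SERVER_SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()


def issue_token(user_id: str, customer_id: str, ttl: int = 3600, now: Optional[int] = None) -> str:
    """Issue an HS256 JWT whose payload carries customerId as a custom claim.

    Only the server sets this claim, so a client cannot change it without
    breaking the signature.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "customerId": customer_id, "iat": now, "exp": now + ttl}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(payload)}"
    return f"{signing_input}.{_b64url(_sign(signing_input))}"


def verify_token(token: str, now: Optional[int] = None) -> dict:
    """Return the payload if the signature and expiry check out; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; do not let the token choose it
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(_sign(f"{h_b64}.{p_b64}"), _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p_b64))
    now = int(time.time()) if now is None else now
    if payload.get("exp", 0) <= now:
        raise ValueError("token expired")
    return payload


def authorize_customer_request(token: str, query_customer_id: Optional[str], now: Optional[int] = None) -> str:
    """Resolve the customerId this request is allowed to act on.

    The signed claim is the source of truth. A customerId query parameter is
    optional and is accepted only when it equals the claim; a mismatch is
    treated as a tampering attempt and the request is rejected.
    """
    claims = verify_token(token, now=now)
    trusted = claims["customerId"]
    if query_customer_id is not None and query_customer_id != trusted:
        raise PermissionError("customerId in query does not match the authenticated user's claim")
    return trusted


if __name__ == "__main__":
    # Constructed sample ids.
    token = issue_token("user-42", "cust-7", now=1_000_000)
    print(authorize_customer_request(token, "cust-7", now=1_000_100))  # matches the claim
    try:
        authorize_customer_request(token, "cust-8", now=1_000_100)
    except PermissionError as exc:
        print("rejected:", exc)
```

The comparison in authorize_customer_request is the validation step the answer describes; dropping the query parameter entirely and using the returned claim value directly is the same check with one fewer input to get wrong.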