My bad, it's a bit of a weird use case. when api r...
# spicedb
My bad, it's a bit of a weird use case. When the API receives a request, it'll have the user ID & the app ID. It needs to check if the app is allowed to access the API and it needs to check if the user is not explicitly banned from that API. It only grants access when both are true.