Right, and I assume you've authenticated the user, so any calls to your backend API would have something like cookies to identify the user. In that scenario, wouldn't authorization requests be done as part of your backends business logic?