Plus...
Let's back up one level. REST is a stateless protocol.
So when you make a request to a REST endpoint, it doesn't remember who you are when you make another request, even a second later, unless you have a valid token for that web service endpoint that is not expired. And you have to supply that token upon every request you make...
If you want your application to remember who is currently using your application, then you have to control that at the web server tier.
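To illustrate the point above, here is an added example (not code from the original post) of a stateless endpoint that learns who the caller is only from the token sent with each request. The HMAC-signed token format, the `SECRET` value and the function names are assumptions made for this sketch.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"  # assumption: server-side signing key (sample value)

def issue_token(user, ttl_seconds, now=None):
    """Return a signed token carrying the user name and an expiry time."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": user, "exp": now + ttl_seconds}).encode()
    body = base64.urlsafe_b64encode(payload)
    sig = hmac.new(SECRET, body, hashlib.sha256).hexdigest().encode()
    return (body + b"." + sig).decode()

def authenticate(token, now=None):
    """Return the user name for a valid, unexpired token, else None."""
    now = time.time() if now is None else now
    if not token or "." not in token:
        return None
    body, sig = token.encode().rsplit(b".", 1)
    expected = hmac.new(SECRET, body, hashlib.sha256).hexdigest().encode()
    # Constant-time comparison; reject anything not signed by this server.
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        claims = json.loads(base64.urlsafe_b64decode(body))
    except ValueError:
        return None
    if claims.get("exp", 0) <= now:
        return None  # expired tokens are treated like missing ones
    return claims.get("sub")

def handle_request(headers, now=None):
    """Stateless endpoint: nothing is remembered between calls, so
    identity comes only from the headers of this one request."""
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    user = authenticate(token, now)
    if user is None:
        return 401, "unauthorized"
    return 200, "hello " + user
```
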