BP142: Do not trust the input parameters
Never trust the input parameters that were sent to the API endpoint. Always assume that the input parameters could have been spoofed: the client controls every byte of the request, including values the application itself put into earlier responses.
Always validate the inputs (type, length, range and format) before using them.
If you accept any identifiers that you use to access data (retrieve data from the database) or alter the application state (modify data in the database), always check that the calling user is authorized to access or alter that specific resource. Input validation alone does not do this: a well-formed identifier can still belong to another user.
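The following is an added example, not code from the original best-practice entry. It assumes a hypothetical invoice API with an in-memory store (the `INVOICES` table, invoice fields and the `caller_id` parameter are all constructed for illustration). It puts a handler that trusts the incoming identifier beside one that first validates the identifier's shape and then checks that the calling user owns the referenced resource, for both a read and a state-changing update.

```python
from dataclasses import dataclass, replace


class BadRequest(Exception):
    """Input failed shape validation (HTTP 400)."""


class NotFound(Exception):
    """Resource missing or not owned by the caller (HTTP 404)."""


@dataclass(frozen=True)
class Invoice:
    id: int
    owner_id: int
    total_cents: int


# Constructed sample data standing in for a database table.
INVOICES = {
    1: Invoice(id=1, owner_id=10, total_cents=4500),
    2: Invoice(id=2, owner_id=20, total_cents=9900),
}


def parse_positive_int(raw, field, max_digits=18):
    """Shape validation: accept only a decimal string for a positive integer.

    Rejecting anything else up front keeps malformed or oversized values
    away from the data layer regardless of how it is implemented.
    """
    if not isinstance(raw, str) or not raw.isdigit() or len(raw) > max_digits:
        raise BadRequest(f"{field} must be a positive integer")
    value = int(raw)
    if value <= 0:
        raise BadRequest(f"{field} must be a positive integer")
    return value


def get_invoice_trusting(raw_id):
    """The pattern BP142 warns against: the identifier from the request is
    used as-is, so any caller can read any invoice by guessing its id."""
    return INVOICES[int(raw_id)]


def _load_owned_invoice(raw_id, caller_id):
    """Validate the identifier, then enforce that the caller owns the record.

    A missing invoice and another user's invoice produce the same NotFound,
    so the response does not reveal which ids exist.
    """
    invoice_id = parse_positive_int(raw_id, "invoice id")
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice.owner_id != caller_id:
        raise NotFound("invoice not found")
    return invoice


def get_invoice_checked(raw_id, caller_id):
    """Read path: returns the invoice only if the caller is its owner."""
    return _load_owned_invoice(raw_id, caller_id)


def update_invoice_total_checked(raw_id, caller_id, raw_total):
    """Write path: the same ownership check guards state changes, and the new
    value is validated before it reaches the store."""
    invoice = _load_owned_invoice(raw_id, caller_id)
    total = parse_positive_int(raw_total, "total", max_digits=12)
    updated = replace(invoice, total_cents=total)
    INVOICES[invoice.id] = updated
    return updated


def raises(exc_type, fn, *args):
    """Small helper so callers can check which error a request produces."""
    try:
        fn(*args)
    except exc_type:
        return True
    except Exception:
        return False
    return False


if __name__ == "__main__":
    # The trusting handler hands user 10 an invoice owned by user 20.
    print(get_invoice_trusting("2"))
    # The checked handler refuses the same request.
    print(raises(NotFound, get_invoice_checked, "2", 10))
```

Note that `caller_id` must come from the authenticated session or token, never from the request body; if the ownership check compares two client-supplied values it proves nothing.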