User-474980206 posted
For the best security, the web API should authenticate its callers. The web app should authenticate with a service account or HTTPS certificate. Once the caller is trusted, you can pass the user ID as a header or payload parameter. You might want to use a JWT token if you need to pass roles.