REST API multi-tenant security

Question

I have a question about RESTful APIs and security in a multi-tenant environment.

Imagine you have an endpoint: api/branches/:branchId/accounts/:accountId

Authentication is done through Bearer Tokens (oauth2). Each token includes a set of claims associated to the invoking user. A branchId claim is included in the token, and each user belongs to a single branch.

The security restrictions are the following:

1. The branchId of the GET request should match the one stored on the token claim.
2. accountId should be a valid account inside the branch identified by branchId.

The question is: which of the following solutions is correct?

1. Maintain the endpoint: api/branches/:branchId/accounts/:accountId. And do the required security checks.
2. Change the endpoint to: api/accounts/:accountId, obtain the branchId from the token, and then do the remaining security checks.

The application is meant to be multi-tenant. Each branch is a tenant, and each user may only access the information associated with its single branch. Thanks!

Answer 1

I needed to make a decision fast, so I will be using solution 1. If anybody has an argument against or in favor please join the conversation.

Arguments in favor:

1. I totally agree with this answer: https://stackoverflow.com/a/13764490/2795999, using the full URL allows you to more efficiently decide which data store to connect with, and distribute load accordingly.
2. In addition you can easily implement caching, and logging because the full url is descriptive enough.
3. Independency of security and API. Today I am using OAuth2 but perhaps tomorrow I can send the request signature, and because the URL has all the information to fulfill the request it will work.

Arguments against:

1. Information redundancy: the branchId is on the URL and encrypted on the token.
2. A little more effort to implement.