I think there is a session, as in the request, the user/73 "as the error log that have attached" was created in the registration request.
I think the problem is to allow the user to request this system / user via the API. He could to set permissions that should not have access. The user / register prevents it.