SendRegning

User/Originator lifecycle


The API uses basic authentication, and the flow of the user/originator in the apps is important.

In the following list we assume that every call returns 200:

  1. /user/login - Only used as an entrypoint in audit (docs)
  2. /user/originators - List of originators connected to the user (docs)
  3. /originators/{id}/select - Important call to update the browser_hash and audit the change (docs)

If the Authorization header is missing, the API always returns the error code 401.

An authenticated user is allowed to fetch everything under /user/ even if his or her originator is blocked. In that case, calling any resource under /originators/ triggers the state filter and returns the error code 403 together with the matching error message object.
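The lifecycle above, walked by a small client that separates the 401 case from the 403 state-filter case. This is an added example, not SendRegning code. Assumptions: the HTTP verbs, the `id` field in the originator list, the shape of the error object, and the `transport` callable with its constructed `fake_api` stand-in.

```python
import base64

class MissingCredentials(Exception):
    """401: the request carried no Authorization header."""

class BlockedOriginator(Exception):
    """403: the state filter rejected a call under /originators/."""

def basic_auth(username, password):
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}

def call(transport, method, path, headers):
    # transport is a hypothetical callable returning (status, body)
    status, body = transport(method, path, headers)
    if status == 401:
        raise MissingCredentials(path)
    if status == 403:
        raise BlockedOriginator(body)  # body is the error message object
    if status != 200:
        raise RuntimeError(f"{method} {path} returned {status}")
    return body

def start_session(transport, username, password):
    """Run the three calls in order; return the selected originator id or None."""
    headers = basic_auth(username, password)
    call(transport, "GET", "/user/login", headers)            # verb assumed
    originators = call(transport, "GET", "/user/originators", headers)
    for originator in originators:                            # "id" field assumed
        try:
            call(transport, "POST", f"/originators/{originator['id']}/select", headers)
            return originator["id"]
        except BlockedOriginator:
            continue  # /user/ stays reachable, so try the next originator
    return None

def fake_api(blocked):
    """Constructed stand-in for the server, following the rules on this page."""
    def transport(method, path, headers):
        if "Authorization" not in headers:
            return 401, None
        if path in ("/user/login", "/user/originators"):
            return 200, [{"id": 11}, {"id": 22}]   # constructed sample data
        originator_id = int(path.split("/")[2])
        if originator_id in blocked:
            return 403, {"message": "originator blocked"}  # assumed shape
        return 200, {}
    return transport
```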