How do I make sure that the request my EBS is getting, is genuinely them?

I got it. I just check if user_id exists, and if not, I tell them to grant access.