in reply to A question about web service security
This is both an authentication problem, and an authorization problem. The request (of course) has to come from a properly authenticated subscriber. But in addition, the incoming request must have been authorized. For example, add some kind of token, whose contents are random, that must be returned by the client (in so-many minutes, and acceptable just once) with the request. The server confirms that the token is authentic, issued to this user, and not-yet-used. The presence of that token-value authorizes the request to be carried out. The token, issued by the server and with totally unpredictable contents, can’t be faked, and once the server decides it’s been used, can’t be used again.
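As an added illustration of the scheme this reply describes (not code from the poster), the following Python sketch issues a random server-side token bound to a user, with a lifetime and single-use semantics, and checks all four conditions the reply lists on redemption: the token is authentic (known to the server), issued to this user, not expired, and not yet used. The in-memory store, the 300-second lifetime, the class and method names, and the injectable clock are all assumptions chosen for the example; a real service would persist the records in shared storage so every server instance sees the same "used" state.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 300  # "so-many minutes": five minutes, a constructed choice


@dataclass
class TokenRecord:
    user: str
    expires_at: float
    used: bool = False


class OneTimeTokenAuthorizer:
    """Server-side issuance and one-shot redemption of request-authorization tokens."""

    def __init__(self, ttl: float = TOKEN_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock          # injectable so expiry can be tested deterministically
        self._tokens: dict[str, TokenRecord] = {}

    def issue(self, user: str) -> str:
        # 256 bits from the OS CSPRNG: unpredictable, so a client cannot fabricate one.
        token = secrets.token_urlsafe(32)
        self._tokens[token] = TokenRecord(user=user, expires_at=self._clock() + self._ttl)
        return token

    def redeem(self, token: str, user: str) -> tuple[bool, str]:
        """Return (authorized, reason). Marks the token used on success."""
        record = self._tokens.get(token)
        if record is None:
            return False, "unknown token"                # not issued by this server
        if not hmac.compare_digest(record.user.encode(), user.encode()):
            return False, "token not issued to this user"
        if self._clock() > record.expires_at:
            del self._tokens[token]                      # stale: drop it entirely
            return False, "token expired"
        if record.used:
            return False, "token already used"           # replay attempt; worth logging
        record.used = True                               # keep the record until expiry so replays are visible
        return True, "authorized"

    def purge_expired(self) -> int:
        """Housekeeping: remove records past their lifetime; returns how many were dropped."""
        now = self._clock()
        stale = [t for t, r in self._tokens.items() if now > r.expires_at]
        for t in stale:
            del self._tokens[t]
        return len(stale)


def demo() -> list[tuple[bool, str]]:
    """Walk through the accept/reject cases with a fake clock (constructed scenario)."""
    now = [1000.0]
    auth = OneTimeTokenAuthorizer(ttl=60, clock=lambda: now[0])
    token = auth.issue("alice")
    results = [
        auth.redeem(token, "bob"),          # wrong subscriber
        auth.redeem(token, "alice"),        # first use: authorized
        auth.redeem(token, "alice"),        # second use: rejected
        auth.redeem("not-a-real-token", "alice"),  # forged value
    ]
    later = auth.issue("alice")
    now[0] += 61                            # advance past the lifetime
    results.append(auth.redeem(later, "alice"))  # expired
    return results


if __name__ == "__main__":
    for ok, why in demo():
        print(ok, why)
```

The order of checks matters only for the error message: whichever check fails, the request is refused. Because the token itself carries no client-controlled content, there is nothing for the client to forge; the server's record is the sole source of truth for "issued", "to whom", "until when" and "already used".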