Even if our REST API seems quite complete, a critical component is missing in our implementation: any client in fact is currently able to retrieve all the notes stored in the Datastore without providing authentication and regardless of being or not the owner of those notes. Moreover, until we don't provide authentication for our REST API, creating a note will be impossible because we need an authenticated user to create an entity in the note_create() method of the NotesApi class. We can easily fill this gap in our requirements because Cloud Endpoints provides support to protect all or part of our API with the OAuth2 authorization framework.

The first step to provide protection to our API is to specify which clients ...