For example, I have a table in a database that contains students. When I create an API to access this resource at /students, even with authorization a student (if they know the URL) can access other students' private information by just changing the id in the request.
How can I solve this?
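The problem described in the question is a missing object-level authorization check: the handler confirms the caller is logged in but never compares the caller to the record being requested. The following is an added example, not part of the original post, showing the vulnerable handler beside a hardened one; it is framework-agnostic Python, and the `Principal` type, the roles, the in-memory `STUDENTS` table and all function names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data standing in for the students table.
STUDENTS = {
    1: {"id": 1, "name": "Alice", "grades": [90, 85]},
    2: {"id": 2, "name": "Bob", "grades": [70, 60]},
}

@dataclass(frozen=True)
class Principal:
    """Identity from the verified session or token, never from request input."""
    student_id: Optional[int]
    role: str  # "student" or "staff" (hypothetical roles)

def get_student_vulnerable(principal, requested_id):
    """GET /students/<id>: only checks login, so any id in the URL is served."""
    if principal is None:
        return 401, None
    record = STUDENTS.get(requested_id)
    return (200, record) if record else (404, None)

def can_read_student(principal, record):
    """Object-level rule: staff read any record, a student only their own."""
    if principal.role == "staff":
        return True
    return principal.role == "student" and principal.student_id == record["id"]

def get_student(principal, requested_id):
    """GET /students/<id>: authenticate, load, then authorize on the object."""
    if principal is None:
        return 401, None
    record = STUDENTS.get(requested_id)
    # Same 404 for "missing" and "not yours", so ids cannot be enumerated.
    if record is None or not can_read_student(principal, record):
        return 404, None
    return 200, record

def get_me(principal):
    """GET /students/me: the self-service path takes no client-supplied id."""
    if principal is None:
        return 401, None
    if principal.student_id is None:
        return 404, None
    return get_student(principal, principal.student_id)
```

The check belongs on the server for every route and query that touches a student record (read, update, delete, nested resources); hiding or randomizing ids does not replace it.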