In the API, it looks like the user_id is required to do anything useful. To get this user_id, I need to (manually, externally) decode the JWT, and I'm in a sandboxed language that doesn't have the bits to do it easily.