How do you design and secure a RESTful API that needs to handle sensitive patient or financial data for Themesoft clients?