REST vs. legacy stuff with state in session?

We currently use the session to keep track of which client
is being worked on, but think our new REST interface should
be stateless.

Should I be redesigning our existing stuff to include client_id
in URLs where necessary?

Or even go a bit further, and include client_id in every resource,
even when not necessary, to keep erroneous implementations
from messing with the wrong tenant…? (We do have an auth layer,
but accounts will have access to multiple tenants.)


Not very elegant code sample:

GET /customers

GET /customers.xml

def index
  # HTML requests take the client from the session;
  # XML requests take it from the request parameters.
  client_id = nil
  respond_to do |format|
    format.html { client_id = current_client.id }
    format.xml  { client_id = params[:client_id] }
  end

  @customers = Customer.find(:all, :include => [:account],
                             :conditions => ["client_id = ?", client_id])

  respond_to do |format|
    format.html # index.rhtml
    format.xml  { render :xml => @customers.to_xml(:include => [:account]) }
  end
end

Thanks,
Isak
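
Added example, not part of the original post: a framework-free Ruby sketch of the stateless variant, where the client_id taken from the URL is validated against the tenants the authenticated account may use before any query runs. All names (`resolve_client_id`, `customers_for`, `customer_for`, `ACCOUNT_CLIENTS`) and the sample data are hypothetical and constructed for illustration.

```ruby
# Added illustration; every name below is hypothetical and the data is constructed.
class TenantAccessError < StandardError; end

Customer = Struct.new(:id, :client_id, :name)

# Constructed sample data: two tenants (10 and 20).
CUSTOMERS = [
  Customer.new(1, 10, "Acme"),
  Customer.new(2, 10, "Globex"),
  Customer.new(3, 20, "Initech"),
].freeze

# Constructed account-to-tenant grants: alice may use both tenants, bob only one.
ACCOUNT_CLIENTS = { "alice" => [10, 20], "bob" => [10] }.freeze

# Resolve the tenant for a stateless request: the id must be present in the
# request parameters, be a plain integer, and be granted to the account.
def resolve_client_id(account, params)
  raw = params[:client_id].to_s
  raise TenantAccessError, "client_id missing or malformed" unless raw =~ /\A\d+\z/

  client_id = raw.to_i
  allowed = ACCOUNT_CLIENTS.fetch(account, [])
  unless allowed.include?(client_id)
    raise TenantAccessError, "account not permitted on client #{client_id}"
  end
  client_id
end

# Every read goes through the resolved tenant, so a handler cannot return
# another tenant's rows by forgetting a condition.
def customers_for(account, params)
  client_id = resolve_client_id(account, params)
  CUSTOMERS.select { |c| c.client_id == client_id }
end

# Fetch a single record; a record owned by another tenant is treated as absent.
def customer_for(account, params)
  customers_for(account, params).find { |c| c.id == params[:id].to_i }
end
```
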