A client-side boolean can be changed by the user. Sensitive API access must be enforced on the server.
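
The following added example (not code from the original page) contrasts a handler that trusts a boolean sent by the client with one that makes the decision from server-side session state. The session store, token strings, request shape, and function names are all constructed for illustration.

```javascript
// Constructed server-side session store: token -> identity the server
// established at login. The client never writes to this.
const SESSIONS = new Map([
  ["tok-alice", { user: "alice", role: "admin" }],
  ["tok-bob", { user: "bob", role: "user" }],
]);

// Weak: the authorization decision rests on a boolean in the request body,
// which the user fully controls.
function deleteUserTrustingClient(req) {
  const body = req.body || {};
  if (body.isAdmin === true) {
    return { status: 200, body: `deleted ${body.target}` };
  }
  return { status: 403, body: "forbidden" };
}

// Enforced on the server: the role is looked up from the server's own
// session record. Any isAdmin field in the request body is ignored.
function deleteUserServerEnforced(req) {
  const headers = req.headers || {};
  const body = req.body || {};
  const session = SESSIONS.get(headers.authorization);
  if (!session) return { status: 401, body: "unauthenticated" };
  if (session.role !== "admin") return { status: 403, body: "forbidden" };
  return { status: 200, body: `deleted ${body.target}` };
}

// Constructed request: bob is a non-admin whose client-side flag was changed.
const tampered = {
  headers: { authorization: "tok-bob" },
  body: { isAdmin: true, target: "carol" },
};

console.log("trusting client:", deleteUserTrustingClient(tampered).status);
console.log("server enforced:", deleteUserServerEnforced(tampered).status);
```

The client-side boolean can still drive what the UI shows; it just carries no weight in the server's decision.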