Partial resources RFC
From Koha Wiki
There are use cases in which a resource information needs to be publicly accesible, but some bits restricteed to users with specific permissions.
We implement a whitelisting approach for this cases. Publicly accesible attributes are marked with a local attribute 'x-public', which is used in the authentication chain. Following the principle of Least Surprise, the endpoint will return the publicly accessible portion of the objects by default (so it will be the expected behaviour for API consumers).
Consumers that require protected attributes will be rejected if they don't have enough permissions.