Session
All Your Schemas Are Belong To Us
You placed a simple API over your user store. It's simple - the client provides the user ID, you get it from the database, convert to JSON and done! One more JIRA ticket to close. Congratulations! You just created both a huge technical debt and a security hole.
By tangling the database schema with the business object and the API layer, you make it very hard to make schema changes. Also, if someone adds the user authentication token to the database, it'll automatically go out to any client.
In this talk, I'll make a claim that you should keep the database, business and API data models separate. Even at the cost of code duplication.
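The failure mode from the abstract, as an added example that is not code from the talk or the speaker: a handler that serializes the database row starts leaking `auth_token` as soon as the column exists, while separate database, business and API models only emit fields that were mapped explicitly. The table layout, function names, class names and sample values are all constructed for illustration.

```python
import json
import sqlite3
from dataclasses import asdict, dataclass

def make_db() -> sqlite3.Connection:
    # Constructed sample data: a user store where a later migration
    # added the auth_token column.
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, email TEXT)")
    db.execute("ALTER TABLE users ADD COLUMN auth_token TEXT")
    db.execute("INSERT INTO users VALUES (1, 'alice', 'alice@example.com', 'tok-SECRET')")
    return db

def get_user_tangled(db: sqlite3.Connection, user_id: int) -> str:
    # Tangled: the API response is whatever the table holds today.
    row = db.execute("SELECT * FROM users WHERE id = ?", (user_id,)).fetchone()
    return json.dumps(dict(row))

@dataclass
class UserRecord:  # database model: mirrors the table
    id: int
    login: str
    email: str
    auth_token: str

@dataclass
class User:  # business model: what application logic works with
    id: int
    login: str
    email: str

@dataclass
class UserResponse:  # API model: the only fields a client ever sees
    id: int
    login: str

def get_user_separated(db: sqlite3.Connection, user_id: int) -> str:
    row = db.execute(
        "SELECT id, login, email, auth_token FROM users WHERE id = ?", (user_id,)
    ).fetchone()
    record = UserRecord(**dict(row))
    user = User(id=record.id, login=record.login, email=record.email)
    return json.dumps(asdict(UserResponse(id=user.id, login=user.login)))

if __name__ == "__main__":
    db = make_db()
    print("tangled:  ", get_user_tangled(db, 1))
    print("separated:", get_user_separated(db, 1))
```

The explicit mapping is the code duplication the abstract refers to: a new column changes `UserRecord`, and nothing reaches the client until someone deliberately adds it to `UserResponse`.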