SomethingRequest wouldn't have an ID field so the consumer could never provide one. Then you'd need a separate contract object for updates. A better option might be to secure your API so that consumers can only update what they should have access to.