I have no noticed the the user param is only invalid if there is an authorization header in the request.