We've got a use case where we want to restrict the values each developer can submit to our API. Each developer will have a set (1-20) of allowed values for a parameter called 'location'. As each location is a latitude/longitude pair it's very unlikely that two developers would ever have the same location in their sets. I've considered seeing the allowable values in a custom attribute for each developer or app, but perhaps there is a better way. Has anyone got any suggestions?