Hacker News
by Dublum 4250 days ago
If they're going to insist on binding ID to account, it seems like the simplest way to do it would be just to submit the ID as an additional parameter in the login POST request and associate it as a single transaction, but again, using the ID at all is problematic.
1 comments

I think the best solution is to not trust the client in assigning the perfectFitId. The login POST should be able to determine the perfectFitId for the user after login and maintain a session through OAuth or another session management process.
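
Added example, not code from either commenter or from the service under discussion: a minimal sketch contrasting a login handler that accepts `perfectFitId` from the request body with one that derives it from the server's own account record and binds it to a server-held session. The account store, session store, function names and sample values are all hypothetical.

```python
import hashlib
import hmac
import secrets

_SALT = b"demo-salt"  # constructed; a real store uses a per-user random salt

def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

# Constructed sample data: the server's own mapping of account -> perfectFitId.
ACCOUNTS = {
    "alice": {"pw": _hash("correct horse"), "perfectFitId": "pf-1001"},
    "bob": {"pw": _hash("battery staple"), "perfectFitId": "pf-2002"},
}
SESSIONS = {}  # session token -> username, held only on the server

def _authenticate(form):
    """Return the username if the credentials match, else None."""
    name = form.get("username")
    user = ACCOUNTS.get(name)
    supplied = _hash(form.get("password") or "")
    if user is None or not hmac.compare_digest(user["pw"], supplied):
        return None
    return name

def login_trusting_client(form):
    """Client-assigned ID: whatever perfectFitId the request carries is used."""
    if _authenticate(form) is None:
        return None
    return form.get("perfectFitId")

def login_server_side(form):
    """Server-assigned ID: any perfectFitId field in the request is ignored."""
    name = _authenticate(form)
    if name is None:
        return None
    token = secrets.token_urlsafe(32)  # opaque session handle for the client
    SESSIONS[token] = name
    return token

def perfect_fit_id_for(token):
    """Resolve the ID from the session on each request, never from client input."""
    name = SESSIONS.get(token)
    return ACCOUNTS[name]["perfectFitId"] if name else None

# Constructed request: valid credentials for alice, but carrying bob's ID.
REQUEST = {"username": "alice", "password": "correct horse", "perfectFitId": "pf-2002"}
```

With the constructed request, the first handler binds alice's login to the ID the client sent, while the second resolves the ID stored for alice regardless of the extra field.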