NotionCommotion Posted September 4, 2019

I am working on a REST application which is intended to be used with various CMS's (Drupal, WordPress, etc). Each CMS installation passes a unique GUID in the header to identify the organization so that the organization's individual data is utilized. I've since realized I need some basic way to identify the individual user for at least two reasons:

- The API provides a help desk where individual users can ask questions and get responses (not real time).
- There is some need for user access/privileges (I suppose this could be CMS side if necessary).

Instead of inputting users both into the API as well as the CMS, the organization should be responsible for entry only through the CMS. They will add users as appropriate for the given CMS and then another page on the CMS will list all the CMS users and provide a way to set whether they are authorized to access the API as well as their access level.

The remainder of this post is kind of what I am thinking, but I am open to change.

1. When the CMS gives a user access to the API for the first time, a cURL request is made to the API and a unique key is returned, and the CMS will save it as being associated with the given user. Not sure if this should be an incrementing number on a per-organization basis or another GUID, and if a GUID, whether it should be passed along with the organization's GUID or replace it. Also, not positive, but thinking that user data (name, email, etc) should not be given to the API as it might be difficult to keep them synchronized.
2. If a user's access level is changed on the CMS or their access is removed, the user's GUID is passed to the API and the work is done on the API.
3. If the user is removed, they are not deleted from the API's database but just tagged as deleted.
4. Before performing step 1, the CMS should first perform a query requesting all users who are tagged as deleted and is responsible for determining whether a new user should be added or an existing user should be reinstated. Alternatively, I can make the API responsible for doing so, but then it would need to have stored various data to identify whether the user was previously instated, which might result in the synchronization issue I described in step 1.

Any comments, potential pitfalls, or recommendations would be appreciated.
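The four-step flow above, modelled end to end as an added example (this is not the poster's code or any CMS's code). Both sides live in one file: an in-memory API that hands out an opaque random per-user key scoped to the organization GUID, soft-deletes instead of deleting, and lists deleted users per organization; and a CMS side that stores the returned key on its own user record, never sends name or email to the API, and checks the deleted list before registering so a previously removed user is reinstated under their old key. The class and method names (`ProvisioningApi`, `Cms`, `grant_api_access`, and so on), the use of `secrets.token_urlsafe` for the key and the `KeyError` on a cross-organization lookup are all assumptions made for the example, not anything the post specifies.

```python
"""Added example (not the poster's code): the CMS-to-API user provisioning
flow from the post. Assumptions, all hypothetical: the API stores users in a
table keyed by an opaque random key; every call carries the organization GUID
from the request header plus that key; the CMS keeps the key on its own user
record and sends no name/email to the API.
"""
import secrets
import uuid
from dataclasses import dataclass


@dataclass
class ApiUser:
    org_guid: str
    access_level: str
    deleted: bool = False


class ProvisioningApi:
    """API side. The user key is random and bound to the organization GUID:
    a key presented under a different organization is treated as unknown, so
    one tenant cannot read or change another tenant's users."""

    def __init__(self):
        self._users = {}  # user_key -> ApiUser

    def _lookup(self, org_guid, user_key):
        user = self._users.get(user_key)
        if user is None or user.org_guid != org_guid:
            raise KeyError("unknown user for this organization")
        return user

    def register_user(self, org_guid, access_level="user"):
        # Step 1: mint an opaque key; nothing identifying the person is stored.
        user_key = secrets.token_urlsafe(32)
        self._users[user_key] = ApiUser(org_guid, access_level)
        return user_key

    def set_access_level(self, org_guid, user_key, access_level):
        # Step 2: the change is applied on the API, addressed by the key.
        self._lookup(org_guid, user_key).access_level = access_level

    def remove_user(self, org_guid, user_key):
        # Step 3: soft delete; the row stays, flagged as deleted.
        self._lookup(org_guid, user_key).deleted = True

    def reinstate_user(self, org_guid, user_key, access_level):
        user = self._lookup(org_guid, user_key)
        user.deleted = False
        user.access_level = access_level

    def list_deleted(self, org_guid):
        # Step 4: only this organization's deleted keys are returned.
        return sorted(k for k, u in self._users.items()
                      if u.org_guid == org_guid and u.deleted)

    def is_authorized(self, org_guid, user_key):
        try:
            return not self._lookup(org_guid, user_key).deleted
        except KeyError:
            return False


class Cms:
    """CMS side: owns the user records and stores one API key per user."""

    def __init__(self, api, org_guid):
        self.api = api
        self.org_guid = org_guid
        self.api_keys = {}  # cms_user_id -> api user key

    def grant_api_access(self, cms_user_id, access_level):
        # Step 4 before step 1: reinstate a previously removed user under the
        # key already stored for them instead of registering a duplicate.
        existing = self.api_keys.get(cms_user_id)
        if existing and existing in self.api.list_deleted(self.org_guid):
            self.api.reinstate_user(self.org_guid, existing, access_level)
            return existing
        key = self.api.register_user(self.org_guid, access_level)
        self.api_keys[cms_user_id] = key
        return key

    def change_access_level(self, cms_user_id, access_level):
        self.api.set_access_level(self.org_guid, self.api_keys[cms_user_id],
                                  access_level)

    def revoke_api_access(self, cms_user_id):
        self.api.remove_user(self.org_guid, self.api_keys[cms_user_id])


if __name__ == "__main__":
    api = ProvisioningApi()
    org_a, org_b = str(uuid.uuid4()), str(uuid.uuid4())  # constructed GUIDs
    cms = Cms(api, org_a)
    key = cms.grant_api_access(42, "user")
    print("authorized in own org:", api.is_authorized(org_a, key))
    print("authorized in other org:", api.is_authorized(org_b, key))
    cms.revoke_api_access(42)
    print("deleted list:", api.list_deleted(org_a) == [key])
    print("reinstated with same key:", cms.grant_api_access(42, "admin") == key)
```

Two design points the flow in the post leaves open are settled here on the safer side: the per-user identifier is a random key rather than an incrementing number, so it cannot be guessed from a neighbouring value, and it is sent together with the organization GUID rather than replacing it, so every mutation is checked against both.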