I've been reading about microservices and I have some doubts about which data should be sent in the body, and which data should be populated on the server (by means of an id).
For example, imagine that we have a real estate agency, and the domain models are agent, client and house. Imagine that for an agent to submit a deal he has to:
Now my question is, if the sales service requires fields like client's first and last name, client's contacts, house's address and so on, should we:
Thanks in advance.
send all the required data from the browser, or just the id of the house and client and the service will handle the rest?
Typically, if the house and client aren't changing in this request, just send their IDs, e.g.
    {
        sale: {
            price: "100000.00",
            houseID: 123,
            clientID: 456
        }
    }
if we have a restriction in the system that says that "you can only sell houses to your clients", how do we guarantee in the sales service that this agent is selling a house to his client (how can I trust the data that comes from the browser)?
The answer is you can't trust data from the client. If you get an incoming sale request, you have to verify it on the server. Typically you would have guard clauses or pre-filters to check any operation against constraints (along with other stuff like cleansing the data and checking the user's permission).
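The guard-clause approach described in the answer above, as an added example that is not part of the original post. The function name, the exception class, the in-memory lookup tables, and the idea that the agent's identity comes from an authenticated session are assumptions made for illustration.

```python
from decimal import Decimal, InvalidOperation

# Constructed sample data standing in for lookups against the client and
# house services (hypothetical; the page does not describe their APIs).
CLIENT_OWNER = {456: "agent-7", 457: "agent-9"}  # clientID -> owning agent
HOUSE_IDS = {123, 124}

class SaleRejected(Exception):
    """Raised by a guard clause; the handler would map it to a 4xx reply."""

def validate_sale(agent_id, body):
    """Return a cleaned sale, or raise SaleRejected.

    agent_id must come from the authenticated session or token, never
    from the request body, which the browser fully controls.
    """
    sale = body.get("sale") if isinstance(body, dict) else None
    if not isinstance(sale, dict):
        raise SaleRejected("malformed request")
    house_id, client_id = sale.get("houseID"), sale.get("clientID")
    # type() rather than isinstance(): True/False must not pass as IDs.
    if type(house_id) is not int or type(client_id) is not int:
        raise SaleRejected("IDs must be integers")
    raw_price = sale.get("price")
    if not isinstance(raw_price, str):
        raise SaleRejected("price must be a decimal string")
    try:
        price = Decimal(raw_price)
    except InvalidOperation:
        raise SaleRejected("invalid price") from None
    if not price.is_finite() or price <= 0:
        raise SaleRejected("invalid price")
    if house_id not in HOUSE_IDS:
        raise SaleRejected("unknown house")
    # The business rule from the question: the client must belong to the
    # calling agent. Unknown and foreign clients get the same error so the
    # reply does not reveal which client IDs exist.
    owner = CLIENT_OWNER.get(client_id)
    if owner is None or owner != agent_id:
        raise SaleRejected("client not available to this agent")
    # Build the record from verified values only; extra body fields are dropped.
    return {"agent_id": agent_id, "house_id": house_id,
            "client_id": client_id, "price": price}
```
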