I run a Grapevine REST Server (The current implementation of Grapevine relies on the features exposed by System.Net.HttpListener) in a C# application on a Windows Session (User A), on localhost:8888 for example.
If I leave the user A session open with the executable running and log on to a new User B session, I access my REST server at localhost: 8888.
Can we restrict access to the REST server on the session that started it?
Grapevine uses the built-in HttpListener in .NET, which you can access and configure directly using the Advanced property of the RestServer class.
var server = new Grapevine.Server.RestServer();
var listener = server.Advanced; // This is an HttpListener object
You can configure authentication in any way you could if you were using HttpListener out of the box. A good starting point might be the AuthenticationSchemes property.
If traditional authentication methods don't fit your use case, you might want to try to get the logged in user when your application starts, and then add an event handler on server.Router.BeforeRouting that automatically returns a 401 or 403 if the request isn't from that user. I haven't actually tried it myself, but that's where I would go with it.