Convert to XML.

getId will nicely wait until methods will be executed, there is no need to use
serialize, which will commit new transaction.

If API has been called with loggable user, but without Person document (which
shall never happen!) just log this information and return server side error.

Delete is not in API, so implement request instead.

OAuth-2 is used as fallback authentication method in case of not having X509
key/certificate.

Do not create additional request endpoint, as requesting is like creation, so
reuse POST verb on instance endpoint.

Also as rename can be used to garbage collect instance avoid DELETE.

PUT can inform that nothing happens.

OPTIONS is required by web-browser embedded JavaScript calls in order to allow
for CORS.

Accept is used in order to require response type from server, Content-Type is
about data which are going to be send.

Each time request body is sent, client HAVE to set content type.

Client might want to do anything with it, so append responso to such.

Provide request-access-token web section, with forced authorisation (see:
454f340583055d59ba3385786d16a851636e45c4 in erp5 repository) which allow to
grant or deny token which arrived from remote web site.

Depend on erp5_bearer_token in order to reuse common logic.

They shall have maximum one related predecessor.

requestSoftwareInstance requires much less arguments.