Computer might not have access to it.

Use common responseSupport which adds all expected headers and supports
anonymous access, so OPTIONS can be simplified.

Convert to XML.

getId will nicely wait until methods will be executed, there is no need to use
serialize, which will commit new transaction.

If API has been called with loggable user, but without Person document (which
shall never happen!) just log this information and return server side error.

Delete is not in API, so implement request instead.

OAuth-2 is used as fallback authentication method in case of not having X509
key/certificate.

Do not create additional request endpoint, as requesting is like creation, so
reuse POST verb on instance endpoint.

Also as rename can be used to garbage collect instance avoid DELETE.