Pairing-Gated API Authorization

External users call group detail APIs before or without proving they were paired via the expected external system, so group authorization logic can be bypassed unless a pairing state tied to identity/system is checked consistently.