- **Stateless:** Each request must contain all information needed for authentication and authorization. Session state is not maintained server-side (in pure REST).
- **Resource-Oriented:** Authorization must be enforced per resource and per method. A user authorized to GET a resource may not be author
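As an added example (not code from the original page), a stateless request-level check that enforces permissions per resource and per HTTP method: the principal is derived from the request's own credential, and a GET grant does not imply a DELETE grant. The token table, principals and paths are constructed for illustration; a real service would validate a signed token rather than consult a dictionary.

```python
# Added example: stateless, per-resource, per-method authorization for a REST API.
# Every request carries its own credential (a bearer token here); no server-side
# session is consulted. TOKENS is a constructed stand-in for token validation.
from dataclasses import dataclass

# token -> (principal, set of (resource_type, method) permissions) -- constructed.
TOKENS = {
    "tok-alice": ("alice", {("orders", "GET"), ("orders", "POST")}),
    "tok-bob":   ("bob",   {("orders", "GET"), ("orders", "DELETE")}),
}

@dataclass(frozen=True)
class Request:
    method: str
    path: str       # e.g. "/orders/42"
    headers: dict

def authenticate(request: Request):
    """Derive the principal from the request alone (stateless)."""
    auth = request.headers.get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme != "Bearer" or token not in TOKENS:
        return None
    return TOKENS[token]

def authorize(request: Request) -> tuple:
    """Return (status, principal or reason) after a per-resource, per-method check."""
    identity = authenticate(request)
    if identity is None:
        return 401, "unauthenticated"
    principal, perms = identity
    # The first path segment names the resource type: /orders/42 -> "orders".
    parts = [p for p in request.path.split("/") if p]
    if not parts:
        return 404, "no resource"
    resource = parts[0]
    # The method is part of the permission: GET rights do not imply DELETE rights.
    if (resource, request.method.upper()) not in perms:
        return 403, f"{principal} may not {request.method} {resource}"
    return 200, principal

if __name__ == "__main__":
    for m, tok in (("GET", "tok-alice"), ("DELETE", "tok-alice"), ("DELETE", "tok-bob")):
        print(m, tok, authorize(Request(m, "/orders/42", {"Authorization": f"Bearer {tok}"})))
```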