Have you checked that the two users each have their own token? And that each request sends the correct token in the Authorization header?