Must have module when you want to build fully decouple with access check. It provides access checks for any entity operations in the JSON response. Based on JSONAPI:Extras.

Usage: add jsonapi_access=create,update,delete to your regular jsonapi request and you will see "meta[access]" for general response and for each resource inside it.