REST vs. legacy stuff with state in session?

We currently use the session to keep track of which client is being worked on, but think our new rest interface should be stateless.

Should I be redesigning our existing stuff to include client_id in URLs where necessary?

Or even go a bit further, and include client_id in every resource, even when not necessary, to keep erroneous implementations from messing with the wrong tenant..? (We do have an auth layer, but accounts will have access to multiple tenants.)