REST vs. legacy stuff with state in session?

We currently use the session to keep track of which client
is being worked on, but think our new rest interface should
be stateless.

Should I be redesigning our existing stuff to include client_id
in URLs where necessary?

Or even go a bit further, and include client_id in every resource,
even when not necessary, to keep erroneous implementations
from messing with the wrong tenant..? (We do have an auth layer,
but accounts will have access to multiple tenants.)