Thanks to Nicola Iarocci I found a solution.
First, I use a custom authentication class for every endpoint.
    class MyCreditNoteAuth(TokenAuthBase):
        def check_auth(self, token, allowed_roles, resource, method):
            # look up the account that owns this API token
            account = app.data.driver.db['users'].find_one({'api_access_token': token})
This method fetches the user's account from mongodb and now I have access to his contract ids.
Second, still in the method above, I update the filter of the datasource on each request:

            # restrict the endpoint to the contracts of this account
            mynotes['datasource']['filter']['contract'] = {'$in': account['contracts']}
Now the customer sees only his own "notes" on the given endpoint.
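A stand-alone model of the approach described in this answer, as an added example that is not part of the original answer and does not import Eve: the user store, notes, tokens and the base filter are constructed sample data, and the per-request filter is returned rather than written into a shared resource definition, so concurrent requests cannot inherit each other's contract restriction.

```python
# Added example (not from the answer): models the token lookup and the
# per-request '$in' contract filter without Eve. All data is constructed.
import copy

USERS = [  # stand-in for the mongodb 'users' collection
    {"_id": "u1", "api_access_token": "tok-alice", "contracts": [101, 102]},
    {"_id": "u2", "api_access_token": "tok-bob", "contracts": [103]},
]
NOTES = [  # stand-in for the 'notes' collection
    {"_id": "n1", "kind": "credit_note", "contract": 101},
    {"_id": "n2", "kind": "credit_note", "contract": 103},
    {"_id": "n3", "kind": "credit_note", "contract": 102},
    {"_id": "n4", "kind": "invoice", "contract": 101},
    {"_id": "n5", "kind": "credit_note", "contract": 999},
]
BASE_FILTER = {"kind": "credit_note"}  # assumed static datasource filter


def lookup_account(token):
    """Equivalent of users.find_one({'api_access_token': token})."""
    return next((u for u in USERS if u["api_access_token"] == token), None)


def check_auth(token):
    """Return the filter to apply for a valid token, or None to reject.

    A copy of the base filter is extended per request instead of mutating
    the shared definition, so two concurrent requests never share a filter.
    """
    account = lookup_account(token)
    if account is None:
        return None
    flt = copy.deepcopy(BASE_FILTER)
    flt["contract"] = {"$in": list(account["contracts"])}
    return flt


def matches(doc, flt):
    """Minimal evaluator for the equality and $in operators used here."""
    for field, cond in flt.items():
        if isinstance(cond, dict) and "$in" in cond:
            if doc.get(field) not in cond["$in"]:
                return False
        elif doc.get(field) != cond:
            return False
    return True


def visible_notes(token):
    """Ids of the notes the token's owner is allowed to see."""
    flt = check_auth(token)
    return [] if flt is None else [n["_id"] for n in NOTES if matches(n, flt)]
```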