Is it ok to return extra information in http
HTTP OK or CREATED
I see no problem with that. If the client needs that information, then the resource will have to include it as a property. The client can PUT without it (NULL), or the server will ignore it anyway (since this is only set server-side), but it will have to reflect it afterwards.
You can always secure your API if you're going to expose it publicly (OAuth, API keys, etc.).
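The behaviour described in the answer above, as an added example that is not part of the original answer: a PUT handler that discards whatever the client sends for server-set properties and reflects them in the 200/201 body. The field names (`id`, `created_at`, `updated_at`, `title`, `body`) and the function `put_resource` are assumptions for illustration; the page does not name the property.

```python
from datetime import datetime, timezone

# Hypothetical property names; the page does not say which field is server-set.
SERVER_ONLY = {"id", "created_at", "updated_at"}
CLIENT_WRITABLE = {"title", "body"}


def put_resource(store, resource_id, payload, now=None):
    """Handle PUT /items/<resource_id>; return (status_code, representation)."""
    now = now or datetime.now(timezone.utc).isoformat()
    if not isinstance(payload, dict):
        return 400, {"error": "JSON object expected"}
    # Reject properties the resource does not define, so a client cannot
    # smuggle extra attributes into the stored record.
    unknown = set(payload) - CLIENT_WRITABLE - SERVER_ONLY
    if unknown:
        return 400, {"error": "unknown properties", "names": sorted(unknown)}
    # Server-only keys may be absent, null, or a copy from an earlier GET.
    # They are dropped here rather than trusted.
    writable = {k: v for k, v in payload.items() if k in CLIENT_WRITABLE}
    existing = store.get(resource_id)
    created = existing is None
    record = {
        **writable,
        "id": resource_id,
        "created_at": now if created else existing["created_at"],
        "updated_at": now,
    }
    store[resource_id] = record
    # Reflect the full resource, server-set properties included.
    return (201 if created else 200), dict(record)


if __name__ == "__main__":
    store = {}
    # Constructed request bodies: first without the server-set value (null),
    # then with a client-supplied value that the server must ignore.
    print(put_resource(store, "42", {"title": "a", "created_at": None}))
    print(put_resource(store, "42", {"title": "b", "created_at": "1999-01-01"}))
```
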