Personally I always:
- get the existing properties for the category from Discourse first
- reduce the result properties down to a known whitelist of properties
- add the permissions
- then make the
PUTrequest
It might be that one or more of the of the properties is required.
The category permissions editor built into Discourse follows a similar process, however it knows exactly what should be sent back without needing a whitelist.
Filtering by a whitelist could be risky if other properties are added (by a new version of Discourse, a plugin, or custom fields), I haven’t checked the Discourse code to see if it removes the property if not set.