The Users API manages platform accounts in HDB Service. Every user has a role drawn from theDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/GianlucaBessone/HDB-Service/llms.txt
Use this file to discover all available pages before exploring further.
UserRole enum (ADMIN, SUPERVISOR, TECHNICIAN, CLIENT_RESPONSIBLE, CLIENT_REQUESTER) which controls what data they can see and what actions they can perform. When a new user is created, the system simultaneously registers them in Supabase Auth and in the local PostgreSQL database via Prisma. The user is created with mustChangePassword: true so they are prompted to choose their own password on first login.
All users endpoints are restricted to ADMIN role, with GET /api/users also accessible to SUPERVISOR. passwordHash is never included in any response.
GET /api/users
Returns all user records. Each record includes the associated client name and the list of plant IDs the user has been granted access to. ThepasswordHash field is never returned.
Required roles: ADMIN, SUPERVISOR
Filter by user role. One of
ADMIN, SUPERVISOR, TECHNICIAN, CLIENT_RESPONSIBLE, or CLIENT_REQUESTER.Filter users by their associated client ID.
Filter by active status. Pass
true for active users only or false for deactivated accounts.User ID (matches the Supabase Auth user UUID).
First name.
Last name (nullable).
Email address.
User role:
ADMIN, SUPERVISOR, TECHNICIAN, CLIENT_RESPONSIBLE, or CLIENT_REQUESTER.Whether the account is active.
Associated client ID (nullable — only set for
CLIENT_RESPONSIBLE and CLIENT_REQUESTER).ISO 8601 account creation timestamp.
Array of objects, each containing a
plantId string. Populated for CLIENT_REQUESTER users; empty for other roles.| Status | Description |
|---|---|
401 | Not authenticated. |
403 | Authenticated user is not ADMIN or SUPERVISOR. |
500 | Internal server error. |
POST /api/users
Creates a new user account. The process involves three steps executed in sequence: (1) verify the email does not already exist in the Prisma database; (2) create the user in Supabase Auth withemail_confirm: true so no verification email is required; (3) create the Prisma user record with a bcrypt-hashed password and mustChangePassword: true. Plant access entries are created in bulk via UserPlantAccess if plantIds is provided.
Required role: ADMIN
Email address. Must be unique across all users.
User’s first name.
User’s last name.
User role. One of
ADMIN, SUPERVISOR, TECHNICIAN, CLIENT_RESPONSIBLE, or CLIENT_REQUESTER.Temporary password. Stored as a bcrypt hash (10 rounds). The user will be prompted to change it on first login.
Required when
role is CLIENT_RESPONSIBLE or CLIENT_REQUESTER. Associates the user with a specific client.Array of plant IDs to grant access to. Applicable for
CLIENT_REQUESTER users. Each entry creates a UserPlantAccess record.User ID (the Supabase Auth UUID is used as the Prisma primary key).
User email address.
First name.
Last name (nullable).
Assigned role.
Always
true on creation.Associated client ID (nullable).
Always
true on creation.ISO 8601 creation timestamp.
The user’s Supabase Auth UUID is reused as the Prisma
User.id, so the two records are always in sync and can be looked up by the same ID.| Status | Description |
|---|---|
400 | email, nombre, role, or password is missing. |
400 | A user with this email already exists in the database. |
400 | Supabase Auth rejected the creation request (e.g., invalid email format). |
401 | Not authenticated. |
403 | Authenticated user is not ADMIN. |
500 | Internal server error. |
PATCH /api/users/[id]
Updates one or more fields on an existing user. Only fields present in the request body are modified; omitted fields are left unchanged. IfplantIds is included, the existing UserPlantAccess records for this user are fully replaced (all deleted and recreated from the new array). If a new password is provided, it is hashed with bcrypt and mustChangePassword is set to true. Relevant changes (name, role, password) are also synced to Supabase Auth metadata.
An ADMIN cannot deactivate their own account (active: false on the currently authenticated user returns 400).
Required role: ADMIN
Updated first name.
Updated last name.
New role. One of
ADMIN, SUPERVISOR, TECHNICIAN, CLIENT_RESPONSIBLE, CLIENT_REQUESTER.New client association. Pass
null to clear.Full replacement list of plant IDs for access control. All previous
UserPlantAccess entries are deleted and replaced with this list.Set to
false to deactivate the account.New password. Will be hashed and will set
mustChangePassword: true.User ID.
Updated first name.
Updated last name (nullable).
Email address (unchanged).
Updated role.
Current active state.
Current client association (nullable).
Current must-change-password flag.
ISO 8601 last-updated timestamp.
| Status | Description |
|---|---|
400 | Attempting to deactivate the currently authenticated user’s own account. |
404 | User not found. |
401 | Not authenticated. |
403 | Authenticated user is not ADMIN. |
500 | Internal server error. |
DELETE /api/users/[id]
Permanently deletes a user account from both the Prisma database and Supabase Auth. AnADMIN cannot delete their own account. This is a hard delete — the record is not soft-deleted.
Required role: ADMIN
Always
true on a successful deletion.| Status | Description |
|---|---|
400 | Attempting to delete the currently authenticated user’s own account. |
401 | Not authenticated. |
403 | Authenticated user is not ADMIN. |
500 | Internal server error. |