
Documentation Index

Fetch the complete documentation index at: https://mintlify.com/ItsJhonAlex/Ecommerce/llms.txt

Use this file to discover all available pages before exploring further.

The admin users API exposes a safe, read-optimized view of the customer and staff base, as well as the ability to promote or demote user roles. Password hashes, session tokens, and other sensitive auth fields are never included in responses — only the seven safe columns selected server-side. Role management allows you to onboard new staff, revoke access, and promote trusted customers to admin, all from a single endpoint.
All endpoints in this section require the admin or staff role. Requests without a valid session return 401; requests with insufficient role return 403.

Endpoints

List Users


GET /api/v1/admin/users
Returns all users with only non-sensitive fields, optionally filtered by role. The response does not include passwords, tokens, or any other auth credentials.

Query Parameters
role
string
Filter by user role. One of: customer, staff, admin. Omit to return users of all roles.
Response 200
{
  "users": [
    {
      "id": "usr-11223344-aabb-ccdd-eeff-001122334455",
      "name": "Ana Rodríguez",
      "email": "ana@example.com",
      "role": "customer",
      "emailVerified": true,
      "image": "https://cdn.example.com/avatars/ana.jpg",
      "createdAt": "2024-01-15T09:00:00.000Z"
    },
    {
      "id": "usr-aabbccdd-eeff-0011-2233-445566778899",
      "name": "Carlos Méndez",
      "email": "carlos@avanzarintimeshop.com",
      "role": "staff",
      "emailVerified": true,
      "image": null,
      "createdAt": "2024-02-01T08:00:00.000Z"
    }
  ]
}

Update User Role


PATCH /api/v1/admin/users/:id/role
Promotes or demotes a user’s role. The authenticated admin’s own ID is compared to the target :id — if they match and the new role is not admin, the request is rejected to prevent accidental self-lockout.

Request Body
role
string
required
The new role to assign. One of: customer, staff, admin.
  • customer — standard shopper, no admin panel access
  • staff — can access all admin routes including user management
  • admin — full access, including the ability to manage other admins
Example Request
curl -X PATCH https://api.avanzarintimeshop.com/api/v1/admin/users/usr-11223344-aabb-ccdd-eeff-001122334455/role \
  -H "Content-Type: application/json" \
  -H "Cookie: session=<your-session-cookie>" \
  -d '{ "role": "staff" }'
Response 200 — returns only the safe user fields.
{
  "user": {
    "id": "usr-11223344-aabb-ccdd-eeff-001122334455",
    "name": "Ana Rodríguez",
    "email": "ana@example.com",
    "role": "staff",
    "emailVerified": true,
    "image": "https://cdn.example.com/avatars/ana.jpg",
    "createdAt": "2024-01-15T09:00:00.000Z"
  }
}
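The two server-side checks this page describes, the safe-column projection behind the list endpoint and the self-demotion guard on the role endpoint, written out as an added TypeScript example. This is not the Ecommerce project’s own code: it models the user table in memory so the logic can be run offline. The sensitive columns beyond the seven documented fields (passwordHash, sessionToken, resetToken), the Session shape, the third sample user, the helper names, and the 400 and 404 responses for an unknown role value or unknown user ID are all assumptions; the page does not document them. The 401, 403 and 422 cases follow the page.

```typescript
// Added example, not the Ecommerce project's own code. Column names beyond the
// seven documented ones, the Session shape, and the 400/404 cases are assumptions.

type Role = "customer" | "staff" | "admin";
const ROLES: string[] = ["customer", "staff", "admin"];

function isRole(value: unknown): value is Role {
  return typeof value === "string" && ROLES.indexOf(value) !== -1;
}

// Full database row. The last three columns stand in for the password hashes,
// session tokens and other auth fields that must never leave the server.
interface DbUser {
  id: string; name: string | null; email: string; role: Role;
  emailVerified: boolean; image: string | null; createdAt: string;
  passwordHash: string; sessionToken: string | null; resetToken: string | null;
}

// Exactly the seven safe fields documented on this page.
type SafeUser = Pick<DbUser, "id" | "name" | "email" | "role" | "emailVerified" | "image" | "createdAt">;

// Allow-list projection: fields are copied by name, so a column added to the
// table later is excluded until someone deliberately lists it here. Deleting
// known-bad keys from the row (a deny-list) would leak new columns by default.
function toSafeUser(row: DbUser): SafeUser {
  const { id, name, email, role, emailVerified, image, createdAt } = row;
  return { id, name, email, role, emailVerified, image, createdAt };
}

interface Session { userId: string; role: Role }          // assumed shape
type ApiError = { status: 400 | 401 | 403 | 404 | 422; error: string };
type ApiResult<T> = { status: 200; body: T } | ApiError;

// 401 without a session, 403 unless the session role is staff or admin.
function authorize(session: Session | null): Session | ApiError {
  if (!session) return { status: 401, error: "authentication required" };
  if (session.role !== "staff" && session.role !== "admin") {
    return { status: 403, error: "admin or staff role required" };
  }
  return session;
}

function findUser(db: DbUser[], id: string): DbUser | undefined {
  return db.filter((u) => u.id === id)[0];
}

// GET /api/v1/admin/users?role=...
function listUsers(db: DbUser[], session: Session | null, roleFilter?: string): ApiResult<{ users: SafeUser[] }> {
  const auth = authorize(session);
  if ("error" in auth) return auth;
  if (roleFilter !== undefined && !isRole(roleFilter)) {
    return { status: 400, error: "role must be one of customer, staff, admin" }; // assumed status
  }
  const rows = roleFilter === undefined ? db : db.filter((u) => u.role === roleFilter);
  return { status: 200, body: { users: rows.map(toSafeUser) } };
}

// PATCH /api/v1/admin/users/:id/role
function updateUserRole(db: DbUser[], session: Session | null, targetId: string, body: unknown): ApiResult<{ user: SafeUser }> {
  const auth = authorize(session);
  if ("error" in auth) return auth;
  const role = typeof body === "object" && body !== null ? (body as { role?: unknown }).role : undefined;
  if (!isRole(role)) return { status: 400, error: "role must be one of customer, staff, admin" }; // assumed status
  // Self-demotion guard, evaluated before any database access: a caller may set
  // their own role to admin (a no-op) but never to staff or customer.
  if (auth.userId === targetId && role !== "admin") {
    return { status: 422, error: "cannot demote your own account; ask another admin" };
  }
  const row = findUser(db, targetId);
  if (!row) return { status: 404, error: "user not found" }; // assumed status
  row.role = role;
  return { status: 200, body: { user: toSafeUser(row) } };
}

// Constructed sample rows: the first two mirror the page's examples, the admin
// row and every hash/token value are made up for this example.
function makeSampleDb(): DbUser[] {
  const hash = "$argon2id$v=19$m=65536,t=3,p=4$c2FsdA$ZmFrZWhhc2g"; // constructed, not a real hash
  return [
    { id: "usr-11223344-aabb-ccdd-eeff-001122334455", name: "Ana Rodríguez", email: "ana@example.com", role: "customer",
      emailVerified: true, image: "https://cdn.example.com/avatars/ana.jpg", createdAt: "2024-01-15T09:00:00.000Z",
      passwordHash: hash, sessionToken: null, resetToken: null },
    { id: "usr-aabbccdd-eeff-0011-2233-445566778899", name: "Carlos Méndez", email: "carlos@avanzarintimeshop.com", role: "staff",
      emailVerified: true, image: null, createdAt: "2024-02-01T08:00:00.000Z",
      passwordHash: hash, sessionToken: "sess_constructed_1", resetToken: null },
    { id: "usr-00000000-0000-4000-8000-000000000001", name: "Site Admin", email: "admin@example.com", role: "admin",
      emailVerified: true, image: null, createdAt: "2024-01-01T00:00:00.000Z",
      passwordHash: hash, sessionToken: null, resetToken: null },
  ];
}

const ADMIN_SESSION: Session = { userId: "usr-00000000-0000-4000-8000-000000000001", role: "admin" };
const ANA_ID = "usr-11223344-aabb-ccdd-eeff-001122334455";
const db = makeSampleDb();
console.log(JSON.stringify(updateUserRole(db, ADMIN_SESSION, ANA_ID, { role: "staff" })));              // 200, no passwordHash in body
console.log(JSON.stringify(updateUserRole(db, ADMIN_SESSION, ADMIN_SESSION.userId, { role: "staff" }))); // 422, guard fires
```

The guard runs after authorization but before the database lookup, matching the order the page describes, and the role value is validated before the guard so an unknown role can never reach the update. Note that the example does not stop a staff session from changing an admin’s role, because the page says the API does not enforce that today.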
Error Responses

  • 401: no valid session cookie was sent.
  • 403: the session user’s role is neither admin nor staff.
  • 422: the :id in the route is the authenticated user’s own ID and the requested role is not admin (self-demotion guard).

Safe User Response Fields

id
string
UUID of the user.
name
string | null
Display name of the user, if provided during registration.
email
string
Email address used for login and order notifications.
role
string
Current role. One of: customer, staff, admin.
emailVerified
boolean
Whether the user has verified their email address. Unverified users may have limited checkout access depending on store configuration.
image
string | null
URL of the user’s profile avatar, if set (typically populated via OAuth providers). null if not set.
createdAt
string
ISO 8601 timestamp of when the user account was created.

Self-demotion guard: The backend checks whether the :id in the route matches the id of the currently authenticated session user. If they match and the requested role is anything other than admin, the request is rejected with 422 before touching the database. To demote your own account, have another admin perform the update, or temporarily promote a second account to admin first.
The staff role grants broad admin access. Staff users can access every admin route, including listing users, updating roles, confirming payments, and managing orders. Only grant the staff role to team members you fully trust, and treat it with the same care as the admin role. The only difference today is in the UI: staff cannot manage other admins through the admin UI, but the API does not currently enforce that restriction (role-update business logic may enforce it in future versions).
