The Superadmin API provides unrestricted, platform-wide access to all entities and operational data on Maleku System. Every endpoint in this section is protected by theDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/IvanchoDev89/maleku-system/llms.txt
Use this file to discover all available pages before exploring further.
require_superadmin dependency — the token’s role must be exactly super_admin. These endpoints exist outside the normal vendor/client scope and are intended exclusively for internal platform operations.
All mutating operations (create, update, delete) on core platform models are automatically logged to the audit trail via
AuditService. Every state change records the actor’s user ID, the old and new values, a plain-text changes summary, the originating IP address, and a UTC timestamp. These logs are immutable and cannot be deleted via the API.Users
GET /api/v1/superadmin/users
List all users with comprehensive filtering, sorting, and pagination. Returns a flat array ofUserListItem objects, each augmented with vendor_count and booking_count computed via correlated subqueries.
Search by email address or full name (ILIKE).
Filter by role:
client, vendor, admin, super_admin.Filter by active status.
Filter by email verification status.
Sort field (any column on the
users table).Sort direction:
asc or desc.Items per page. Range: 1–100.
Records to skip.
UserListItem[]
GET /api/v1/superadmin/users/count
Get the total count of users matching the same filter parameters as the list endpoint. Returns{ "count": 1840 }.
GET /api/v1/superadmin/users/
Get detailed information about a specific user, includingfailed_login_attempts and locked_until fields not exposed in the public user response.
Response — UserDetail
POST /api/v1/superadmin/users
Create a new user directly. Pre-verified (skips email verification flow). Rate-limited to 10 requests per minute.PUT /api/v1/superadmin/users/
Update any user’s role, status, email, or verification flag. All changes are captured in the audit log with old and new values. Rate-limited to 10 requests per minute.DELETE /api/v1/superadmin/users/
Permanently delete a user record. Cannot delete your own account or othersuper_admin accounts. This action is logged before the database deletion.
GET /api/v1/superadmin/users//activity
Get the audit activity history for a specific user (actions they performed). Returns up to 100 entries per page.POST /api/v1/superadmin/users//block
Suspend a user account with a reason and optional duration. Setsis_active = false and optionally sets locked_until. Generates both an audit log entry and a security log entry with critical severity.
POST /api/v1/superadmin/users//unblock
Reactivate a blocked account. Clearslocked_until and resets failed_login_attempts to 0.
POST /api/v1/superadmin/users//impersonate
Generate a short-lived (1 hour) impersonation access token for debugging user-reported issues. Cannot impersonatesuper_admin or inactive accounts. Every impersonation attempt is audited.
Vendors
GET /api/v1/superadmin/vendors
List all vendors including pending, suspended, and rejected accounts (unlike the public/vendors/ endpoint which only returns active vendors). Supports comprehensive filtering and sorting.
Filter by vendor status:
all, pending, active, suspended, rejected.Sort field:
created_at, name, rating, bookings.asc or desc.Search by business name or owner email.
Return only featured vendors.
Range: 1–200.
Records to skip.
GET /api/v1/superadmin/vendors/pending
List vendors withstatus = pending ordered oldest-first (priority queue). Returns full VendorDetailResponse including compliance flags, owner info, and booking/review stats calculated via batch queries.
GET /api/v1/superadmin/vendors/
Get full vendor detail including compliance flags fromVendorService.run_compliance_check(), owner contact information, and aggregated statistics (total bookings, revenue, completed/cancelled breakdown, average rating).
POST /api/v1/superadmin/vendors//approval
Process a vendor lifecycle action. Rate-limited to 10 requests per minute. All actions are audited. Valid state transitions:| Action | From status | To status |
|---|---|---|
approve | pending | active |
reject | pending | rejected |
suspend | active | suspended |
reactivate | suspended | active |
POST /api/v1/superadmin/vendors//feature
Toggle a vendor’s featured status. Onlyactive vendors can be featured. Audited.
GET /api/v1/superadmin/vendors/analytics/overview
Platform-wide vendor analytics including status counts, top performers by revenue, recent registrations, bookings by month (last 12 months), and revenue broken down bybusiness_type.
Look-back period for trend data. Range: 1–365.
POST /api/v1/superadmin/vendors//compliance-check
Run an on-demand compliance check on a vendor. Updateslast_compliance_check timestamp and returns any flags raised. Rate-limited to 10 requests per minute.
Bookings
GET /api/v1/superadmin/bookings
List all bookings platform-wide with filtering and pagination. Results ordered bycreated_at descending.
Filter by booking status:
pending, confirmed, completed, cancelled.Filter by booking type (e.g.
property, tour, vehicle).Search by
guest_name or guest_email (ILIKE).Page number.
Items per page. Range: 1–100.
BookingListResponse
GET /api/v1/superadmin/bookings/
Get full booking detail includingguest_phone, guest_notes, subtotal, commission_amount, confirmation_code, cancellation_reason, and timestamps for confirmed_at and cancelled_at.
PUT /api/v1/superadmin/bookings//status
Override a booking’s status. Rate-limited to 10 requests per minute.DELETE /api/v1/superadmin/bookings/
Permanently delete a booking record. Rate-limited to 10 requests per minute.Audit Logs
POST /api/v1/superadmin/audit/logs
Record a client-side security event reported by the frontend (e.g. a middleware access denial). Theevent_type string is mapped to a known AuditAction enum value before storage — free-form text is captured in changes_summary only. Events containing denied or deny also create a SecurityLog entry with warning severity; events with blocked or suspicious create one with critical severity. Rate-limited to 30 requests per minute. Requires any authenticated user.
Request body
GET /api/v1/superadmin/audit/logs
Query the audit trail with comprehensive filtering. Returns entries in reverse chronological order.Filter by the user who performed the action.
Filter by action type:
create, update, delete, view, approve, reject, suspend, activate, impersonate, export, etc.Filter by entity type (e.g.
user, vendor, booking, destination).Filter to a specific entity.
ISO 8601 start date for the query window.
ISO 8601 end date.
Search within
changes_summary and entity_name (ILIKE).Range: 1–500.
Records to skip.
GET /api/v1/superadmin/audit/logs/count
Get the total count of audit log entries matching the same filters as the list endpoint.GET /api/v1/superadmin/audit/logs/
Get detailed information about a single audit log entry.Security Logs
GET /api/v1/superadmin/audit/security
Query security events such as login failures, access denials, and account lockouts.Filter by user.
Security action type (e.g.
login_failure, access_denied, account_locked, suspicious_activity).Filter by severity:
info, warning, or critical.Filter by originating IP address.
Date range filter.
GET /api/v1/superadmin/audit/security/failed-logins
Get failed login attempts for brute-force detection. Whengroup_by_ip=true, groups results by IP address and only returns IPs with 3 or more failures.
Look-back period. Range: 1–168 (1 week).
Group results by IP address to identify coordinated attacks.
GET /api/v1/superadmin/audit/summary
Get aggregate statistics for the audit and security log dashboards.POST /api/v1/superadmin/audit/export
Export audit or security logs as JSON or CSV. Streams up to 5,000 records per request. The export action itself is logged. Rate-limited to 5 requests per minute.Content
Blog posts are managed via the standard blog endpoints, which require anadmin or super_admin role for write operations:
| Method | Path | Description |
|---|---|---|
GET | /api/v1/blog/ | List published blog posts (public) |
POST | /api/v1/blog/ | Create a blog post (Admin) |
GET | /api/v1/blog/{id} | Get post by ID |
GET | /api/v1/blog/slug/{slug} | Get post by slug |
PUT | /api/v1/blog/{id} | Update post (Admin) |
DELETE | /api/v1/blog/{id} | Delete post (Admin) |
POST/PUT/DELETE /api/v1/destinations/ — see the Destinations API for full reference.
Analytics
The Analytics API provides platform-wide metrics for Admin and Super Admin dashboards. Requiresadmin or super_admin role.
GET /api/v1/analytics/overview
Single-query aggregate stats across users, vendors, and bookings. Response —OverviewStats
GET /api/v1/analytics/revenue
Daily revenue time series for the specified look-back period.Number of days to look back (e.g.
7, 30, 90).RevenueData objects: { date, gross_revenue, net_revenue, bookings_count }.
GET /api/v1/analytics/bookings/by-status
Booking counts and revenue grouped by status (pending, confirmed, completed, cancelled).
GET /api/v1/analytics/top-vendors
Top vendors ranked by total revenue from completed bookings.Number of vendors to return. Range: 1–50.
TopVendorData[]: { vendor_id, vendor_name, total_bookings, total_revenue }.
GET /api/v1/analytics/users/stats
User growth stats: total users, new today/this week/this month, and a breakdown by role.GET /api/v1/analytics/bookings/trends
Daily booking counts for the specified period.Number of days to look back.