The Users API covers two distinct access patterns: self-service profile management for any authenticated user, and administrative user operations restricted to the super_admin role. All write endpoints are rate-limited and validate input against SQL injection and weak-password patterns before persisting data.
Documentation index (all pages): https://mintlify.com/IvanchoDev89/maleku-system/llms.txt
Own Profile
GET /api/v1/users/me
The primary “get my profile” route is served from the Auth router at GET /api/v1/auth/me. It returns the full user object for the currently authenticated user.
Response
PUT /api/v1/users/
Update a user’s profile fields. When called by a super_admin this endpoint can update any user. Rate-limited to 10 requests per minute.
Request body — UserUpdate
full_name — User’s full name. Minimum 2 characters, maximum 255. HTML and SQL injection patterns are rejected.
phone — Contact phone number. Minimum 8 characters, maximum 20.
avatar_url — Profile avatar URL. Must start with http://, https://, or /. javascript: and data: protocols are blocked.
Response — UserResponse object.
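The validation rules above, worked through as an added example (this is illustrative code, not the project's own validator). The field names full_name, phone and avatar_url, the length limits and the URL rules are taken from the page; the concrete regular expressions, the phone character set, the error messages, the assumed 422 status and the helper names validate_user_update and rejects are assumptions made for the example. It goes slightly beyond the page in two places a reviewer would check: it normalises the URL before applying the startswith() rule (a tab inside "java\tscript:" or a leading tab would otherwise slip past), and it refuses scheme-relative "//host" and "/\host" forms, which a bare "/" prefix would otherwise admit.

```python
"""Validation for the UserUpdate body (added example, not project code)."""
import re
from urllib.parse import urlsplit

# Assumed patterns for "HTML and SQL injection patterns are rejected".
# Pattern rejection is defence in depth only: parameterised queries and
# output encoding are what actually prevent SQL injection and XSS, and a
# keyword blocklist will reject some legitimate names.
HTML_PATTERN = re.compile(r"[<>]")
SQL_PATTERN = re.compile(
    r"(--|;|/\*|\*/|\b(select|insert|update|delete|drop|union)\b)",
    re.IGNORECASE,
)
ALLOWED_URL_PREFIXES = ("http://", "https://", "/")   # from the page
BLOCKED_URL_SCHEMES = ("javascript", "data")          # from the page
UPDATABLE_FIELDS = ("full_name", "phone", "avatar_url")


class ValidationError(ValueError):
    """Raised for a body the API should reject (assumed: HTTP 422)."""


def validate_full_name(value: str) -> str:
    value = value.strip()
    if not 2 <= len(value) <= 255:
        raise ValidationError("full_name must be between 2 and 255 characters")
    if HTML_PATTERN.search(value) or SQL_PATTERN.search(value):
        raise ValidationError("full_name contains a rejected pattern")
    return value


def validate_phone(value: str) -> str:
    value = value.strip()
    if not 8 <= len(value) <= 20:
        raise ValidationError("phone must be between 8 and 20 characters")
    # Assumption: digits plus common separators only.
    if not re.fullmatch(r"\+?[0-9 ()-]+", value):
        raise ValidationError("phone contains invalid characters")
    return value


def validate_avatar_url(value: str) -> str:
    # Drop surrounding whitespace and control characters before checking:
    # "java\tscript:" or a leading tab would pass a naive startswith() test
    # while a browser still treats the result as a javascript: URL.
    value = "".join(ch for ch in value.strip() if ch.isprintable())
    scheme = urlsplit(value).scheme.lower()
    if scheme in BLOCKED_URL_SCHEMES:
        raise ValidationError(f"{scheme}: URLs are not allowed")
    if not value.lower().startswith(ALLOWED_URL_PREFIXES):
        raise ValidationError("avatar_url must start with http://, https:// or /")
    # A bare "/" prefix also admits scheme-relative URLs: "//evil.example/x",
    # and "/\evil.example/x" since browsers treat "\" as "/" for http(s),
    # both resolve to a foreign host. Allow only a single leading slash.
    if value.startswith("/") and value[1:2] in ("/", "\\"):
        raise ValidationError("scheme-relative URLs are not allowed")
    return value


VALIDATORS = {
    "full_name": validate_full_name,
    "phone": validate_phone,
    "avatar_url": validate_avatar_url,
}


def validate_user_update(payload: dict) -> dict:
    """Return the cleaned fields, refusing anything outside UserUpdate.

    Unknown keys are rejected rather than silently ignored so that a body
    such as {"role": "super_admin"} cannot ride along on a profile update;
    role changes only happen through the dedicated /role endpoint.
    """
    unknown = set(payload) - set(UPDATABLE_FIELDS)
    if unknown:
        raise ValidationError(f"unknown fields: {sorted(unknown)}")
    if not payload:
        raise ValidationError("no fields to update")
    return {name: VALIDATORS[name](str(value)) for name, value in payload.items()}


def rejects(validator, value) -> bool:
    """True if the validator refuses the value (convenience for self-checks)."""
    try:
        validator(value)
    except ValidationError:
        return True
    return False


if __name__ == "__main__":
    print(validate_user_update({"full_name": " Ada Lovelace ", "avatar_url": "/avatars/ada.png"}))
    print(rejects(validate_avatar_url, "JavaScript:alert(1)"))
```

The unknown-field check is the part worth copying: a PUT that accepts any key the client sends is the classic mass-assignment path from a profile edit to a role escalation.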
DELETE /api/v1/users/me
Account deletion is handled via the Auth router. Self-service account deletion marks the account for removal.
Admin Operations
All endpoints in this section require the super_admin role. Calls with any other token role (including admin) receive 403 Forbidden.
GET /api/v1/users/
List all users with pagination. Results are ordered by created_at descending.
Page number. Minimum: 1.
Items per page. Range: 1–100.
PaginatedResponse
GET /api/v1/users/
Get a user by UUID. A user can view their own profile with their token. Viewing any other user’s profile requires the super_admin role.
Response — UserResponse
PUT /api/v1/users/
Update any user’s profile. Requires the super_admin role. Can modify full_name, phone, and avatar_url. Rate-limited to 10 requests per minute.
DELETE /api/v1/users/
Deactivate a user account (sets is_active = false). Requires the super_admin role. A super_admin cannot deactivate their own account via this endpoint: the API returns 400 Bad Request if user_id matches the authenticated user.
Response
POST /api/v1/users//activate
Reactivate a previously deactivated user account. Requires the super_admin role. Rate-limited to 10 requests per minute.
Response
POST /api/v1/users//role
Change a user’s role. Requires the super_admin role. Rate-limited to 10 requests per minute.
The new role value. Valid roles: client, vendor, admin, super_admin.
POST /api/v1/users//anonymize
Permanently anonymize all personal data for a user for GDPR compliance. Requires the super_admin role. Rate-limited to 5 requests per minute. The operation is irreversible.
The anonymized email is set to deleted-{random_hex}@anonymized.com and the full name becomes "Deleted User". Associated bookings have guest_name set to "Anonymized" and reviews have their content replaced with "This review has been anonymized.".
Response
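The access-control rules of the admin endpoints above (own-record reads for any user, super_admin for everything else, 400 on self-deactivation), written out as an added example. This is illustrative code, not the project's handlers: the roles, the 403 and 400 behaviour and the self-deactivation rule come from the page; the in-memory record layout, the 404 for an unknown UUID, the 422 for an unrecognised role value, and the names Principal, UserRecord, HTTPError and status_of are assumptions. The path placeholder {user_id} in the docstrings is written out for readability; the page's own paths show it stripped.

```python
"""Authorisation for the admin user endpoints (added example, not project code)."""
from dataclasses import dataclass

ROLES = ("client", "vendor", "admin", "super_admin")   # from the page


@dataclass(frozen=True)
class Principal:
    """Identity carried by the bearer token: the caller's UUID and role claim."""
    user_id: str
    role: str


@dataclass
class UserRecord:
    user_id: str
    role: str
    is_active: bool = True


class HTTPError(Exception):
    def __init__(self, status: int, detail: str) -> None:
        super().__init__(f"{status}: {detail}")
        self.status = status


def require_super_admin(actor: Principal) -> None:
    # "admin" is a distinct, lower-privileged role: only the exact string
    # super_admin unlocks the admin endpoints.
    if actor.role != "super_admin":
        raise HTTPError(403, "super_admin role required")


def get_user(actor: Principal, target_id: str, users: dict) -> UserRecord:
    """GET /api/v1/users/{user_id}: own record for anyone, any record for super_admin."""
    if actor.user_id != target_id:
        require_super_admin(actor)      # 403 is decided before the lookup, so a
    record = users.get(target_id)       # non-admin cannot probe which UUIDs exist
    if record is None:
        raise HTTPError(404, "user not found")   # assumed status
    return record


def deactivate_user(actor: Principal, target_id: str, users: dict) -> UserRecord:
    """DELETE /api/v1/users/{user_id}: soft delete by clearing is_active."""
    require_super_admin(actor)
    if target_id == actor.user_id:
        raise HTTPError(400, "a super_admin cannot deactivate their own account")
    record = get_user(actor, target_id, users)
    record.is_active = False
    return record


def activate_user(actor: Principal, target_id: str, users: dict) -> UserRecord:
    """POST /api/v1/users/{user_id}/activate: reverse a deactivation."""
    require_super_admin(actor)
    record = get_user(actor, target_id, users)
    record.is_active = True
    return record


def change_role(actor: Principal, target_id: str, new_role: str, users: dict) -> UserRecord:
    """POST /api/v1/users/{user_id}/role: only values from ROLES are accepted."""
    require_super_admin(actor)
    if new_role not in ROLES:
        raise HTTPError(422, f"unknown role {new_role!r}")   # assumed status
    record = get_user(actor, target_id, users)
    record.role = new_role
    return record


def status_of(handler, *args) -> int:
    """Run a handler and report the HTTP status it would produce (200 on success)."""
    try:
        handler(*args)
        return 200
    except HTTPError as exc:
        return exc.status


def sample_users() -> dict:
    """Constructed fixture: one user per interesting role."""
    return {
        "u-client": UserRecord("u-client", "client"),
        "u-admin": UserRecord("u-admin", "admin"),
        "u-super": UserRecord("u-super", "super_admin"),
    }


if __name__ == "__main__":
    users = sample_users()
    print(status_of(deactivate_user, Principal("u-admin", "admin"), "u-client", users))
    print(status_of(deactivate_user, Principal("u-super", "super_admin"), "u-super", users))
```

Two details matter in review: the role check runs before the database lookup in every handler, so a 404 never leaks UUID existence to a caller who is not entitled to ask, and the self-deactivation guard compares the path parameter against the token's subject, not against a client-supplied body field.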
UserResponse Schema
Unique user identifier.
Email address (used as the login identifier).
User’s full name.
Contact phone number.
User role: client, vendor, admin, or super_admin.
Whether the account is active. Deactivated accounts cannot log in.
Whether the user has verified their email address.
Profile image URL.
ISO 8601 timestamp of account creation.