Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/IvanchoDev89/maleku-system/llms.txt

Use this file to discover all available pages before exploring further.

The Users API covers two distinct access patterns: self-service profile management for any authenticated user, and administrative user operations restricted to the super_admin role. All write endpoints are rate-limited and validate input against SQL injection and weak-password patterns before persisting data.

Own Profile

GET /api/v1/users/me

The primary “get my profile” route is served from the Auth router at GET /api/v1/auth/me. It returns the full user object for the currently authenticated user. Response
{
  "id": "f9e8d7c6-...",
  "email": "traveller@example.com",
  "full_name": "Ana González",
  "phone": "+50688990011",
  "role": "client",
  "is_active": true,
  "is_verified": true,
  "avatar_url": "https://cdn.maleku.dev/avatars/ana.jpg",
  "created_at": "2024-03-01T10:00:00Z"
}

PUT /api/v1/users/

Update a user’s profile fields. When called by a super_admin this endpoint can update any user. Rate-limited to 10 requests per minute.
Only a Super Admin can call PUT /api/v1/users/{user_id}. Regular users should update their own profiles via the Auth endpoints. Attempting to update another user’s profile without the super_admin role returns 403 Forbidden.
Request body — UserUpdate
full_name
string
User’s full name. Minimum 2 characters, maximum 255. HTML and SQL injection patterns are rejected.
phone
string
Contact phone number. Minimum 8 characters, maximum 20.
avatar_url
string
Profile avatar URL. Must start with http://, https://, or /. javascript: and data: protocols are blocked.
Response — updated UserResponse object.

DELETE /api/v1/users/me

Account deletion is handled via the Auth router. Self-service account deletion marks the account for removal.

Admin Operations

All endpoints in this section require the super_admin role. Calls with any other token role receive 403 Forbidden.

GET /api/v1/users/

List all users with pagination. Results are ordered by created_at descending.
page
integer
default:"1"
Page number. Minimum: 1.
page_size
integer
default:"20"
Items per page. Range: 1–100.
Response — PaginatedResponse
{
  "items": [
    {
      "id": "f9e8d7c6-...",
      "email": "traveller@example.com",
      "full_name": "Ana González",
      "phone": "+50688990011",
      "role": "client",
      "is_active": true,
      "is_verified": true,
      "avatar_url": null,
      "created_at": "2024-03-01T10:00:00Z"
    }
  ],
  "total": 1840,
  "page": 1,
  "page_size": 20,
  "total_pages": 92,
  "has_next": true,
  "has_prev": false
}

GET /api/v1/users/

Get a user by UUID. A user can view their own profile with their token. Viewing any other user’s profile requires the super_admin role. Response — UserResponse
{
  "id": "f9e8d7c6-...",
  "email": "traveller@example.com",
  "full_name": "Ana González",
  "phone": "+50688990011",
  "role": "client",
  "is_active": true,
  "is_verified": true,
  "avatar_url": "https://cdn.maleku.dev/avatars/ana.jpg",
  "created_at": "2024-03-01T10:00:00Z"
}

PUT /api/v1/users/

Update any user’s profile. Requires super_admin role. Can modify full_name, phone, and avatar_url. Rate-limited to 10 requests per minute.

DELETE /api/v1/users/

Deactivate a user account (sets is_active = false). Requires super_admin role. A Super Admin cannot delete their own account via this endpoint — the API returns 400 Bad Request if user_id matches the authenticated user. Response
{ "message": "User deactivated" }

POST /api/v1/users//activate

Reactivate a previously deactivated user account. Requires super_admin role. Rate-limited to 10 requests per minute. Response
{
  "message": "User activated",
  "is_active": true
}

POST /api/v1/users//role

Change a user’s role. Requires super_admin role. Rate-limited to 10 requests per minute.
role
string
required
The new role value. Valid roles: client, vendor, admin, super_admin.
Response
{
  "message": "User role changed to vendor",
  "user_id": "f9e8d7c6-...",
  "new_role": "vendor"
}

POST /api/v1/users//anonymize

Permanently anonymize all personal data for a user for GDPR compliance. Requires super_admin role. Rate-limited to 5 requests per minute.
Anonymization is irreversible. This action replaces the user’s email, name, phone, and avatar with anonymized placeholders, clears the password hash, and anonymizes all linked booking and review records. The operation is logged for the audit trail.
The anonymized email is set to deleted-{random_hex}@anonymized.com and the full name becomes "Deleted User". Associated bookings have guest_name set to "Anonymized" and reviews have their content replaced with "This review has been anonymized.". Response
{ "message": "User data anonymized for GDPR compliance" }

UserResponse Schema

id
UUID
Unique user identifier.
email
string
Email address (used as the login identifier).
full_name
string
User’s full name.
phone
string | null
Contact phone number.
role
string
User role: client, vendor, admin, or super_admin.
is_active
boolean
Whether the account is active. Deactivated accounts cannot log in.
is_verified
boolean
Whether the user has verified their email address.
avatar_url
string | null
Profile image URL.
created_at
datetime
ISO 8601 timestamp of account creation.

Build docs developers (and LLMs) love