IdentityUser. They carry all standard Identity fields (username, email, password hash, etc.) plus three additional fields specific to WebCorporativa: a profile reference, an active flag, and an optional avatar URL.
User model
| Field | Type | Constraints | Description |
|---|---|---|---|
UserName | string | Inherited from Identity, unique | Login identifier. This is what users provide at login, not email. |
Email | string | Inherited from Identity | Stored for contact purposes; not used for login. |
IdPerfil | int | Foreign key to PerfilModel | The profile assigned to this user. Determines all permissions. |
Activo | bool | Default: true | When false, login is blocked even with valid credentials. |
Imagen | string? | Nullable, Cloudinary URL | User avatar URL. null if no image has been uploaded. |
Login identifier
WebCorporativa usesUserName — not Email — as the login identifier. When a user submits credentials to POST /api/Auth, the userName field in the request body must match the UserName stored in the database.
Email is stored on the user record and visible via the user management endpoints, but it plays no role in authentication or authorization.
Active status
TheActivo flag controls whether a user can authenticate. When Activo = false, the login endpoint rejects the credentials and does not issue a token, even if the username and password are correct.
Use this flag to:
- Temporarily suspend access without deleting the account
- Disable accounts during offboarding workflows
- Block access immediately when
BitAdministradorescalation is a concern
Profile assignment
Every user has exactly one profile, referenced byIdPerfil. The profile determines the full set of permissions the user receives when they log in. You assign the profile at creation time; to change it later, update the user’s IdPerfil via the /api/Usuario endpoints.
The permission set from the assigned profile is embedded into the JWT at login. If the profile has BitAdministrador = true, all module permissions are automatically granted. See Profiles for details.
Avatar images
TheImagen field stores a Cloudinary URL. Users do not upload image files directly — instead, you submit a Base64-encoded image string through the user update endpoint. The API handles the Cloudinary upload and stores the resulting URL.
Accepted format
Base64-encoded image string. Submitted as part of the request body.
Size limit
Maximum 2 MB. Requests exceeding this limit are rejected.
Output dimensions
Images are automatically resized to 200×200 px by Cloudinary.
Stored value
The
Imagen field is set to the Cloudinary delivery URL returned after upload.If Cloudinary credentials are not configured at startup, image upload requests will fail. All other user operations work normally. See Configuration for the required environment variables.
Default seeded user
The API seeds one user on first startup:| Field | Value |
|---|---|
UserName | admin |
Email | admin@empresa.com |
IdPerfil | ID of the Administrador Master profile |
Activo | true |
Creating users
New users are created viaPOST /api/Auth/register. This endpoint requires the caller to have the usuario.agregar permission — meaning only users with a profile that grants that permission (or an administrator profile) can register new accounts.
Registration is a protected operation — it is not an open sign-up endpoint. A valid JWT with
usuario.agregar must be present in the Authorization header.Managing users
Register a user
Create a new user account with a profile assignment.
List users
Retrieve all user accounts.
Update a user
Update fields including active status, profile, and avatar.
Delete a user
Permanently remove a user account.
Related pages
Profiles
How profiles group permissions and how they are assigned to users.
Authentication overview
The login flow and how user credentials are validated.
Permissions
How the assigned profile’s permissions are embedded in the JWT.