The Users API covers two closely related modules: usuarios (account management) and perfil (profile data). Account operations—creating, updating, disabling, and deleting users—are restricted to Administrators (roleDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/Nieto2020/portalhub/llms.txt
Use this file to discover all available pages before exploring further.
1). Profile reads and updates are available to any authenticated user acting on their own record.
All endpoints communicate via JSON unless otherwise noted. The server uses PHP sessions for authentication; your client must send a valid session cookie on every request.
Role constants
| Constant | id_rol | Description |
|---|---|---|
ROL_ADMIN | 1 | Full administrative access |
ROL_ASESOR | 2 | Advisor — manages assigned clients |
ROL_CLIENTE | 3 | End-client — limited to own data |
GET /backend/modules/usuarios/listar.php
List all users registered in the system, including their role name and account status. Required role: Admin (1) or Asesor (2)
Advisors can call this endpoint to look up client
id_usuario values, but they have no write permissions over user records.Request
No request body. No query parameters required.Response
Auto-incremented primary key for the user record.
The user’s unique email address used for login.
Optional client reference number. Unique across all users.
Account status:
activo or inactivo.UTC timestamp of when the account was created.
Human-readable role name from
cat_roles (e.g., "Admin", "Asesor", "Cliente").Error responses
| HTTP | Message |
|---|---|
401 | No autorizado. Inicie sesión Primero. |
403 | Acceso denegado. Permisos insuficientes. |
500 | Error en el servidor: <detail> |
POST /backend/modules/usuarios/crear.php
Create a new user account. The new account is created withrequire_password_change = 1, forcing the user to set their own password on first login.
Required role: Admin (1) only
Request body
A unique, valid email address for the new user. Duplicate emails are rejected with HTTP 400.
The initial password. Stored as a bcrypt hash. The user will be prompted to change this on first login.
Role assignment:
1 = Admin, 2 = Asesor, 3 = Cliente.Optional client reference number. Must be unique system-wide if provided.
Error responses
| HTTP | Message |
|---|---|
400 | Faltan campos requeridos |
400 | Formato de correo inválido |
400 | El correo ya está registrado |
401 | No autorizado. Inicie sesión Primero. |
403 | Acceso denegado. Permisos insuficientes. |
405 | Método no permitido |
500 | Error en el servidor: <detail> |
PUT /backend/modules/usuarios/actualizar.php
Update an existing user’s email, role, status, and optional client number. Optionally set a new temporary password (which also setsrequire_password_change = 1).
Required role: Admin (1) only
Request body
The ID of the user to update.
New or existing email address. Must be unique across all users except the target record.
Updated role:
1 = Admin, 2 = Asesor, 3 = Cliente.Must be one of
"activo" or "inactivo". Any other value returns HTTP 400.Optional client reference number. Must be unique if provided.
Optional. When provided, the password is hashed and stored, and
require_password_change is set to 1.Error responses
| HTTP | Message |
|---|---|
400 | Faltan campos requeridos |
400 | Formato de correo inválido |
400 | Estado no válido |
400 | El correo ya está registrado por otro usuario |
400 | El número de cliente ya está registrado por otro usuario |
404 | Usuario no encontrado o sin cambios |
405 | Método no permitido |
500 | Ocurrió un error interno al actualizar el usuario |
DELETE /backend/modules/usuarios/eliminar.php
Permanently delete a user record. This action is irreversible. Required role: Admin (1) only
Query parameters
The
id_usuario of the user to delete.Error responses
| HTTP | Message |
|---|---|
400 | ID de usuario no proporcionado |
404 | Usuario no encontrado |
405 | Método no permitido |
500 | Error en el servidor: <detail> |
POST /backend/modules/usuarios/gestionar_estado.php
Activate or deactivate a user account without deleting the record. Deactivated users (inactivo) cannot log in.
Required role: Admin (1) only
Request body
The ID of the user whose status will change.
Action to perform. Use
"activar" to enable the account or "desactivar" to disable it. Defaults to "desactivar" if omitted.Error responses
| HTTP | Message |
|---|---|
400 | ID de usuario no proporcionado |
404 | Usuario no encontrado o ya se encontraba en ese estado |
405 | Método no permitido |
500 | Error en el servidor: <detail> |
POST /backend/modules/usuarios/reset_password_admin.php
Generate a random 10-character temporary password for a user and setrequire_password_change = 1. The temporary password is returned in plaintext in the response once — it is never stored in plaintext. An audit entry is inserted into reset_logs.
Required role: Admin (1) only
Request body
The ID of the user whose password will be reset.
A cryptographically random 10-character string drawn from alphanumeric and special characters (
0-9, a-z, A-Z, !@#$%^&*). Only ever returned once.Error responses
| HTTP | Message |
|---|---|
400 | Faltan campos requeridos |
404 | Usuario no encontrado |
405 | Método no permitido |
500 | Error en el servidor: <detail> |
GET /backend/modules/usuarios/listar_reset_logs.php
Return the 50 most recent password reset events, ordered by most recent first. Each log entry identifies both the administrator who performed the reset and the user whose password was changed. Required role: Admin (1) only
Request
No parameters required.Auto-incremented log entry identifier.
Timestamp when the reset was performed (Mexico City timezone).
Email of the administrator who triggered the reset.
Email of the user whose password was reset.
id_usuario of the affected user.Client reference number of the affected user, if assigned.
Role name of the affected user.
Error responses
| HTTP | Message |
|---|---|
401 | No autorizado. Inicie sesión Primero. |
403 | Acceso denegado. Permisos insuficientes. |
405 | Método no permitido |
500 | Error en el servidor: <detail> |
GET /backend/modules/perfil/obtener.php
Retrieve the authenticated user’s own profile, including account details joined fromusuarios and extended profile data from perfiles.
Authentication: Any authenticated user (checkAuth)
Profile data is stored in a separate
perfiles table linked by id_usuario. If the user has never saved a profile, the perfiles fields will be null in the response.Request
No parameters. The user ID is derived from the active session ($_SESSION['id_usuario']).
Login email from
usuarios.Numeric role ID.
Human-readable role name.
Auto-incremented primary key of the
perfiles row. null if no profile row exists yet.id_usuario from the perfiles row. Matches the session user. null if no profile row exists yet.Full name of the user.
Contact phone number.
Path to the profile photo file, if uploaded.
Asesor-only field: area of specialization.
Asesor-only field: professional biography.
Cliente-only field: Mexican tax ID (RFC), up to 13 characters.
Cliente-only field: registered business name.
Cliente-only field: fiscal address.
Timestamp of the last profile update.
null if no profile row exists yet.Error responses
| HTTP | Message |
|---|---|
401 | No autorizado. Inicie sesión Primero. |
403 | Cambio de contraseña obligatorio |
404 | Perfil no encontrado |
500 | Error en el servidor: <detail> |
POST /backend/modules/perfil/actualizar.php
Create or update the authenticated user’s profile using anINSERT ... ON DUPLICATE KEY UPDATE pattern. Role-specific fields are automatically included or excluded based on the session role.
Authentication: Any authenticated user (checkAuth)
Request body
Full name of the user. Maximum 255 characters.
Contact phone number. Maximum 20 characters.
Error responses
| HTTP | Message |
|---|---|
400 | El nombre completo es obligatorio |
401 | No autorizado. Inicie sesión Primero. |
403 | Cambio de contraseña obligatorio |
405 | Método no permitido |
500 | Error al guardar el perfil: <detail> |