
The Users API is the central registry for every person in your organisation. It lets authorised callers enumerate the workforce, onboard new employees, manage profile and status fields, and perform administrative security actions — all enforced by a role-based access-control layer that automatically scopes what each caller may see or change.
All endpoints in this section are prefixed with /api/v1/users and require an Authorization: Bearer <token> header obtained from POST /api/v1/auth/login.

Enum Reference

User Roles

Value            Description
admin            Full system access.
hr_operations    HR management access across all employees.
manager          Manages a team; can approve leave and tasks.
team_lead        Technical lead with partial management rights.
employee         Standard employee.
junior_employee  Junior-level employee.
intern           Intern; task completion requires manager approval.

User Status

Value      Description
active     Account is active and can log in.
inactive   Deactivated account.
suspended  Temporarily suspended.
invited    Invitation sent, account not yet activated.

GET /users

List all users visible to the authenticated caller. Results are automatically scoped by role: Admins and HR see the full directory; Managers see their own reports plus colleagues; Employees see a limited set of colleagues. Auth: Any authenticated user. Scope is enforced server-side.

Query Parameters

role
string
Filter by role. Accepted values: admin, hr_operations, manager, team_lead, employee, junior_employee, intern.
department
string
Filter by department name string (case-insensitive partial match).
manager_id
uuid
Return only direct reports of the specified manager UUID.
status
string
Filter by account status. Accepted values: active, inactive, suspended, invited.

Response Fields

[]
array
Array of UserRead objects.
Example
curl -X GET "https://api.example.com/api/v1/users?role=employee&department=Engineering" \
  -H "Authorization: Bearer <token>"

POST /users

Create a new user account and send an invitation email. The new user must activate their account via the emailed link before they can log in. Auth: admin or hr_operations role required.

Request Body

full_name
string
required
Employee’s full name. 1–255 characters.
email
string
required
Work email address. Must be unique across the organisation.
role
string
required
Initial role. One of admin, hr_operations, manager, team_lead, employee, junior_employee, intern.
password
string
Optional pre-set password (min 8 chars). If omitted, the user sets their password during activation.
phone
string
Contact phone number.
department
string
Department name string (legacy field).
department_id
uuid
Preferred — UUID of the department record.
shift_id
uuid
UUID of the assigned work shift.
designation
string
Job title, e.g. Senior Engineer.
manager_id
uuid
UUID of the direct line manager.

Response Fields

user
UserRead
required
Full profile of the newly created user (see UserRead fields above).
invitation_email_sent
boolean
required
true when the activation email was dispatched successfully.
email_error
string
SMTP error message if the invitation email failed; otherwise null.
debug_token
string
Activation token returned only in development environment — never present in production.
This endpoint is restricted to admin and hr_operations roles. Calling it with any other role returns 403 Forbidden.
Example
curl -X POST "https://api.example.com/api/v1/users" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "full_name": "Ayesha Raza",
    "email": "[email protected]",
    "role": "employee",
    "department_id": "b2c3d4e5-0000-0000-0000-000000000001",
    "shift_id": "a1b2c3d4-0000-0000-0000-000000000002",
    "designation": "Software Engineer",
    "manager_id": "f7e6d5c4-0000-0000-0000-000000000003"
  }'

GET /users/active-directory

Return a minimal directory of users the authenticated caller may message, enriched with live presence and online-state data. Used to populate contact pickers in messaging UIs. Auth: Any authenticated user. Results are RBAC-scoped.

Response Fields

[]
array
Array of UserDirectoryRead objects.
Example
curl -X GET "https://api.example.com/api/v1/users/active-directory" \
  -H "Authorization: Bearer <token>"

GET /users/me

Return the full profile of the currently authenticated user, enriched with live presence and online-state data. Auth: Any authenticated user.

Response Fields

Returns a single UserRead object. See GET /users for the full field list.
Example
curl -X GET "https://api.example.com/api/v1/users/me" \
  -H "Authorization: Bearer <token>"

PATCH /users/me/presence

Update the authenticated user’s real-time presence status. Auth: Any authenticated user.

Request Body

presence_status
string
required
New presence state. Must be active or away.

Response Fields

presence_status
string
required
Updated presence state.
presence_updated_at
datetime
Timestamp of the change.
last_seen_at
datetime
Timestamp of last API activity.
Example
curl -X PATCH "https://api.example.com/api/v1/users/me/presence" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"presence_status": "away"}'

PATCH /users/me/profile

Update the currently authenticated user’s own profile details. Auth: Any authenticated user.

Request Body

full_name
string
required
Updated display name. 1–255 characters.
phone
string
Updated contact phone number. Max 50 characters.

Response Fields

Returns the updated UserRead object.
Example
curl -X PATCH "https://api.example.com/api/v1/users/me/profile" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"full_name": "Ayesha R. Khan", "phone": "+92-300-1234567"}'

PATCH /users/me/profile-picture

Upload a new profile picture for the authenticated user. Accepts a multipart/form-data request with a single file field. Auth: Any authenticated user.

Request Body

file
file
required
Image file to upload (multipart/form-data). JPEG, PNG, and WebP are accepted.

Response Fields

Returns the updated UserRead object with avatar_url and profile_picture_url pointing to the new image.
Example
curl -X PATCH "https://api.example.com/api/v1/users/me/profile-picture" \
  -H "Authorization: Bearer <token>" \
  -F "file=@/path/to/photo.jpg"

DELETE /users/me/profile-picture

Remove the authenticated user’s profile picture, clearing all related fields. Auth: Any authenticated user.

Response Fields

Returns the updated UserRead object with avatar_url set to null.
Example
curl -X DELETE "https://api.example.com/api/v1/users/me/profile-picture" \
  -H "Authorization: Bearer <token>"

POST /users/me/change-password

Change the authenticated user’s own password. Requires the current password for verification. Auth: Any authenticated user.

Request Body

current_password
string
required
The user’s existing password for verification.
new_password
string
required
The desired new password. Minimum 8 characters.
confirm_password
string
required
Must match new_password exactly.

Response Fields

message
string
required
Confirmation message on success.
Returns 400 Bad Request if current_password is incorrect, if new_password and confirm_password do not match, or if the new password is identical to the current one.
Example
curl -X POST "https://api.example.com/api/v1/users/me/change-password" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "current_password": "OldPass123!",
    "new_password": "NewPass456!",
    "confirm_password": "NewPass456!"
  }'
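The validation order for POST /users/me/change-password is fully specified above (current password verified, confirmation must match, minimum length, new must differ). As an added example that is not the project's code, here is that check as a handler returning responses in the page's `{"detail": ...}` error shape. The page does not document the service's password hashing; PBKDF2-HMAC-SHA256 with a random per-user salt and a constant-time comparison is an assumption, as are the `make_user` record and the exact message strings.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Assumption: the service's hashing scheme is not documented on this page;
# PBKDF2-HMAC-SHA256 with a per-user random salt is used for illustration.
PBKDF2_ITERATIONS = 100_000
MIN_PASSWORD_LENGTH = 8  # from the page


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh 16-byte salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def make_user(password: str) -> Dict[str, bytes]:
    """Constructed stored-credential record for the example (hypothetical shape)."""
    salt, digest = hash_password(password)
    return {"salt": salt, "digest": digest}


def change_password(user: Dict[str, bytes], body: Dict[str, str]) -> Tuple[int, dict]:
    """Apply the checks documented for POST /users/me/change-password.

    Returns (status, response): 200 with a message on success, 400 with a
    "detail" string on any failed check, in the order the page lists them.
    """
    current = body.get("current_password", "")
    new = body.get("new_password", "")
    confirm = body.get("confirm_password", "")

    if not verify_password(current, user["salt"], user["digest"]):
        return 400, {"detail": "Current password is incorrect."}
    if new != confirm:
        return 400, {"detail": "new_password and confirm_password do not match."}
    if len(new) < MIN_PASSWORD_LENGTH:
        return 400, {"detail": f"New password must be at least {MIN_PASSWORD_LENGTH} characters."}
    if new == current:
        return 400, {"detail": "New password must differ from the current password."}

    # All checks passed: re-hash with a fresh salt and replace the stored credential.
    user["salt"], user["digest"] = hash_password(new)
    return 200, {"message": "Password updated successfully."}


if __name__ == "__main__":
    record = make_user("OldPass123!")
    print(change_password(record, {"current_password": "OldPass123!",
                                   "new_password": "NewPass456!",
                                   "confirm_password": "NewPass456!"}))
```

Requiring `current_password` is what makes this endpoint safe to expose to any authenticated session: a stolen bearer token alone is not enough to lock the legitimate user out by rotating their password.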

GET /users/{user_id}

Retrieve the profile of a specific user by their UUID. Access is subject to role-scoping: Employees can only view users within their own visibility boundary; Managers can view their reports; Admins and HR can view anyone. Auth: Any authenticated user. View access is RBAC-scoped.

Path Parameters

user_id
uuid
required
UUID of the target user.

Response Fields

Returns a single UserRead object (see field table under GET /users).
Example
curl -X GET "https://api.example.com/api/v1/users/3fa85f64-5717-4562-b3fc-2c963f66afa6" \
  -H "Authorization: Bearer <token>"

PATCH /users/{user_id}

Update a user’s profile fields or account status. Callers may only update fields they are authorised to change: Employees can update their own full_name and phone; Managers can update their direct reports; Admins and HR can update any field including role and status. Auth: Any authenticated user. Write permissions are RBAC-enforced per field.

Path Parameters

user_id
uuid
required
UUID of the user to update.

Request Body

full_name
string
Updated display name. 1–255 characters.
phone
string
Updated contact phone number.
department
string
Department name string (legacy).
department_id
uuid
UUID of the new department.
shift_id
uuid
UUID of the new shift.
designation
string
Updated job title.
manager_id
uuid
UUID of the new direct-line manager.
status
string
New account status: active, inactive, suspended, or invited. Admin/HR only.
role
string
New role assignment. Admin/HR only.

Response Fields

Returns the updated UserRead object.
Example
curl -X PATCH "https://api.example.com/api/v1/users/3fa85f64-5717-4562-b3fc-2c963f66afa6" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "designation": "Lead Engineer",
    "shift_id": "d4e5f6a7-0000-0000-0000-000000000004"
  }'
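The scoping rules for GET /users and the per-field write rules for PATCH /users/{user_id} are stated in prose above but are where authorization bugs in a users API usually live (an employee setting their own role, a manager writing status). The following is an added example, not code from the HR_Monitoring_System project, showing the two checks as pure functions over a constructed in-memory directory. Assumptions not on the page: "colleagues" means users in the same department, managers may edit every field on a direct report except the Admin/HR-only ones, and the `User` dataclass and `authorize_patch` helper are invented for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Roles that see the whole directory and may write every field (from the page).
ADMIN_ROLES = {"admin", "hr_operations"}
# Fields the page marks "Admin/HR only" on PATCH /users/{user_id}.
ADMIN_ONLY_FIELDS = {"role", "status"}
# Fields an employee may change on their own record (from the page).
SELF_EDITABLE_FIELDS = {"full_name", "phone"}
# Remaining request-body fields of PATCH /users/{user_id}.
PROFILE_FIELDS = {"full_name", "phone", "department", "department_id",
                  "shift_id", "designation", "manager_id"}
ALL_PATCH_FIELDS = PROFILE_FIELDS | ADMIN_ONLY_FIELDS


@dataclass
class User:  # hypothetical minimal record, not the project's UserRead
    id: str
    role: str
    department: Optional[str] = None
    manager_id: Optional[str] = None


def visible_users(caller: User, users: List[User]) -> List[User]:
    """Scope a GET /users result set by the caller's role.

    Assumption (not stated on the page): "colleagues" means users in the
    same department as the caller.
    """
    if caller.role in ADMIN_ROLES:
        return list(users)
    same_dept = lambda u: caller.department is not None and u.department == caller.department
    if caller.role == "manager":
        return [u for u in users
                if u.id == caller.id or u.manager_id == caller.id or same_dept(u)]
    return [u for u in users if u.id == caller.id or same_dept(u)]


def writable_fields(caller: User, target: User) -> Set[str]:
    """Fields the caller may change on the target via PATCH /users/{user_id}."""
    if caller.role in ADMIN_ROLES:
        return set(ALL_PATCH_FIELDS)
    if caller.role == "manager" and target.manager_id == caller.id:
        # Assumption: managers may edit every field except the Admin/HR-only ones.
        return set(PROFILE_FIELDS)
    if caller.id == target.id:
        return set(SELF_EDITABLE_FIELDS)
    return set()


def authorize_patch(caller: User, target: User, body: Dict[str, object]) -> Tuple[int, dict]:
    """Return (status, response) in the page's error shape; 200 only if every field is allowed."""
    unknown = set(body) - ALL_PATCH_FIELDS
    if unknown:
        return 400, {"detail": f"Unknown fields: {', '.join(sorted(unknown))}"}
    denied = set(body) - writable_fields(caller, target)
    if denied:
        # Deny the whole request rather than silently dropping the forbidden fields,
        # so a client cannot probe which fields were applied.
        return 403, {"detail": f"You do not have permission to update: {', '.join(sorted(denied))}"}
    return 200, {"updated_fields": sorted(body)}


# Constructed sample directory (not real data).
ADMIN = User("u-admin", "admin")
MANAGER = User("u-mgr", "manager", department="Engineering")
EMP = User("u-emp", "employee", department="Engineering", manager_id="u-mgr")
OTHER = User("u-other", "employee", department="Finance", manager_id="u-fin")
DIRECTORY = [ADMIN, MANAGER, EMP, OTHER]

if __name__ == "__main__":
    print([u.id for u in visible_users(EMP, DIRECTORY)])
    print(authorize_patch(EMP, EMP, {"role": "admin"}))
```

The point of `authorize_patch` is that the field set is checked against the caller, not the target alone: the same body is accepted from an admin, partially accepted from a manager of the target, and rejected outright from an employee trying to edit someone else or to touch `role` or `status` on their own record.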

DELETE /users/{user_id}

Deactivate a user account. This is a soft deactivation — the record is retained for audit history. Auth: admin role required.

Path Parameters

user_id
uuid
required
UUID of the user to deactivate.

Response Fields

Returns the updated UserRead object with status: "inactive".
Example
curl -X DELETE "https://api.example.com/api/v1/users/3fa85f64-5717-4562-b3fc-2c963f66afa6" \
  -H "Authorization: Bearer <token>"

POST /users/{user_id}/suspend

Temporarily suspend a user account, preventing login until the account is reactivated. Auth: admin role required.

Path Parameters

user_id
uuid
required
UUID of the user to suspend.

Query Parameters

reason
string
Optional free-text reason for the suspension, stored in the audit log.

Response Fields

Returns the updated UserRead object with status: "suspended".
Example
curl -X POST "https://api.example.com/api/v1/users/3fa85f64-5717-4562-b3fc-2c963f66afa6/suspend?reason=Policy+violation" \
  -H "Authorization: Bearer <token>"

POST /users/{user_id}/activate

Reactivate a previously deactivated or suspended user account. Auth: Any authenticated user (RBAC-enforced server-side; typically admin or hr_operations).

Path Parameters

user_id
uuid
required
UUID of the user to activate.

Response Fields

Returns the updated UserRead object with status: "active".
Example
curl -X POST "https://api.example.com/api/v1/users/3fa85f64-5717-4562-b3fc-2c963f66afa6/activate" \
  -H "Authorization: Bearer <token>"

POST /users/{user_id}/resend-invite

Resend the invitation / account-setup email to a user whose status is invited. Auth: admin or manager role required. Rate-limited.

Path Parameters

user_id
uuid
required
UUID of the invited user.

Response Fields

message
string
required
Human-readable outcome message.
email_sent
boolean
required
true if the email was dispatched.
email_error
string
SMTP error detail when email_sent is false.
Example
curl -X POST "https://api.example.com/api/v1/users/3fa85f64-5717-4562-b3fc-2c963f66afa6/resend-invite" \
  -H "Authorization: Bearer <token>"

PATCH /users/{user_id}/profile-picture

Upload a profile picture for any user. The caller must be the target user themselves, or hold admin or hr_operations role. Auth: Self, admin, or hr_operations.

Path Parameters

user_id
uuid
required
UUID of the user whose picture should be updated.

Request Body

file
file
required
Image file (multipart/form-data). JPEG, PNG, or WebP.

Response Fields

Returns the updated UserRead object.
Example
curl -X PATCH "https://api.example.com/api/v1/users/3fa85f64-5717-4562-b3fc-2c963f66afa6/profile-picture" \
  -H "Authorization: Bearer <token>" \
  -F "file=@/path/to/photo.jpg"

DELETE /users/{user_id}/profile-picture

Remove a user’s profile picture. The caller must be the target user or hold admin/HR role. Auth: Self, admin, or hr_operations.

Path Parameters

user_id
uuid
required
UUID of the user whose picture should be removed.

Response Fields

Returns the updated UserRead object with avatar_url set to null.
Example
curl -X DELETE "https://api.example.com/api/v1/users/3fa85f64-5717-4562-b3fc-2c963f66afa6/profile-picture" \
  -H "Authorization: Bearer <token>"

GET /users/{user_id}/admin-profile

Retrieve a 360° aggregated profile for an employee, including attendance, leave, tasks, time logs, projects, goals, and notes. Intended for the HR/admin employee-detail view. Auth: admin role required.

Path Parameters

user_id
uuid
required
UUID of the employee.

Query Parameters

start_date
string
Start of the date range for sub-resource queries (ISO-8601 date string).
end_date
string
End of the date range for sub-resource queries (ISO-8601 date string).
limit
integer
Maximum number of records per sub-resource. Default: 50.

Response Fields

profile
UserRead
required
Full user profile.
attendance_summary
object
required
Aggregate attendance statistics for the selected period.
attendance_sessions
array
required
Recent attendance sessions.
breaks
array
required
Recent attendance break records.
leave_requests
array
required
Leave requests for the period.
eod_submissions
array
required
End-of-day report submissions.
tasks
array
required
Assigned tasks.
time_logs
array
required
Time log entries.
projects
array
required
Projects the employee is associated with.
goals
array
required
Personal development goals.
notes
array
required
Personal notes.
activity_timeline
array
required
Chronological activity events for the employee.
Example
curl -X GET "https://api.example.com/api/v1/users/3fa85f64-5717-4562-b3fc-2c963f66afa6/admin-profile?limit=20" \
  -H "Authorization: Bearer <token>"

PATCH /users/{user_id}/role

Change a user’s role. RBAC rules govern which role transitions are permitted. Auth: Any authenticated user (RBAC-enforced; typically admin or hr_operations).

Path Parameters

user_id
uuid
required
UUID of the target user.

Request Body

role
string
required
The new role. One of admin, hr_operations, manager, team_lead, employee, junior_employee, intern.

Response Fields

Returns the updated UserRead object.
Example
curl -X PATCH "https://api.example.com/api/v1/users/3fa85f64-5717-4562-b3fc-2c963f66afa6/role" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"role": "team_lead"}'

PATCH /users/{user_id}/department

Update a user’s department assignment and optional designation. Auth: Any authenticated user (RBAC-enforced).

Path Parameters

user_id
uuid
required
UUID of the target user.

Request Body

department_id
uuid
UUID of the new department. Omit to leave unchanged.
designation
string
Updated job title.
clear_department
boolean
Set to true to remove the user from their current department. Default: false.

Response Fields

Returns the updated UserRead object.
Example
curl -X PATCH "https://api.example.com/api/v1/users/3fa85f64-5717-4562-b3fc-2c963f66afa6/department" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"department_id": "c1d2e3f4-0000-0000-0000-000000000005"}'

PATCH /users/{user_id}/department-details

Update department, shift, manager, and designation in a single call. Intended for the admin employee-detail form. Auth: Any authenticated user (RBAC-enforced).

Path Parameters

user_id
uuid
required
UUID of the target user.

Request Body

department_id
uuid
UUID of the new department.
shift_id
uuid
UUID of the new work shift.
manager_id
uuid
UUID of the new direct-line manager.
designation
string
Updated job title.

Response Fields

Returns the updated UserRead object.
Example
curl -X PATCH "https://api.example.com/api/v1/users/3fa85f64-5717-4562-b3fc-2c963f66afa6/department-details" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "department_id": "c1d2e3f4-0000-0000-0000-000000000005",
    "shift_id": "d4e5f6a7-0000-0000-0000-000000000004",
    "manager_id": "f7e6d5c4-0000-0000-0000-000000000003",
    "designation": "Senior Engineer"
  }'

PATCH /users/{user_id}/status

Directly set a user’s account status. Auth: Any authenticated user (RBAC-enforced).

Path Parameters

user_id
uuid
required
UUID of the target user.

Request Body

status
string
required
New account status: active, inactive, suspended, or invited.

Response Fields

Returns the updated UserRead object.
Example
curl -X PATCH "https://api.example.com/api/v1/users/3fa85f64-5717-4562-b3fc-2c963f66afa6/status" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"status": "active"}'

PATCH /users/{user_id}/reporting

Update a user’s reporting line — manager, shift, and designation — with explicit control flags. Auth: Any authenticated user (RBAC-enforced).

Path Parameters

user_id
uuid
required
UUID of the target user.

Request Body

manager_id
uuid
UUID of the new manager. Only applied when update_manager is true.
shift_id
uuid
UUID of the new shift. Only applied when update_shift is true.
designation
string
Updated job title.
update_manager
boolean
Set to true to apply the manager_id change. Default: false.
update_shift
boolean
Set to true to apply the shift_id change. Default: false.

Response Fields

Returns the updated UserRead object.
Example
curl -X PATCH "https://api.example.com/api/v1/users/3fa85f64-5717-4562-b3fc-2c963f66afa6/reporting" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "manager_id": "f7e6d5c4-0000-0000-0000-000000000003",
    "update_manager": true,
    "designation": "Tech Lead"
  }'

PATCH /users/{user_id}/admin-profile

Update an employee’s core profile fields (name, email, phone, designation) from the admin panel. Auth: Any authenticated user (RBAC-enforced).

Path Parameters

user_id
uuid
required
UUID of the target user.

Request Body

full_name
string
Updated display name. 1–255 characters.
email
string
Updated work email address.
phone
string
Updated contact phone number. Max 50 characters.
designation
string
Updated job title.

Response Fields

Returns the updated UserRead object.
Example
curl -X PATCH "https://api.example.com/api/v1/users/3fa85f64-5717-4562-b3fc-2c963f66afa6/admin-profile" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"full_name": "Ayesha Raza Khan", "designation": "Principal Engineer"}'

GET /users/{user_id}/permissions

Retrieve the full permission breakdown for a user, showing role-granted permissions, extra grants, explicit denials, and the final resolved permission set. Auth: Any authenticated user (RBAC-enforced).

Path Parameters

user_id
uuid
required
UUID of the target user.

Response Fields

user_id
uuid
required
User identifier.
role
string
required
User’s current role.
role_permissions
array
required
Permissions granted by the user’s role.
extra_permissions
array
required
Additional individually granted permissions.
denied_permissions
array
required
Permissions explicitly denied for this user.
resolved_permissions
array
required
Final effective permission list after applying grants and denials.
Example
curl -X GET "https://api.example.com/api/v1/users/3fa85f64-5717-4562-b3fc-2c963f66afa6/permissions" \
  -H "Authorization: Bearer <token>"

PATCH /users/{user_id}/permissions

Update a user’s individual permission overrides — granting extra permissions above their role, or explicitly denying role-default permissions. Auth: Any authenticated user (RBAC-enforced; typically admin).

Path Parameters

user_id
uuid
required
UUID of the target user.

Request Body

extra_grants
array
List of permission key strings to grant in addition to the role’s defaults. Default: [].
extra_denies
array
List of permission key strings to explicitly deny regardless of role. Default: [].

Response Fields

Returns the updated UserPermissionsRead object (same fields as GET /users/{user_id}/permissions).
Example
curl -X PATCH "https://api.example.com/api/v1/users/3fa85f64-5717-4562-b3fc-2c963f66afa6/permissions" \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "extra_grants": ["analytics.view_team"],
    "extra_denies": []
  }'
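GET /users/{user_id}/permissions and PATCH /users/{user_id}/permissions describe a layered model: role-granted permissions, individual extra grants, explicit denials, and a final resolved set. As an added example (not the project's code), the block below implements that resolution, the validation a PATCH handler should do on `extra_grants` and `extra_denies`, and the `has_permission` check a route would run against the resolved set. Assumptions: the `ROLE_PERMISSIONS` map and every key except `analytics.view_team` (the one on the page) are invented; an explicit deny wins even over an explicit grant; a key appearing in both lists is rejected; and an omitted list, which the page defaults to `[]`, replaces rather than merges the stored override.

```python
from typing import Dict, Iterable, Tuple

# Constructed role -> permission-key map. The real keys are not documented on
# this page (only "analytics.view_team" appears in its example), so these are assumptions.
ROLE_PERMISSIONS: Dict[str, frozenset] = {
    "admin": frozenset({"users.manage", "analytics.view_team", "analytics.view_all"}),
    "manager": frozenset({"leave.approve", "tasks.approve", "analytics.view_team"}),
    "employee": frozenset({"profile.edit_self", "tasks.update_own"}),
}


def resolve_permissions(user_id: str, role: str,
                        extra_grants: Iterable[str], extra_denies: Iterable[str]) -> dict:
    """Build the UserPermissionsRead shape documented for GET /users/{user_id}/permissions.

    Resolution rule: (role permissions plus extra grants) minus denies.
    Assumption: an explicit deny wins even over an explicit grant.
    """
    role_perms = set(ROLE_PERMISSIONS.get(role, frozenset()))
    grants, denies = set(extra_grants), set(extra_denies)
    resolved = (role_perms | grants) - denies
    return {
        "user_id": user_id,
        "role": role,
        "role_permissions": sorted(role_perms),
        "extra_permissions": sorted(grants),
        "denied_permissions": sorted(denies),
        "resolved_permissions": sorted(resolved),
    }


def apply_permission_overrides(user: dict, body: dict) -> Tuple[int, dict]:
    """Validate and store a PATCH /users/{user_id}/permissions body, then return the resolved view.

    `user` is a constructed record: {"id", "role", "extra_grants", "extra_denies"}.
    An omitted list defaults to [] (as the page states) and replaces the stored override
    (assumption: replace, not merge).
    """
    grants = body.get("extra_grants", [])
    denies = body.get("extra_denies", [])
    for name, value in (("extra_grants", grants), ("extra_denies", denies)):
        if not isinstance(value, list) or not all(isinstance(k, str) and k for k in value):
            return 400, {"detail": f"{name} must be a list of non-empty permission key strings."}
    overlap = set(grants) & set(denies)
    if overlap:
        # Assumption: a key in both lists is rejected rather than silently resolved.
        return 400, {"detail": f"Keys cannot be both granted and denied: {', '.join(sorted(overlap))}"}
    user["extra_grants"], user["extra_denies"] = sorted(set(grants)), sorted(set(denies))
    return 200, resolve_permissions(user["id"], user["role"], user["extra_grants"], user["extra_denies"])


def has_permission(user: dict, key: str) -> bool:
    """Authorization check a route handler would run against the resolved set."""
    view = resolve_permissions(user["id"], user["role"], user["extra_grants"], user["extra_denies"])
    return key in view["resolved_permissions"]


if __name__ == "__main__":
    record = {"id": "3fa85f64-5717-4562-b3fc-2c963f66afa6", "role": "employee",
              "extra_grants": [], "extra_denies": []}
    print(apply_permission_overrides(record, {"extra_grants": ["analytics.view_team"]}))
```

Two properties are worth checking in any implementation of this model: denies must be applied last so a grant can never reinstate a denied key, and a PATCH that sends only `extra_denies` must not silently keep an earlier `extra_grants` list if the documented default is `[]`.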

POST /users/{user_id}/send-password-reset

Send a password-reset link to the user’s registered email address. Auth: Any authenticated user (RBAC-enforced). Rate-limited.

Path Parameters

user_id
uuid
required
UUID of the user who should receive the reset link.

Response Fields

message
string
required
Confirmation message.
email_sent
boolean
required
true if the email was dispatched.
email_error
string
SMTP error detail when email_sent is false.
Example
curl -X POST "https://api.example.com/api/v1/users/3fa85f64-5717-4562-b3fc-2c963f66afa6/send-password-reset" \
  -H "Authorization: Bearer <token>"

POST /users/{user_id}/resend-invitation

Resend the account-setup / invitation link (alias endpoint alongside POST /users/{user_id}/resend-invite). Auth: admin or manager role required. Rate-limited.

Path Parameters

user_id
uuid
required
UUID of the invited user.

Response Fields

message
string
required
Outcome message.
email_sent
boolean
required
true if the email was dispatched.
email_error
string
SMTP error detail when email_sent is false.
Example
curl -X POST "https://api.example.com/api/v1/users/3fa85f64-5717-4562-b3fc-2c963f66afa6/resend-invitation" \
  -H "Authorization: Bearer <token>"

POST /users/{user_id}/force-password-reset

Flag the user’s account so they are forced to set a new password on their next login attempt. Auth: Any authenticated user (RBAC-enforced). Rate-limited.

Path Parameters

user_id
uuid
required
UUID of the target user.

Response Fields

message
string
required
Confirmation message.
email_sent
boolean
required
Whether a notification email was sent.
email_error
string
Error detail if notification email failed.
Example
curl -X POST "https://api.example.com/api/v1/users/3fa85f64-5717-4562-b3fc-2c963f66afa6/force-password-reset" \
  -H "Authorization: Bearer <token>"

GET /users/{user_id}/admin-summary

Retrieve a compact activity summary for an employee, covering attendance, tasks, time logs, leave, projects, and EOD submissions. Optimised for quick-glance dashboard tiles. Auth: Any authenticated user (RBAC-enforced).

Path Parameters

user_id
uuid
required
UUID of the employee.

Response Fields

user_id
uuid
required
Employee identifier.
attendance
object
required
Attendance aggregate statistics.
tasks
object
required
Task count statistics by status.
time_logs
object
required
Time tracking aggregate statistics.
leave
object
required
Leave request statistics.
projects
object
required
Project involvement statistics.
eod
object
required
EOD submission statistics.
last_activity
string
ISO-8601 timestamp of the most recent activity.
account_created_at
datetime
required
When the account was created.
last_login
string
ISO-8601 timestamp of the last login, or null.
Example
curl -X GET "https://api.example.com/api/v1/users/3fa85f64-5717-4562-b3fc-2c963f66afa6/admin-summary" \
  -H "Authorization: Bearer <token>"

GET /users/{user_id}/audit-logs

Retrieve the audit history for a user, listing every admin action taken on or by the account. Auth: Any authenticated user (RBAC-enforced).

Path Parameters

user_id
uuid
required
UUID of the target user.

Query Parameters

limit
integer
Number of log entries to return. Range: 1–500. Default: 100.

Response Fields

[]
array
Array of audit log entries.
Example
curl -X GET "https://api.example.com/api/v1/users/3fa85f64-5717-4562-b3fc-2c963f66afa6/audit-logs?limit=25" \
  -H "Authorization: Bearer <token>"

Standard Error Response

{
  "detail": "You do not have permission to perform this action."
}
Common HTTP status codes for this resource: 400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found, 409 Conflict.
