The Users API is the entry point for account management in Credith. It covers the full lifecycle of a user account: creating a new user tied to a store and checkout machine, authenticating with credentials, managing active/inactive status, and updating passwords. Every user is assigned a role (Documentation Index
Fetch the complete documentation index at: https://mintlify.com/RoyGeova07/Credith/llms.txt
Use this file to discover all available pages before exploring further.
EMPLOYEE by default) at registration time, and their identity is carried across requests via two HTTP cookies set during login.
Registering a new user via
POST /api/users does not set any session cookies. After a successful registration, use POST /api/users/login with the same credentials to obtain the token and session cookies needed for authenticated endpoints. There is no separate email-verification or activation step for new accounts.GET /api/users
Retrieves a paginated list of all users. Thepassword field is always excluded from every response. Each user object includes their assigned roles via the users_roles junction table.
Authentication: Not required
Query Parameters
Maximum number of user records to return per page. Defaults to
10.Number of records to skip before starting to collect the result set. Defaults to
0. Use together with limit for pagination.Response
200 OK
Total count of users in the database (before pagination).
Array of user objects for the current page.
Example Response
GET /api/users/:id
Returns a single user record identified by UUID. Thepassword field is excluded, and the full role list for that user is included.
Authentication: Not required
Path Parameters
The unique identifier (
userId) of the user to retrieve.Response
200 OK — Returns the user object (same structure as items in GET /api/users).
404 Not Found
Example Response
GET /api/users/employees
Returns a paginated list of all users, identical in structure toGET /api/users. Roles are included via the junction table.
Authentication: Not required
Query Parameters
Maximum number of records to return per page.
Number of records to skip for pagination.
Response
200 OK — Same shape as GET /api/users: { total, data[] }.
POST /api/users
Registers a new user account. The new user is linked to a specific store and checkout machine, and is automatically assigned a role. If the optionalrole field is omitted or is anything other than ADMIN or EMPLOYEE, the role defaults to EMPLOYEE. OWNER cannot be assigned at registration time.
Authentication: Not required
Request Body
User’s first (given) name. Cannot be blank.
User’s second (middle) name. Cannot be blank.
User’s first surname. Cannot be blank.
User’s second surname. Cannot be blank.
A valid, unique email address. Returns
400 if already registered.Plain-text password. Must be at least 6 characters long. Stored as a bcrypt hash.
UUID of an existing store to associate the user with. Returns
404 if not found.UUID of an existing checkout machine to assign to the user. Returns
404 if not found.Optional desired role. Accepted values:
ADMIN, EMPLOYEE. Any other value (or omission) defaults to EMPLOYEE. OWNER cannot be self-assigned at registration.Response
201 Created
Confirmation message:
"Usuario registrado existosamente".The newly created user object, including
userId and all stored fields. The password field is included in this one-time creation response — store it securely and do not log it.| Status | Condition |
|---|---|
400 | Missing/blank required field, password shorter than 6 chars, or duplicate email |
404 | storeId or checkoutMachineId does not match an existing record |
404 | The resolved role name does not exist in the roles table |
500 | Internal server error |
POST /api/users/login
Authenticates a user with email and password. On success, sets two cookies:| Cookie | HttpOnly | Contents |
|---|---|---|
token | ✅ Yes | Signed JWT. Sent automatically by the browser on subsequent requests. |
session | ❌ No | JSON-encoded session data readable by the frontend (userId, name, role, store, checkout machine). |
maxAge (default: 2 hours, controlled by COOKIE_LIFETIME_HOURS env var).
Authentication: Not required
Request Body
The user’s registered email address.
The user’s plain-text password to verify against the stored bcrypt hash.
Response
200 OK — Cookies are set. Body:
| Status | Condition |
|---|---|
400 | Missing email or password in request body |
404 | Email not found, or password does not match (both return the same generic message to prevent enumeration) |
500 | Internal server error |
POST /api/users/logout
Clears both thetoken (HttpOnly JWT) and session cookies from the client. No request body is needed. This endpoint does not require authentication — calling it when already logged out is a no-op.
Authentication: Not required (but typically called from an authenticated session)
Response
200 OK
cURL Example
PUT /api/users/update-password
Updates the authenticated user’s password. The user is identified from the JWT payload (req.user.id) — the path carries no :id parameter. Both the current password (to confirm identity) and the desired new password must be provided.
Authentication: ✅ Required — valid token cookie
Request Body
The user’s current plain-text password. Must match the stored bcrypt hash or the request is rejected with
400.The desired new password. Must be at least 6 characters long. Stored as a new bcrypt hash.
Response
200 OK
| Status | Condition |
|---|---|
400 | newPassword is fewer than 6 characters |
400 | currentPassword does not match the stored hash |
401 | Missing or invalid token cookie |
404 | Authenticated user ID not found in the database |
500 | Internal server error |
cURL Example
PUT /api/users/desactivate/:id
Sets theisActive flag to false on the specified user account. The user record is not deleted — it remains in the database and can be reactivated. Attempting to deactivate an already-inactive user returns a 400 error.
Authentication: ✅ Required — valid token cookie
Path Parameters
The
userId of the user to deactivate.Response
200 OK
| Status | Condition |
|---|---|
400 | User is already inactive |
401 | Missing or invalid token cookie |
404 | No user found for the given UUID |
500 | Internal server error |
cURL Example
PUT /api/users/activate/:id
Sets theisActive flag back to true on a previously deactivated user. Attempting to activate an already-active user returns a 400 error.
Authentication: ✅ Required — valid token cookie
Path Parameters
The
userId of the user to reactivate.Response
200 OK
| Status | Condition |
|---|---|
400 | User is already active |
401 | Missing or invalid token cookie |
404 | No user found for the given UUID |
500 | Internal server error |
cURL Example