Users API: Auth, TOTP, Sessions & Admin

The Users API covers the full lifecycle of a Termix user: registration, login (password and OIDC), two-factor authentication via TOTP, session and API key management, and admin operations such as promoting users and deleting accounts. Most endpoints require a valid JWT cookie or Authorization: Bearer header; endpoints marked admin only additionally require isAdmin: true on the authenticated user.

All authenticated endpoints read the session from a jwt HttpOnly cookie set at login. You can also pass the token as Authorization: Bearer <token>.

POST /users/create

Create a new user account. The first user to register is automatically granted admin privileges. Registration can be disabled by an admin.

username

string

required

Unique username for the new account.

password

string

required

Plain-text password. Hashed with bcrypt before storage.

message

string

Confirmation string, e.g. "User created".

is_admin

boolean

true when the newly created user was automatically promoted to admin (first user).

toast

object

UI hint object with type and message fields.

Status	Meaning
`200`	User created successfully.
`400`	`username` or `password` is missing or empty.
`403`	Registration is currently disabled.
`409`	Username already exists.
`500`	Internal error during account creation.

curl -X POST https://your-termix-instance/users/create \
  -H "Content-Type: application/json" \
  -d '{"username": "alice", "password": "s3cr3t!"}'

Authenticate with a username and password. Sets a jwt HttpOnly cookie on success. If the account has TOTP enabled and the device is not trusted, a temporary token is returned instead and the client must complete TOTP verification.

username

string

required

The account username.

password

string

required

The account password.

rememberMe

boolean

When true, extends the session cookie to 30 days instead of the configured timeout.

success

boolean

true on successful authentication.

is_admin

boolean

Whether the authenticated user has admin privileges.

username

string

The authenticated username.

requires_totp

boolean

Present and true when TOTP verification is required before full login.

temp_token

string

Short-lived JWT (10 minutes) used to complete TOTP verification. Only present when requires_totp is true.

Status	Meaning
`200`	Login successful (or TOTP step required).
`400`	Missing or empty `username` / `password`.
`401`	Invalid credentials.
`403`	Password authentication is disabled, or user is OIDC-only.
`429`	Too many failed attempts — rate limited.
`500`	Internal login error.

curl -X POST https://your-termix-instance/users/login \
  -H "Content-Type: application/json" \
  -c cookies.txt \
  -d '{"username": "alice", "password": "s3cr3t!", "rememberMe": false}'

POST /users/logout

Invalidate the current session and clear the jwt cookie.

Status	Meaning
`200`	Logged out successfully.
`500`	Logout failed.

curl -X POST https://your-termix-instance/users/logout \
  -b cookies.txt

Current user

GET /users/me

Return profile information about the currently authenticated user.

userId

string

Unique user ID.

username

string

Display name.

is_admin

boolean

Admin status.

is_oidc

boolean

Whether the account uses OIDC authentication.

is_dual_auth

boolean

Whether the account has both a password and OIDC configured.

totp_enabled

boolean

Whether two-factor authentication is active.

data_unlocked

boolean

Whether encrypted user data is currently decrypted in memory.

Status	Meaning
`200`	User info returned.
`401`	Invalid or missing session.
`500`	Internal error.

curl https://your-termix-instance/users/me \
  -b cookies.txt

GET /users/setup-required

Check whether the instance needs initial setup (no users exist yet). No authentication required.

setup_required

boolean

true when the user table is empty.

curl https://your-termix-instance/users/setup-required

GET /users/count

Return the total number of registered users. Requires admin.

count

number

Total user count.

Status	Meaning
`200`	Count returned.
`403`	Admin access required.

curl https://your-termix-instance/users/count \
  -b cookies.txt

GET /users/db-health

Verify the database is reachable. Requires admin.

status

string

"ok" when the database is accessible.

curl https://your-termix-instance/users/db-health \
  -b cookies.txt

GET /users/data-status

Check whether encrypted user data is currently unlocked in memory.

unlocked

boolean

true when the data key is held in memory.

message

string

Human-readable status description.

curl https://your-termix-instance/users/data-status \
  -b cookies.txt

POST /users/unlock-data

Re-authenticate with a password to decrypt the user’s encrypted data in memory without creating a new session.

password

string

required

The user’s current password.

success

boolean

true when data was unlocked.

Status	Meaning
`200`	Data unlocked.
`400`	Password is missing.
`401`	Incorrect password.
`500`	Internal error.

curl -X POST https://your-termix-instance/users/unlock-data \
  -H "Content-Type: application/json" \
  -b cookies.txt \
  -d '{"password": "s3cr3t!"}'

Password management

POST /users/change-password

Change the current user’s password. Re-encrypts all user data with the new password and invalidates all existing sessions.

oldPassword

string

required

The current password used for verification.

newPassword

string

required

The desired new password.

Status	Meaning
`200`	Password changed; all sessions invalidated.
`400`	`oldPassword` or `newPassword` is missing.
`401`	Incorrect current password.
`500`	Re-encryption of data failed.

curl -X POST https://your-termix-instance/users/change-password \
  -H "Content-Type: application/json" \
  -b cookies.txt \
  -d '{"oldPassword": "s3cr3t!", "newPassword": "n3wP@ss!"}'

POST /users/initiate-reset

Start the password reset flow for a username. Generates a 6-digit code written to server logs (check Docker logs). The code expires after 15 minutes. No authentication required.

username

string

required

Username of the account to reset.

The reset code is printed to server logs, not sent by email. Check docker logs or your logging aggregator.

Status	Meaning
`200`	Reset code generated (or non-committal response for security).
`400`	Username is missing.
`403`	Password reset is disabled.

curl -X POST https://your-termix-instance/users/initiate-reset \
  -H "Content-Type: application/json" \
  -d '{"username": "alice"}'

POST /users/verify-reset-code

Verify the reset code received from server logs. Returns a short-lived tempToken (10 minutes) to be used in the final step.

username

string

required

Username of the account being reset.

resetCode

string

required

6-digit code from server logs.

tempToken

string

Short-lived token used to complete the reset.

Status	Meaning
`200`	Code verified.
`400`	Invalid, expired, or missing code.
`429`	Rate limited.

curl -X POST https://your-termix-instance/users/verify-reset-code \
  -H "Content-Type: application/json" \
  -d '{"username": "alice", "resetCode": "482910"}'

POST /users/complete-reset

Complete the password reset using the tempToken from the previous step.

If the user is not currently logged in, all encrypted data (hosts, credentials, etc.) will be deleted because the old data key cannot be derived without the original password.

username

string

required

Username of the account being reset.

tempToken

string

required

Token returned by POST /users/verify-reset-code.

newPassword

string

required

The new password to set.

Status	Meaning
`200`	Password reset successfully.
`400`	Missing fields or expired token.
`404`	User not found.
`500`	Re-encryption failed.

curl -X POST https://your-termix-instance/users/complete-reset \
  -H "Content-Type: application/json" \
  -d '{"username": "alice", "tempToken": "<token>", "newPassword": "n3wP@ss!"}'

GET /users/registration-allowed

Check whether open registration is currently enabled. No authentication required.

allowed

boolean

true when new users can register.

curl https://your-termix-instance/users/registration-allowed

PATCH /users/registration-allowed

Enable or disable user registration. Requires admin.

allowed

boolean

required

true to allow registration; false to block it.

Status	Meaning
`200`	Setting updated.
`400`	`allowed` is not a boolean.
`403`	Admin only.

curl -X PATCH https://your-termix-instance/users/registration-allowed \
  -H "Content-Type: application/json" \
  -b cookies.txt \
  -d '{"allowed": false}'

Check whether password-based login is enabled. No authentication required.

allowed

boolean

curl https://your-termix-instance/users/password-login-allowed

Enable or disable password-based login. Requires admin.

allowed

boolean

required

Status	Meaning
`200`	Setting updated.
`400`	`allowed` is not a boolean.
`403`	Admin only.

curl -X PATCH https://your-termix-instance/users/password-login-allowed \
  -H "Content-Type: application/json" \
  -b cookies.txt \
  -d '{"allowed": true}'

GET /users/password-reset-allowed

Check whether the self-service password reset flow is enabled. No authentication required.

allowed

boolean

curl https://your-termix-instance/users/password-reset-allowed

PATCH /users/password-reset-allowed

Enable or disable the self-service password reset flow. Requires admin.

allowed

boolean

required

Status	Meaning
`200`	Setting updated.
`400`	`allowed` is not a boolean.
`403`	Admin only.

curl -X PATCH https://your-termix-instance/users/password-reset-allowed \
  -H "Content-Type: application/json" \
  -b cookies.txt \
  -d '{"allowed": true}'

OIDC

GET /users/oidc-config

Return the public OIDC configuration (client ID, issuer URL, authorization URL, and scopes). No authentication required. Returns null when OIDC is not configured.

client_id

string

OAuth2 client identifier.

issuer_url

string

OIDC provider issuer URL.

authorization_url

string

Authorization endpoint URL.

scopes

string

Space-separated OAuth2 scopes.

curl https://your-termix-instance/users/oidc-config

GET /users/oidc-config/admin

Return the full OIDC configuration including the client secret. Requires admin.

client_id

string

client_secret

string

Decrypted client secret.

issuer_url

string

authorization_url

string

token_url

string

userinfo_url

string

identifier_path

string

name_path

string

scopes

string

allowed_users

string

curl https://your-termix-instance/users/oidc-config/admin \
  -b cookies.txt

POST /users/oidc-config

Create or update the OIDC provider configuration. Pass all fields empty/null/undefined to disable OIDC. Requires admin.

client_id

string

required

OAuth2 client ID from your identity provider.

client_secret

string

required

OAuth2 client secret. Stored encrypted.

issuer_url

string

required

OIDC issuer URL (e.g. https://accounts.example.com).

authorization_url

string

required

Authorization endpoint.

token_url

string

required

Token exchange endpoint.

userinfo_url

string

Optional userinfo endpoint override.

identifier_path

string

required

Dot-notation path to the unique identifier claim (e.g. sub).

name_path

string

required

Dot-notation path to the display name claim (e.g. name).

scopes

string

Space-separated scopes. Defaults to openid email profile.

allowed_users

string

Comma-separated list of allowed identifiers or email domains (e.g. @example.com). Leave empty to allow all.

Status	Meaning
`200`	Configuration saved or disabled.
`400`	Incomplete configuration fields.
`403`	Admin only.

curl -X POST https://your-termix-instance/users/oidc-config \
  -H "Content-Type: application/json" \
  -b cookies.txt \
  -d '{
    "client_id": "my-client",
    "client_secret": "s3cr3t",
    "issuer_url": "https://sso.example.com",
    "authorization_url": "https://sso.example.com/authorize",
    "token_url": "https://sso.example.com/token",
    "identifier_path": "sub",
    "name_path": "name",
    "scopes": "openid email profile"
  }'

DELETE /users/oidc-config

Disable OIDC authentication by removing the stored configuration. Requires admin.

Status	Meaning
`200`	OIDC configuration removed.
`403`	Admin only.

curl -X DELETE https://your-termix-instance/users/oidc-config \
  -b cookies.txt

GET /users/oidc/authorize

Generate an OIDC authorization URL to redirect the user to the identity provider. No authentication required.

rememberMe

boolean

When "true", the resulting session cookie will last 30 days.

auth_url

string

Full authorization URL to redirect the user to.

state

string

CSRF state parameter.

nonce

string

OIDC nonce value.

Status	Meaning
`200`	Authorization URL returned.
`404`	OIDC not configured.
`500`	URL generation failed.

curl "https://your-termix-instance/users/oidc/authorize?rememberMe=true"

GET /users/oidc/callback

OIDC callback endpoint. Exchanges the authorization code for a token, creates or logs in the user, and redirects the browser back to the frontend with a jwt cookie set. Not intended to be called directly — this is the redirect URI registered with your identity provider.

code

string

required

Authorization code from the identity provider.

state

string

required

State parameter returned by GET /users/oidc/authorize.

Status	Meaning
`302`	Redirects to frontend with `jwt` cookie set, or with error param on failure.
`400`	Missing `code` or `state`, or invalid state / token exchange failure.

Two-factor authentication (TOTP)

POST /users/totp/setup

Initiate TOTP setup. Generates a base32 secret and a QR code data URL. The user must scan the QR code in their authenticator app and then call POST /users/totp/enable to activate it.

secret

string

Base32-encoded TOTP secret.

qr_code

string

Data URL of the QR code image to display to the user.

Status	Meaning
`200`	Secret and QR code returned.
`400`	TOTP is already enabled.
`404`	User not found.

curl -X POST https://your-termix-instance/users/totp/setup \
  -b cookies.txt

POST /users/totp/enable

Enable TOTP by verifying the first code from the authenticator app. Returns 8 one-time backup codes. All existing sessions and trusted devices are invalidated.

totp_code

string

required

6-digit code from the authenticator app.

message

string

Confirmation message.

backup_codes

string[]

8 single-use backup codes. Store these securely.

Status	Meaning
`200`	TOTP enabled; backup codes returned.
`400`	Code missing, or TOTP already enabled, or setup not initiated.
`401`	Invalid TOTP code.

curl -X POST https://your-termix-instance/users/totp/enable \
  -H "Content-Type: application/json" \
  -b cookies.txt \
  -d '{"totp_code": "123456"}'

POST /users/totp/disable

Disable TOTP. Requires either the current password or a valid TOTP code for verification.

password

string

Current account password (for non-OIDC users).

totp_code

string

Current 6-digit TOTP code (alternative to password).

Status	Meaning
`200`	TOTP disabled.
`400`	Neither password nor TOTP code provided, or TOTP not enabled.
`401`	Incorrect password or invalid code.

curl -X POST https://your-termix-instance/users/totp/disable \
  -H "Content-Type: application/json" \
  -b cookies.txt \
  -d '{"totp_code": "123456"}'

POST /users/totp/backup-codes

Regenerate the TOTP backup codes. The previous codes are invalidated. Requires either password or TOTP code.

password

string

Current account password.

totp_code

string

Current TOTP code.

backup_codes

string[]

8 new one-time backup codes.

Status	Meaning
`200`	New backup codes returned.
`400`	Authentication not provided, or TOTP not enabled.
`401`	Invalid credentials.

curl -X POST https://your-termix-instance/users/totp/backup-codes \
  -H "Content-Type: application/json" \
  -b cookies.txt \
  -d '{"password": "s3cr3t!"}'

Complete a login that requires TOTP verification. Submit the temporary token issued by POST /users/login along with the TOTP code. On success, sets the full session cookie.

temp_token

string

required

Short-lived JWT returned by POST /users/login when requires_totp is true.

totp_code

string

required

6-digit code from the authenticator app, or a backup code.

rememberMe

boolean

When true, the device is marked as trusted and TOTP will be skipped for future logins from it.

success

boolean

is_admin

boolean

username

string

Status	Meaning
`200`	Verified; full session cookie set.
`400`	Missing `temp_token` or `totp_code`.
`401`	Invalid temporary token or wrong TOTP code.
`429`	Rate limited.

curl -X POST https://your-termix-instance/users/totp/verify-login \
  -H "Content-Type: application/json" \
  -c cookies.txt \
  -d '{"temp_token": "<temp>", "totp_code": "654321", "rememberMe": true}'

Sessions

GET /users/sessions

List sessions. Regular users see their own sessions; admins see all sessions with associated usernames.

sessions

object[]

Show session fields

string

Session identifier.

userId

string

Owner user ID.

username

string

Owner username (admin view only).

deviceType

string

Device type string.

deviceInfo

string

User-agent derived device description.

createdAt

string

ISO 8601 creation timestamp.

expiresAt

string

ISO 8601 expiry timestamp.

lastActiveAt

string

ISO 8601 last activity timestamp.

isRevoked

boolean

Whether the session has been revoked.

isCurrentSession

boolean

Whether this is the caller’s current session.

curl https://your-termix-instance/users/sessions \
  -b cookies.txt

DELETE /users/sessions/:sessionId

Revoke a specific session by ID. Users can revoke their own sessions; admins can revoke any session.

sessionId

string

required

ID of the session to revoke.

Status	Meaning
`200`	Session revoked.
`400`	`sessionId` not provided.
`403`	Not authorized to revoke this session.
`404`	Session not found.

curl -X DELETE https://your-termix-instance/users/sessions/sess_abc123 \
  -b cookies.txt

POST /users/sessions/revoke-all

Revoke all sessions for a user. Admins can target any user by passing targetUserId.

targetUserId

string

User whose sessions should be revoked. Admins only; defaults to the calling user.

exceptCurrent

boolean

When true, the caller’s current session is preserved.

count

number

Number of sessions that were revoked.

Status	Meaning
`200`	Sessions revoked.
`403`	Not authorized to revoke sessions for another user.
`404`	User not found.

curl -X POST https://your-termix-instance/users/sessions/revoke-all \
  -H "Content-Type: application/json" \
  -b cookies.txt \
  -d '{"exceptCurrent": true}'

Admin user management

GET /users/list

Return a list of all users. Available to any authenticated user; the response is used by admin UIs.

users

object[]

Show user fields

string

User ID.

username

string

Username.

isAdmin

boolean

Admin flag.

isOidc

boolean

OIDC flag.

curl https://your-termix-instance/users/list \
  -b cookies.txt

POST /users/make-admin

Grant admin privileges to a user. Requires admin.

userId

string

Target user ID (preferred).

username

string

Target username (fallback if userId is not provided).

Status	Meaning
`200`	User promoted to admin.
`400`	`userId` / `username` missing, or user already an admin.
`403`	Admin only.
`404`	User not found.

curl -X POST https://your-termix-instance/users/make-admin \
  -H "Content-Type: application/json" \
  -b cookies.txt \
  -d '{"username": "bob"}'

POST /users/remove-admin

Revoke admin privileges from a user. Requires admin. Cannot revoke your own admin status.

userId

string

Target user ID.

username

string

Target username (fallback).

Status	Meaning
`200`	Admin status removed.
`400`	Cannot remove own admin status, or user is not an admin.
`403`	Admin only.
`404`	User not found.

curl -X POST https://your-termix-instance/users/remove-admin \
  -H "Content-Type: application/json" \
  -b cookies.txt \
  -d '{"username": "bob"}'

DELETE /users/delete-account

Delete the authenticated user’s own account. Requires password confirmation. OIDC-only accounts cannot use this endpoint.

password

string

required

Current password for verification.

Status	Meaning
`200`	Account deleted.
`400`	Password missing.
`401`	Incorrect password.
`403`	OIDC-only account, or cannot delete the last admin.
`404`	User not found.

curl -X DELETE https://your-termix-instance/users/delete-account \
  -H "Content-Type: application/json" \
  -b cookies.txt \
  -d '{"password": "s3cr3t!"}'

DELETE /users/delete-user

Admin-only endpoint to delete any user and all their associated data (hosts, credentials, sessions, etc.).

username

string

required

Username of the account to delete.

Status	Meaning
`200`	User deleted.
`400`	Username missing, or cannot delete yourself.
`403`	Admin only, or cannot delete the last admin.
`404`	User not found.

curl -X DELETE https://your-termix-instance/users/delete-user \
  -H "Content-Type: application/json" \
  -b cookies.txt \
  -d '{"username": "bob"}'

POST /users/link-oidc-to-password

Merge an OIDC-only account into an existing password-based account, enabling dual authentication. The OIDC account is deleted after the merge. Requires admin.

oidcUserId

string

required

ID of the OIDC-only user to merge.

targetUsername

string

required

Username of the password-based account to receive OIDC authentication.

Status	Meaning
`200`	Accounts linked; OIDC user deleted.
`400`	Invalid source/target combination.
`403`	Admin only.
`404`	User not found.

curl -X POST https://your-termix-instance/users/link-oidc-to-password \
  -H "Content-Type: application/json" \
  -b cookies.txt \
  -d '{"oidcUserId": "uid_oidc_123", "targetUsername": "alice"}'

POST /users/unlink-oidc-from-password

Remove OIDC authentication from a dual-auth account, leaving only password login. Requires admin. The user must have a password set; this call will fail if removing OIDC would leave the user with no login method.

userId

string

required

ID of the user to modify.

Status	Meaning
`200`	OIDC removed.
`400`	User is not OIDC, or has no password set.
`403`	Admin only.
`404`	User not found.

curl -X POST https://your-termix-instance/users/unlink-oidc-from-password \
  -H "Content-Type: application/json" \
  -b cookies.txt \
  -d '{"userId": "uid_123"}'

System settings

GET /users/guacamole-settings

Return Guacamole (RDP/VNC proxy) settings.

enabled

boolean

Whether the Guacamole daemon is enabled.

url

string

host:port string for the guacd daemon (default guacd:4822).

curl https://your-termix-instance/users/guacamole-settings \
  -b cookies.txt

PATCH /users/guacamole-settings

Update Guacamole settings. Requires admin. Changing the URL triggers a guacd server restart.

enabled

boolean

Enable or disable the Guacamole daemon.

url

string

New host:port for guacd (e.g. guacd:4822).

Status	Meaning
`200`	Settings updated.
`403`	Admin only.

curl -X PATCH https://your-termix-instance/users/guacamole-settings \
  -H "Content-Type: application/json" \
  -b cookies.txt \
  -d '{"enabled": true, "url": "guacd:4822"}'

GET /users/log-level

Return the current server log verbosity level.

level

string

One of debug, info, warn, error.

curl https://your-termix-instance/users/log-level \
  -b cookies.txt

PATCH /users/log-level

Set the server log verbosity. Requires admin.

level

string

required

One of debug, info, warn, error.

Status	Meaning
`200`	Level updated.
`400`	Invalid level value.
`403`	Admin only.

curl -X PATCH https://your-termix-instance/users/log-level \
  -H "Content-Type: application/json" \
  -b cookies.txt \
  -d '{"level": "debug"}'

GET /users/session-timeout

Return the configured session timeout in hours.

timeoutHours

number

Session expiry in hours (default 24).

curl https://your-termix-instance/users/session-timeout \
  -b cookies.txt

PATCH /users/session-timeout

Set the session timeout. Requires admin. Valid range: 1–720 hours.

timeoutHours

number

required

Session expiry in hours (1–720).

Status	Meaning
`200`	Timeout updated.
`400`	Value out of range.
`403`	Admin only.

curl -X PATCH https://your-termix-instance/users/session-timeout \
  -H "Content-Type: application/json" \
  -b cookies.txt \
  -d '{"timeoutHours": 48}'

API keys

API keys let you authenticate programmatically without a browser session. They are admin-managed: only admins can create or delete them. Each key is scoped to a specific user and acts on that user’s behalf. The full token value (tmx_...) is shown only once at creation time.

Store the token securely immediately after creation. It cannot be retrieved again.

POST /users/api-keys

Create a new API key for a target user. Requires admin.

name

string

required

Human-readable label for the key.

userId

string

required

ID of the user this key acts on behalf of.

expiresAt

string

ISO 8601 datetime for key expiry. Omit for a non-expiring key.

string

Key ID.

name

string

Key name.

userId

string

User this key is scoped to.

username

string

Username of the scoped user.

tokenPrefix

string

First 12 characters of the token (for identification).

token

string

Full API token — shown only once.

createdAt

string

ISO 8601 creation timestamp.

expiresAt

string

ISO 8601 expiry timestamp, or null.

Status	Meaning
`201`	Key created; token returned once.
`400`	Missing `name` / `userId`, or invalid `expiresAt`.
`403`	Admin only.
`404`	Target user not found.

curl -X POST https://your-termix-instance/users/api-keys \
  -H "Content-Type: application/json" \
  -b cookies.txt \
  -d '{"name": "CI pipeline", "userId": "uid_abc", "expiresAt": "2026-12-31T00:00:00Z"}'

GET /users/api-keys

List all API keys. Requires admin. Token hashes are never returned.

apiKeys

object[]

Show key fields

string

Key ID.

name

string

Key label.

userId

string

Scoped user ID.

username

string

Scoped username.

tokenPrefix

string

First 12 chars of the token.

createdAt

string

ISO 8601 creation time.

expiresAt

string

ISO 8601 expiry time or null.

lastUsedAt

string

ISO 8601 last use time or null.

isActive

boolean

Whether the key is active.

curl https://your-termix-instance/users/api-keys \
  -b cookies.txt

DELETE /users/api-keys/:keyId

Permanently delete an API key. Requires admin.

keyId

string

required

The ID of the API key to delete.

Status	Meaning
`200`	Key deleted.
`403`	Admin only.
`404`	Key not found.

curl -X DELETE https://your-termix-instance/users/api-keys/key_abc123 \
  -b cookies.txt

Overview

Endpoints

Documentation Index

​Registration & login

​POST /users/create

​POST /users/login

​POST /users/logout

​Current user

​GET /users/me

​GET /users/setup-required

​GET /users/count

​GET /users/db-health

​GET /users/data-status

​POST /users/unlock-data

​Password management

​POST /users/change-password

​POST /users/initiate-reset

​POST /users/verify-reset-code

​POST /users/complete-reset

​GET /users/registration-allowed

​PATCH /users/registration-allowed

​GET /users/password-login-allowed

​PATCH /users/password-login-allowed

​GET /users/password-reset-allowed

​PATCH /users/password-reset-allowed

​OIDC

​GET /users/oidc-config

​GET /users/oidc-config/admin

​POST /users/oidc-config

​DELETE /users/oidc-config

​GET /users/oidc/authorize

​GET /users/oidc/callback

​Two-factor authentication (TOTP)

​POST /users/totp/setup

​POST /users/totp/enable

​POST /users/totp/disable

​POST /users/totp/backup-codes

​POST /users/totp/verify-login

​Sessions

​GET /users/sessions

​DELETE /users/sessions/:sessionId

​POST /users/sessions/revoke-all

​Admin user management

​GET /users/list

​POST /users/make-admin

​POST /users/remove-admin

​DELETE /users/delete-account

​DELETE /users/delete-user

​POST /users/link-oidc-to-password

​POST /users/unlink-oidc-from-password

​System settings

​GET /users/guacamole-settings

​PATCH /users/guacamole-settings

​GET /users/log-level

​PATCH /users/log-level

​GET /users/session-timeout

​PATCH /users/session-timeout

​API keys

​POST /users/api-keys

​GET /users/api-keys

​DELETE /users/api-keys/:keyId

Build docs developers (and LLMs) love

Registration & login

POST /users/create

POST /users/login

POST /users/logout

Current user

GET /users/me

GET /users/setup-required

GET /users/count

GET /users/db-health

GET /users/data-status

POST /users/unlock-data

Password management

POST /users/change-password

POST /users/initiate-reset

POST /users/verify-reset-code

POST /users/complete-reset

GET /users/registration-allowed

PATCH /users/registration-allowed

GET /users/password-login-allowed

PATCH /users/password-login-allowed

GET /users/password-reset-allowed

PATCH /users/password-reset-allowed

OIDC

GET /users/oidc-config

GET /users/oidc-config/admin

POST /users/oidc-config

DELETE /users/oidc-config

GET /users/oidc/authorize

GET /users/oidc/callback

Two-factor authentication (TOTP)

POST /users/totp/setup

POST /users/totp/enable

POST /users/totp/disable

POST /users/totp/backup-codes

POST /users/totp/verify-login

Sessions

GET /users/sessions

DELETE /users/sessions/:sessionId

POST /users/sessions/revoke-all

Admin user management

GET /users/list

POST /users/make-admin

POST /users/remove-admin

DELETE /users/delete-account

DELETE /users/delete-user

POST /users/link-oidc-to-password

POST /users/unlink-oidc-from-password

System settings

GET /users/guacamole-settings

PATCH /users/guacamole-settings

GET /users/log-level

PATCH /users/log-level

GET /users/session-timeout

PATCH /users/session-timeout

API keys

POST /users/api-keys

GET /users/api-keys

DELETE /users/api-keys/:keyId