The admin user management endpoints allow administrators to view all registered users, change their roles, and permanently delete accounts. All three endpoints require a valid JWT from an account with the admin role — requests from cliente or vendedor accounts are rejected. The VinylVibes admin panel (admin.html) exposes these endpoints through a searchable user table with inline role selectors and deletion controls.

GET /admin/usuarios

Authentication: Required — admin JWT

Returns all registered users across all roles. This is the data source for the admin panel’s user table and the stats card showing total user count.

cURL Example

curl https://api-tienda-vinilos.onrender.com/admin/usuarios \
  -H 'Authorization: Bearer <admin_token>'

Response

Returns an array of user objects.

id_usuario (integer): Unique user ID.
nombre (string): Username chosen at registration.
correo (string | null): Email address, or null if not provided.
rol (string): The user’s current role. One of: cliente, vendedor, or admin.
created_at (string): ISO 8601 timestamp of account creation.

Response Example

[
  {
    "id_usuario": 1,
    "nombre": "admin_chocolate",
    "correo": null,
    "rol": "admin",
    "created_at": "2025-01-10T09:00:00Z"
  }
]

PUT /admin/usuarios/{id}/rol

Authentication: Required — admin JWT

Changes the role of a specific user. The new role takes effect immediately and is reflected in the user’s access permissions on their next authenticated request.

Path Parameter

Parameter  Type     Description
id         integer  Target user’s ID

Request Body

rol (string, required): The new role to assign. Must be one of: cliente, vendedor, admin.

cURL Example

curl -X PUT https://api-tienda-vinilos.onrender.com/admin/usuarios/5/rol \
  -H 'Content-Type: application/json' \
  -H 'Authorization: Bearer <admin_token>' \
  -d '{"rol": "vendedor"}'

Success Response (200)

{ "message": "Rol actualizado" }

An admin cannot remove their own admin role. The frontend decodes the JWT to compare the current user’s ID against the target user’s ID before calling this endpoint. If they match and the new role is not admin, the request is blocked client-side and the user table is refreshed to revert the selector. The backend enforces the same rule server-side.

How the Frontend Enforces the Self-Demotion Guard

The following code is taken directly from admin.js (cambiarRol function). The current user’s ID is parsed from the JWT payload before the request is made:

const miId = JSON.parse(atob(localStorage.getItem('vv_token').split('.')[1])).id;
if (id === miId && nuevoRol !== 'admin') {
    mostrarToast('No puedes quitarte el rol de admin.', 'error');
    await cargarUsuarios();
    return;
}
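
The backend's side of the same rule, as an added example that is not code from the VinylVibes project: the frontend only decodes the token, so the server has to make the decision from claims it has verified itself. The function names, the `rol` claim, and every status code and error string except the two messages quoted on this page are assumptions.

```javascript
// Added example: server-side counterpart of the cambiarRol guard.
// Status codes and error strings other than the two messages quoted on the
// page are assumptions; so is the `rol` claim name.
const ROLES = ['cliente', 'vendedor', 'admin']; // roles listed on this page

// Path parameters arrive as strings. Accept only canonical positive integers,
// so "05", "5.0" or "5abc" are rejected instead of being compared loosely.
function parseId(raw) {
  const s = String(raw);
  if (!/^[1-9]\d*$/.test(s)) return null;
  const n = Number(s);
  return Number.isSafeInteger(n) ? n : null;
}

// actor: claims from a JWT whose signature and expiry the server has already
// verified (assumed shape { id, rol }), never the output of a bare atob().
function decidirCambioRol(actor, rawTargetId, body) {
  if (!actor || !Number.isSafeInteger(actor.id)) {
    return { status: 401, error: 'Token inválido' };
  }
  if (actor.rol !== 'admin') {
    return { status: 403, error: 'Se requiere rol admin' };
  }
  const targetId = parseId(rawTargetId);
  if (targetId === null) {
    return { status: 400, error: 'id inválido' };
  }
  const nuevoRol = body ? body.rol : undefined;
  if (typeof nuevoRol !== 'string' || !ROLES.includes(nuevoRol)) {
    return { status: 400, error: 'rol inválido' };
  }
  // Compare normalized numbers: '7' === 7 is false, so a strict comparison
  // of the raw path segment against the token id would never match.
  if (targetId === actor.id && nuevoRol !== 'admin') {
    return { status: 403, error: 'No puedes quitarte el rol de admin.' };
  }
  return { status: 200, targetId, nuevoRol, message: 'Rol actualizado' };
}

// Constructed sample requests (not taken from the project).
const admin7 = { id: 7, rol: 'admin' };
console.log(decidirCambioRol(admin7, '7', { rol: 'vendedor' })); // self-demotion
console.log(decidirCambioRol(admin7, '5', { rol: 'vendedor' })); // allowed
console.log(decidirCambioRol({ id: 5, rol: 'cliente' }, '7', { rol: 'admin' }));
```
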

DELETE /admin/usuarios/{id}

Authentication: Required — admin JWT

Permanently deletes a user account from the system. This action cannot be undone.

Path Parameter

Parameter  Type     Description
id         integer  Target user’s ID

cURL Example

curl -X DELETE https://api-tienda-vinilos.onrender.com/admin/usuarios/5 \
  -H 'Authorization: Bearer <admin_token>'

Success Response (200)

{ "message": "Usuario eliminado" }

User deletion is permanent and cannot be undone. The admin panel frontend replaces the table row’s action controls with inline “Confirm” and “Cancel” buttons before calling this endpoint, requiring an explicit second click to proceed.
