

The Users API manages the staff accounts that can authenticate with the Spartans Gym backend. It supports two roles — admin and recepcionista — and provides full CRUD operations so gym owners can onboard new front-desk staff, promote a recepcionista to admin, or revoke access by deleting an account. All passwords are hashed with bcrypt (10 rounds) before storage and are never returned in any response.
Every endpoint on this page requires an admin Bearer token. A recepcionista who calls any of these routes will receive HTTP 403 Forbidden. Store admin credentials carefully and do not expose them to client-side code.

User Object

id
integer
required
Auto-incremented primary key.
email
string
required
Unique staff email address. Used as the login identifier.
role
"admin" | "recepcionista"
required
Access level. Defaults to "recepcionista" when not specified at creation.
createdAt
ISO 8601 datetime
required
UTC timestamp of account creation.
updatedAt
ISO 8601 datetime
UTC timestamp of the last update. Returned by PATCH responses; omitted from GET list items because the Prisma select projection used there does not include it.
The password field is never included in any API response. The database stores a bcrypt hash, but it is always excluded via Prisma’s select clause.

GET /api/users

Returns all staff accounts ordered by createdAt descending.

Auth: Authorization: Bearer <token> (admin only)

Success Response — 200

{
  "success": true,
  "data": [
    {
      "id": 3,
      "email": "recepcion@spartansgym.com",
      "role": "recepcionista",
      "createdAt": "2024-05-10T09:00:00.000Z"
    },
    {
      "id": 1,
      "email": "admin@spartansgym.com",
      "role": "admin",
      "createdAt": "2024-01-01T00:00:00.000Z"
    }
  ]
}

Error Responses

| Status | Meaning |
| --- | --- |
| 401 | Missing or invalid Bearer token |
| 403 | Authenticated user is not an admin |
| 500 | Internal server error |

POST /api/users

Create a new staff account. The password is hashed with bcrypt before being written to the database.

Auth: Authorization: Bearer <token> (admin only)

Request Body

email
string
required
Email address for the new account. Must be unique across all users — the server returns 400 if a user with this email already exists.
password
string
required
Plain-text password. Hashed server-side before storage; never echoed back.
role
"admin" | "recepcionista"
Role to assign. Defaults to "recepcionista" if omitted.

Success Response — 201

{
  "success": true,
  "data": {
    "id": 4,
    "email": "nueva.recepcion@spartansgym.com",
    "role": "recepcionista",
    "createdAt": "2024-06-15T18:00:00.000Z"
  }
}

Error Responses

| Status | Body error | Meaning |
| --- | --- | --- |
| 400 | "Email y contraseña son requeridos" | email or password missing from request body |
| 400 | "Ya existe un usuario con ese email" | Duplicate email |
| 401 | | Missing or invalid Bearer token |
| 403 | | Authenticated user is not an admin |
| 500 | | Internal server error |

Example

curl -X POST https://api.spartansgym.com/api/users \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \
  -H "Content-Type: application/json" \
  -d '{
    "email": "nueva.recepcion@spartansgym.com",
    "password": "SecurePass123!",
    "role": "recepcionista"
  }'

PATCH /api/users/:id/role

Update the role of an existing staff account. Only "admin" and "recepcionista" are accepted values; any other string returns 400.

Auth: Authorization: Bearer <token> (admin only)

Path Parameters

id
integer
required
The integer id of the user whose role you want to change.

Request Body

role
"admin" | "recepcionista"
required
The new role to assign.

Success Response — 200

{
  "success": true,
  "data": {
    "id": 3,
    "email": "recepcion@spartansgym.com",
    "role": "admin",
    "createdAt": "2024-05-10T09:00:00.000Z"
  }
}

Error Responses

| Status | Body error | Meaning |
| --- | --- | --- |
| 400 | "Rol inválido" | role is missing or not one of the accepted enum values |
| 401 | | Missing or invalid Bearer token |
| 403 | | Authenticated user is not an admin |
| 500 | | User not found or database error |

Example

curl -X PATCH https://api.spartansgym.com/api/users/3/role \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \
  -H "Content-Type: application/json" \
  -d '{ "role": "admin" }'
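The checks this endpoint documents (401 without a token, 403 for a non-admin caller, 400 "Rol inválido" for anything outside the two-value enum, and a response projection that never carries the password hash), as an added example that is not the Spartans Gym code. It assumes the Bearer token has already been decoded into a `caller` object of shape `{ id, role }`, uses a constructed in-memory user table in place of the Prisma model, and reports a missing user as 404 with the DELETE endpoint's message rather than the 500 the live API documents; the 401, 403 and id-validation messages are constructed.

```javascript
// Added example (not the Spartans Gym code): the checks the PATCH /api/users/:id/role
// endpoint documents, in the order a request handler should apply them.
const ROLES = new Set(["admin", "recepcionista"]);

// Constructed in-memory table standing in for the Prisma User model. The password
// column holds placeholder strings where the real table stores bcrypt hashes.
const users = [
  { id: 1, email: "admin@spartansgym.com", role: "admin",
    password: "<bcrypt-hash-placeholder>", createdAt: "2024-01-01T00:00:00.000Z" },
  { id: 3, email: "recepcion@spartansgym.com", role: "recepcionista",
    password: "<bcrypt-hash-placeholder>", createdAt: "2024-05-10T09:00:00.000Z" },
];

// Mirrors the Prisma select projection: pick the public columns explicitly and never
// spread the row, so the password hash (or a future column) cannot leak by accident.
function toPublic(user, withUpdatedAt = false) {
  const out = { id: user.id, email: user.email, role: user.role, createdAt: user.createdAt };
  if (withUpdatedAt) out.updatedAt = user.updatedAt;
  return out;
}

// `caller` is the principal decoded from the Bearer token (assumed shape { id, role });
// null means the token was missing or invalid. `id` is the raw :id path segment.
function updateRole(caller, id, body, now = new Date()) {
  if (!caller) {
    return { status: 401, body: { success: false, error: "No autorizado" } }; // constructed message
  }
  if (caller.role !== "admin") {
    return { status: 403, body: { success: false, error: "Acceso denegado" } }; // constructed message
  }
  // Whitelist the enum before touching the database; anything else is "Rol inválido".
  if (!body || typeof body.role !== "string" || !ROLES.has(body.role)) {
    return { status: 400, body: { success: false, error: "Rol inválido" } };
  }
  // Path ids arrive as strings; reject anything that is not a positive integer.
  const targetId = Number(id);
  if (!Number.isInteger(targetId) || targetId <= 0) {
    return { status: 400, body: { success: false, error: "Id inválido" } }; // constructed message
  }
  const user = users.find((u) => u.id === targetId);
  if (!user) {
    // The live API documents this case as 500; this example answers 404 with the DELETE endpoint's message.
    return { status: 404, body: { success: false, error: "Usuario no encontrado" } };
  }
  user.role = body.role;
  user.updatedAt = now.toISOString();
  return { status: 200, body: { success: true, data: toPublic(user, true) } };
}
```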

DELETE /api/users/:id

Permanently delete a staff account. This action is irreversible.

Auth: Authorization: Bearer <token> (admin only)

Path Parameters

id
integer
required
The integer id of the user to delete.

Success Response — 200

{
  "success": true,
  "message": "Usuario eliminado correctamente"
}

Error Responses

| Status | Body error | Meaning |
| --- | --- | --- |
| 401 | | Missing or invalid Bearer token |
| 403 | | Authenticated user is not an admin |
| 404 | "Usuario no encontrado" | No user exists for the given id |
| 500 | | Internal server error |

Deleting a user does not delete or anonymise the transactions they created. Existing transaction records retain their userId foreign key, which may become a dangling reference depending on your database cascade configuration.
