All endpoints on this page require a valid Bearer token (Authorization: Bearer <token>).
The profile API lets users update their display information, manage their avatar image, and change their password. Avatar images are stored in AWS S3 using the same pre-signed URL pattern as post media.
Get a profile upload URL
POST /api/profile/upload-url
Returns a pre-signed S3 URL for uploading a profile avatar image. Upload the file directly to S3 using the returned URL, then call Update avatar with the resulting S3 URL.
Request body
contentType: MIME type of the image to upload. Accepted values: image/png, image/jpeg, image/jpg, image/webp.
Response
uploadUrl: Pre-signed S3 URL. Send a PUT request with the image body to this URL within the expiry window.
s3Url: Permanent public URL of the uploaded object. Pass this value to PUT /api/profile/update-avatar.
contentType: Echo of the requested content type.
Example
curl -X POST http://localhost:5000/api/profile/upload-url \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{"contentType": "image/jpeg"}'
{
  "success": true,
  "message": "Presigned URL generated",
  "data": {
    "uploadUrl": "https://hayon-media.s3.amazonaws.com/profiles/user123/...",
    "s3Url": "https://hayon-media.s3.amazonaws.com/profiles/user123/...",
    "contentType": "image/jpeg"
  }
}
Update avatar
PUT /api/profile/update-avatar
Sets the user’s avatar to a previously uploaded S3 image URL. The old avatar is automatically deleted from S3 if it was stored in the same bucket.
Request body
imageUrl: Full S3 URL of the uploaded avatar image. Must be a URL within the configured AWS_S3_BUCKET_NAME. Hayon validates this to prevent setting arbitrary external URLs as avatars.
Example
curl -X PUT http://localhost:5000/api/profile/update-avatar \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{"imageUrl": "https://hayon-media.s3.amazonaws.com/profiles/user123/avatar.jpeg"}'
{
  "success": true,
  "message": "Profile image updated successfully",
  "data": {
    "imageUrl": "https://hayon-media.s3.amazonaws.com/profiles/user123/avatar.jpeg"
  }
}
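One way to implement the bucket check described for imageUrl, as an added example that is not Hayon's own code: it parses the URL and compares the full hostname, which rejects look-alike hosts and userinfo tricks that a prefix or substring match would accept. The bucket constant, the regional host pattern and the profiles/<userId>/ prefix rule are assumptions taken from the example URLs on this page.

```javascript
// Added example, not Hayon's code. BUCKET stands in for AWS_S3_BUCKET_NAME;
// the profiles/<userId>/ key layout is assumed from the example URLs above.
const BUCKET = "hayon-media";

function validateAvatarUrl(imageUrl, userId, bucket = BUCKET) {
  const fail = (reason) => ({ ok: false, reason });
  let url;
  try {
    url = new URL(imageUrl); // WHATWG parser: lowercases host, resolves dot segments
  } catch {
    return fail("not a URL");
  }
  if (url.protocol !== "https:") return fail("scheme");
  // Userinfo or a non-default port never belongs in an S3 object URL.
  if (url.username || url.password || url.port) return fail("authority");

  // Match the whole parsed hostname, never a prefix or substring of the raw
  // string. Accepts the global and regional virtual-hosted-style endpoints.
  const escaped = bucket.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const hostRe = new RegExp(`^${escaped}\\.s3(\\.[a-z0-9-]+)?\\.amazonaws\\.com$`);
  if (!hostRe.test(url.hostname)) return fail("host");

  // Pin the object key to the caller's own prefix, using the normalized path.
  let key;
  try {
    key = decodeURIComponent(url.pathname.slice(1));
  } catch {
    return fail("key");
  }
  const segments = key.split("/");
  if (!key.startsWith(`profiles/${userId}/`) || segments.includes("..")) {
    return fail("key");
  }
  // Return the canonical form, without query string or fragment, for storage.
  return { ok: true, url: url.origin + url.pathname };
}
```

Store the returned url value, not the raw request string, so later comparisons and deletions operate on the normalized form.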
Delete avatar
DELETE /api/profile/delete-avatar
Removes the user’s current avatar from S3 and replaces it with a randomly generated Dicebear identicon.
No request body is required.
Example
curl -X DELETE http://localhost:5000/api/profile/delete-avatar \
-H "Authorization: Bearer <token>"
{
  "success": true,
  "message": "avatart deleted successfully"
}
Change timezone
PUT /api/profile/change-timezone
Updates the user’s default timezone. The timezone value is validated with the same timezoneSchema used throughout the platform (from the shared @hayon/schemas package).
Request body
timezone: A valid IANA timezone string. Examples: UTC, America/New_York, Asia/Kolkata, Europe/London.
Example
curl -X PUT http://localhost:5000/api/profile/change-timezone \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{"timezone": "America/New_York"}'
{
  "success": true,
  "message": "Timezone updated successfully"
}
Change name
PATCH /api/profile/change-name
Updates the user’s display name.
Request body
name: New display name for the user.
Example
curl -X PATCH http://localhost:5000/api/profile/change-name \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{"name": "Alice Smith"}'
{
  "success": true,
  "message": "Name updated successfully"
}
Change password
PATCH /api/profile/change-password
Changes the user’s password. Only available for accounts created with email/password (auth.provider === "email"). Google OAuth accounts cannot use this endpoint.
Request body
currentPassword: The user’s current password. Used to verify identity before the change is applied.
newPassword: The new password. Must satisfy the validation rules in changePasswordSchema.
Error cases
Status | Message | Cause
400 | "Invalid password data" | Validation failed on request body
400 | "Password change not supported for this account" | Account uses Google OAuth, not email/password
400 | "Incorrect current password" | currentPassword does not match stored hash
Example
curl -X PATCH http://localhost:5000/api/profile/change-password \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{
"currentPassword": "OldPassword123!",
"newPassword": "NewSecurePass456!"
}'
{
  "success": true,
  "message": "Password changed successfully"
}

{
  "success": false,
  "message": "Password change not supported for this account",
  "statusCode": 400
}