User management in PermisosQR is handled through the /api/users endpoints. Super Admins have full control: they can create new accounts, update profile details and roles, reset any user’s password without needing the old one, toggle account activation status, and soft-delete accounts. Admin Operators have a single self-service capability: changing their own password via the authenticated PATCH /api/users/:id/password endpoint. All user routes require a valid JWT in the Authorization: Bearer <token> header.
First-Time Setup
Before any users exist in the database, use POST /api/auth/setup to bootstrap the first Super Admin account. This endpoint requires no authentication and is specifically designed to initialize a fresh installation.
Create a User
Route: POST /api/users — Super Admin only.
All four fields are required. The service layer checks for duplicate emails and returns HTTP 409 if the address is already registered. Passwords are hashed with bcrypt (cost factor 10) before storage — the plain-text password is never persisted.
Full display name of the new user (max 100 characters).
Unique login email address. Returns 409 Conflict if already registered.
Plain-text password. Stored as a bcrypt hash (cost factor 10).
Role to assign. Must be exactly super_admin or admin_operator.
Update a User
Route: PUT /api/users/:id — Super Admin only.
You can update any combination of name, email, role, and is_active in a single request. Only the fields you include are changed — omitted fields remain untouched. Returns HTTP 400 if no valid fields are provided.
is_active to false:
Change Own Password
Route: PATCH /api/users/:id/password — Any authenticated user.
Operators use this to change their own password. Both the current and new password are required. The service verifies currentPassword against the stored bcrypt hash before applying the change.
Returns 400 with "Contraseña actual incorrecta" if currentPassword does not match.
Reset a User’s Password
Route: PATCH /api/users/:id/reset-password — Super Admin only.
Allows a Super Admin to set a new password for any account without needing the current password. Useful when an operator is locked out. The new password must be at least 6 characters.
Delete a User
Route: DELETE /api/users/:id — Super Admin only.
Soft-deletes the user by setting is_active to false. The user record remains in the database and all permission history they created is preserved. The account can be reactivated at any time via PUT /api/users/:id with { "is_active": true }.
List and Fetch Users
GET /api/users — Super Admin only. Returns all user accounts ordered by id ascending. Passwords (password_hash) are never included in any response.
GET /api/users/:id — Any authenticated user. Returns a single user record by numeric ID. Useful for profile lookups and self-inspection.
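The access rules listed on this page, written as a guard layer that can be tested without a running server. This is an added example, not PermisosQR's own code. It assumes a JWT middleware has already verified the token into { id, role } and that the self-service password route is restricted to the caller's own :id; authorize, requireRole, requireSelf and parseId are hypothetical names.

```javascript
// Assumption: a JWT middleware has already verified the Bearer token and
// produced user = { id, role }. All function names here are hypothetical.

// Parse :id strictly. parseInt("7abc") would return 7, so accept digits only.
function parseId(raw) {
  return /^[1-9]\d*$/.test(String(raw)) ? Number(raw) : null;
}

// Guard: the caller must hold one of the listed roles.
function requireRole(...roles) {
  return (req) => {
    if (!req.user) return 401;
    return roles.includes(req.user.role) ? 200 : 403;
  };
}

// Guard: the caller may act only on the account named by :id.
function requireSelf(req) {
  if (!req.user) return 401;
  const target = parseId(req.params.id);
  if (target === null) return 400;
  return target === Number(req.user.id) ? 200 : 403;
}

const superAdmin = requireRole('super_admin');
const anyUser = requireRole('super_admin', 'admin_operator');

// Route table taken from this page: [method, path pattern, guard].
const ROUTES = [
  ['POST', /^\/api\/users$/, superAdmin],
  ['GET', /^\/api\/users$/, superAdmin],
  ['GET', /^\/api\/users\/([^/]+)$/, anyUser],
  ['PUT', /^\/api\/users\/([^/]+)$/, superAdmin],
  ['DELETE', /^\/api\/users\/([^/]+)$/, superAdmin],
  ['PATCH', /^\/api\/users\/([^/]+)\/reset-password$/, superAdmin],
  ['PATCH', /^\/api\/users\/([^/]+)\/password$/, requireSelf],
];

// Returns the status the guard layer would produce (200 = continue to handler).
function authorize(method, path, user) {
  for (const [m, re, guard] of ROUTES) {
    const match = m === method ? re.exec(path) : null;
    if (match) return guard({ user, params: { id: match[1] } });
  }
  return 404; // unlisted route: nothing is reachable by default
}
```

A table like this is also a convenient regression test: each row on the page becomes an assertion that an operator token cannot reach a Super Admin route or another user's password endpoint.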