The Admin App API is the control plane for the entire Eme2App installation. Unlike the per-company Users API — which operates inside a single tenant — every endpoint here works across all companies simultaneously. Through these routes a superadmin can create and delete companies, provision users globally, manage which users belong to which companies, configure the platform’s outbound email infrastructure, and upload the AEAT digital certificate used for tax-authority integrations. Because these operations cross tenant boundaries they are not subject to theDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/eme2dev/Eme2App/llms.txt
Use this file to discover all available pages before exploring further.
empresa_id scope that governs all other API calls.
Authentication
superadmin token is issued by the standard login endpoint. Superadmin tokens do not carry an empresa_id claim — that claim is intentionally absent, because superadmin operations are cross-company by design.
Companies
Manage theempresa records that represent individual customer tenants. Creating a company automatically seeds the platform’s menu items (menu_items) for that tenant. Optionally, the product catalogue can be seeded by copying it from an existing company.
GET /api/adminapp/empresas
List all companies registered in the platform.200 OK
"exito" on success.Array of all company objects in the platform.
GET /api/adminapp/empresas/:id
Retrieve a single company by its UUID.Path parameters
UUID of the company.
200 OK
404 Not Found
POST /api/adminapp/empresas
Create a new company. After creation, the platform automatically seeds the default menu items for the new tenant and assigns the calling superadmin to it viausuario_empresas. Pass sembrar_catalogo: true together with an empresa_origen UUID to copy the product/service catalogue from an existing company.
Request body
Legal name of the company. Maximum 255 characters.
Trade name or brand name. Maximum 255 characters. Optional.
Contact email address for the company. Must be a valid email format when provided.
Spanish tax identification number (NIF/CIF). Maximum 20 characters. Must be unique across the platform when provided.
When
true, copies articles, IVA types and other catalogue records from the company specified in empresa_origen. Requires empresa_origen to be set.UUID of the source company to copy the catalogue from. Required when
sembrar_catalogo is true.201 Created
PUT /api/adminapp/empresas/:id
Update an existing company’s core fields. The same validation rules asPOST apply to each field.
Path parameters
UUID of the company to update.
Request body
Updated legal name. Maximum 255 characters.
Updated trade name. Maximum 255 characters.
Updated contact email. Must be valid format when provided.
Updated NIF/CIF. Maximum 20 characters.
200 OK
PATCH /api/adminapp/empresas/:id/toggle-estado
Toggle a company between active (estado: true) and inactive (estado: false). Inactive companies cannot be used by their assigned users for normal operations.
Path parameters
UUID of the company.
200 OK
The
mensaje reflects the new state: "Empresa activada correctamente" or "Empresa desactivada correctamente".DELETE /api/adminapp/empresas/:id
Permanently delete a company and all of its associated data. This is a destructive hard delete that cascades through invoices, budgets, clients, articles, and all other records belonging to the tenant.Path parameters
UUID of the company to delete.
200 OK
Users (cross-company)
These endpoints manage user accounts at the platform level, independent of any single company. A user created here exists globally; use the user-company assignment endpoints to grant them access to one or more companies.GET /api/adminapp/usuarios
List all users across the entire platform, regardless of company.200 OK
POST /api/adminapp/usuarios
Create a new user at the platform level and optionally assign them to a company in a single request. If a user with the given email already exists, the creation step is skipped and the user is assigned to the specified company ifempresa_id is provided and the assignment does not already exist.
Request body
Valid email address. If this email is already registered, no new user is created — instead the existing user is assigned to
empresa_id.Plain-text password, minimum 6 characters. Stored as a bcrypt hash.
Display name. Maximum 255 characters.
Role for this user. Accepted values:
"admin" or "user". Superadmin accounts cannot be created through this endpoint.UUID of the company to assign the new user to at creation time. Optional — when provided the user is automatically linked to the specified company via
usuario_empresas. If omitted, the user is created without any company assignment; use POST /api/adminapp/usuario-empresas afterwards to link them.201 Created
The
mensaje varies depending on what happened: "Usuario creado y asignado a la empresa correctamente", "Usuario existente asignado a la empresa correctamente", or "Usuario creado correctamente".PUT /api/adminapp/usuarios/:id
Update a user’s profile fields at the platform level. If a new email is provided it must not already be in use by another account.Path parameters
UUID of the user to update.
Request body
All fields are optional.New email address. Must be valid and unique.
Updated display name. Maximum 255 characters.
Updated role. Accepted values:
"admin" or "user".New password. Minimum 6 characters.
200 OK
PATCH /api/adminapp/usuarios/:id/toggle-estado
Toggle a user’s active state across the entire platform. A deactivated user cannot log in to any of their assigned companies.Path parameters
UUID of the user.
200 OK
User-Company Assignments
Theusuario_empresas table is the join between users and companies. A single user can be assigned to multiple companies; toggling between them at login issues a new JWT with the selected empresa_id. These endpoints let you manage those assignments independently of user creation.
GET /api/adminapp/usuario-empresas
List all user-company assignment records across the platform.200 OK
UUID of the assignment record. Use this value with
DELETE /api/adminapp/usuario-empresas/:id.UUID of the user.
UUID of the company.
POST /api/adminapp/usuario-empresas
Assign an existing user to an existing company. The combination ofusuario_id + empresa_id must be unique; duplicate assignments return 400 Bad Request.
Request body
UUID of the user to assign.
UUID of the company to assign the user to.
201 Created
400 Bad Request — duplicate assignment:
DELETE /api/adminapp/usuario-empresas/:id
Remove a user-company assignment by its assignment record UUID. The user and company themselves are not deleted; only the link between them is removed. After this, the user will not be able to log in to that company.Path parameters
UUID of the
usuario_empresas assignment record (not the user or company UUID).200 OK
System Configuration
Platform-wide email (SMTP) settings used when the system sends notifications on behalf of Eme2App itself — for example, password-reset emails. These settings are separate from the per-company SMTP configuration stored on eachempresa record.
GET /api/adminapp/config-sistema
Retrieve the current system-level email configuration.200 OK
SMTP provider preset. Accepted values:
"gmail", "outlook", "brevo", "custom".SMTP server hostname. Used when
smtp_provider is "custom".SMTP port number (1–65535).
true = use TLS (port 465); false = use STARTTLS (port 587).SMTP authentication username (email format).
Sender display string used in the
From: header.PEM-encoded content of the app-level AEAT certificate, or
null if none is loaded.PUT /api/adminapp/config-sistema
Save updated system email configuration. Only the fields you include are updated.Request body
SMTP provider preset. Accepted values:
"gmail", "outlook", "brevo", "custom", or "" (empty string to clear).SMTP server hostname for custom provider configurations.
SMTP port. Must be between 1 and 65535.
Use TLS (
true) or STARTTLS (false).SMTP username. Must be a valid email format when provided.
SMTP password or app password. Stored encrypted at rest.
Sender display string, e.g.
"Eme2App <noreply@eme2app.com>".200 OK
POST /api/adminapp/config-sistema/probar
Send a test email using the currently saved system configuration. Use this to verify SMTP credentials before relying on them for production traffic.Request body
Destination email address for the test message. Must be a valid email format.
200 OK
400 Bad Request — SMTP delivery failure:
AEAT App-Level Certificate
Eme2App integrates with the Spanish Tax Agency (AEAT) for digital invoice submission and NIF validation. The app-level certificate acts as a fallback when a company has not uploaded its own certificate. The PFX/P12 file is converted to PEM format on the server and stored encrypted in the system configuration record.POST /api/adminapp/certificado-aeat
Upload an app-level AEAT certificate in PFX or P12 format. The file is sent asmultipart/form-data. Maximum file size is 5 MB.
Request body (multipart/form-data)
| Field | Type | Required | Description |
|---|---|---|---|
certificado | File | Yes | PFX or P12 certificate file. Must have .pfx or .p12 extension. |
passphrase | String | No | Password protecting the PFX/P12 file. Leave empty if the file has no password. |
200 OK
400 Bad Request — no file, wrong extension, or bad passphrase:
DELETE /api/adminapp/certificado-aeat
Remove the app-level AEAT certificate. Both the PEM content and the passphrase are cleared from the system configuration. After this, AEAT features that rely on a certificate will fail unless individual companies have their own certificates uploaded.200 OK
Fiscal Advisory Applications
Advisory apps (aplicaciones_asesoria) represent third-party accounting or fiscal management software integrations. Each app record includes an export key that acts as a shared secret for data-exchange operations between Eme2App and the advisory platform.
GET /api/adminapp/aplicaciones-asesoria
List all configured fiscal advisory application integrations.200 OK
UUID of the advisory app record.
Display name of the advisory application.
Export key (shared secret) used when exchanging data with this advisory app. Maximum 20 characters.
POST /api/adminapp/aplicaciones-asesoria
Register a new fiscal advisory application.Request body
Display name for the advisory application. Must not be empty.
Export key / shared secret. Must not be empty. Maximum 20 characters.
201 Created
PUT /api/adminapp/aplicaciones-asesoria/:id
Update an existing advisory application’s name or export key.Path parameters
UUID of the advisory app record to update.
Request body
Updated display name.
Updated export key. Maximum 20 characters.
200 OK
DELETE /api/adminapp/aplicaciones-asesoria/:id
Delete an advisory application integration record.Path parameters
UUID of the advisory app record to delete.
200 OK
Error response shape
All error responses follow the standard envelope:express-validator include an errores array:
| HTTP status | Scenario |
|---|---|
400 | Validation failure, duplicate record, or bad input |
401 | Missing or expired Bearer token |
403 | Valid token but role is not superadmin |
404 | Requested company or user not found |
500 | Unexpected server-side error |