The Users API lets administrators manage the people who have access to their company workspace in Eme2App. Every request operates within the scope of a single empresa — the company encoded in the caller’s JWT — so one admin cannot accidentally read or modify users belonging to a different tenant. Creating a user here automatically associates them to the caller’s company through the usuario_empresas join table. If you need to provision users across multiple companies or perform cross-tenant operations, use the Admin App API instead, which exposes the equivalent endpoints under /api/adminapp/usuarios and is restricted to the superadmin role.
All endpoints on this page require a valid Bearer token issued after login. The token must carry the admin role — except PUT /api/usuarios/:id, where a non-admin user may update their own record (but cannot change their rol).

Authentication

Every request must include the JWT in the Authorization header as a Bearer token. The token payload carries the empresa_id and rol claims that scope the request to a single company and determine the caller’s privileges. A request that omits the header, presents an expired token, or carries insufficient privileges receives one of the following errors:
| HTTP status | estado | Meaning |
|---|---|---|
| 401 | error | Token missing, expired, or invalid |
| 403 | error | Valid token but insufficient role |
Endpoints

GET /api/usuarios

List all users belonging to the authenticated admin’s company. Required role: admin

200 OK

| Field | Description |
|---|---|
| estado | "exito" on success. |
| datos | Array of user objects scoped to the caller’s empresa_id. |
| datos[].id | UUID (CHAR 36) uniquely identifying the user. |
| datos[].email | The user’s login email address. Globally unique across all companies. |
| datos[].nombre | Display name of the user. |
| datos[].rol | Role of the user within this company: "admin" or "user". |
| datos[].estado | true = active; false = deactivated. Deactivated users cannot log in. |

The response also carries the total number of users returned.
POST /api/usuarios

Create a new user and assign them to the authenticated admin’s company. If the email address is already registered in the system this endpoint returns 400 Bad Request — use the Admin App API to assign an existing cross-company user to a second company.

Required role: admin

Request body

| Field | Description |
|---|---|
| email | Valid email address for the new user. Must be globally unique across the entire platform. |
| password | Plain-text password. Minimum 6 characters. Stored as a bcrypt hash (cost 10) — never in plain text. |
| nombre | Full display name of the user. Must not be empty. |
| rol | Role within this company. Accepted values: "admin" or "user". An "admin" can manage other users and access all configuration; a "user" has standard read/write access to business data. |

201 Created

| Field | Description |
|---|---|
| estado | "exito" on success. |
| mensaje | Human-readable confirmation: "Usuario creado exitosamente". |
| datos | The newly created user object, matching the shape returned by GET /api/usuarios. |

400 Bad Request — validation failure or email already exists (see Error response shape below).

PUT /api/usuarios/:id
Update an existing user. Admins can update any user in their company. A non-admin user may only update their own record and cannot change the rol field.

Required role: admin (to update any user or change rol). Authenticated user of any role (to update their own nombre or password).

Path parameters

| Parameter | Description |
|---|---|
| id | The UUID of the user to update. |

Request body

All fields are optional. Only send the fields you want to change.

| Field | Description |
|---|---|
| nombre | Updated display name. Must not be blank if provided. |
| password | New password. Minimum 6 characters. Will be re-hashed before storage. |
| rol | New role. Accepted values: "admin" or "user". Only an admin caller can change this field. A non-admin user updating their own record must omit this field. |
| activo | Activate (true) or deactivate (false) the user account. Alias of estado. Admin only. |
| estado | Activate (true) or deactivate (false) the user account. Alias of activo. Both fields are accepted; if both are provided, estado takes precedence. Admin only. |

200 OK

403 Forbidden — non-admin attempting to update another user (see Error response shape below).
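The rules of this endpoint (tenant scoping, self-update only for non-admins, rol/activo/estado reserved to admins, estado taking precedence over activo) as an added example that is not Eme2App’s own code: a pure authorization function of the kind a route handler must run before touching the database. The function name, the claims shape (sub, empresa_id, rol) and the status code returned for a cross-tenant id are assumptions of this example.

```javascript
// Added example, not Eme2App's code. claims = decoded JWT payload { sub, empresa_id, rol }
// (shape assumed); target = stored row of the user being updated { id, empresa_id }.
const ALLOWED = new Set(['nombre', 'password', 'rol', 'activo', 'estado']);
const ADMIN_ONLY = ['rol', 'activo', 'estado'];

// Returns { allowed: false, status, mensaje } on rejection, or { allowed: true, update }.
function authorizeUserUpdate(claims, target, body) {
  const deny = (status, mensaje) => ({ allowed: false, status, mensaje });
  body = body || {};
  if (!claims || !claims.sub || !claims.empresa_id || !claims.rol) {
    return deny(401, 'Token missing, expired, or invalid');
  }
  const isAdmin = claims.rol === 'admin';
  // Tenant scope: even an admin may only reach users of their own empresa (403 is assumed here).
  if (!target || target.empresa_id !== claims.empresa_id) {
    return deny(403, 'User does not belong to your company');
  }
  if (!isAdmin && claims.sub !== target.id) {
    return deny(403, 'Non-admin users may only update their own record');
  }
  const keys = Object.keys(body);
  const unknown = keys.filter((k) => !ALLOWED.has(k));
  if (unknown.length) return deny(400, `Unknown fields: ${unknown.join(', ')}`);
  // rol, activo and estado are admin-only: a user must not promote or re-activate themselves.
  const privileged = keys.filter((k) => ADMIN_ONLY.includes(k));
  if (!isAdmin && privileged.length) {
    return deny(403, `Admin-only fields: ${privileged.join(', ')}`);
  }
  const update = {};
  if ('nombre' in body) {
    if (typeof body.nombre !== 'string' || !body.nombre.trim()) return deny(400, 'nombre must not be blank');
    update.nombre = body.nombre;
  }
  if ('password' in body) {
    if (typeof body.password !== 'string' || body.password.length < 6) return deny(400, 'password: minimum 6 characters');
    update.password = body.password; // the route re-hashes this with bcrypt before storing it
  }
  if ('rol' in body) {
    if (body.rol !== 'admin' && body.rol !== 'user') return deny(400, 'rol must be "admin" or "user"');
    update.rol = body.rol;
  }
  // activo is an alias of estado; when both are sent, estado takes precedence.
  if ('estado' in body || 'activo' in body) {
    const value = 'estado' in body ? body.estado : body.activo;
    if (typeof value !== 'boolean') return deny(400, 'estado/activo must be boolean');
    update.estado = value;
  }
  return { allowed: true, update };
}
```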
DELETE /api/usuarios/:id

Deactivate a user, revoking their ability to log in. This is a soft delete — the user record is preserved in the database. Required role: admin

Path parameters

| Parameter | Description |
|---|---|
| id | The UUID of the user to delete/deactivate. |

200 OK

400 Bad Request
Error response shape

All error responses across this API follow the same envelope: estado is "error" and mensaje carries a human-readable description of the failure. Validation errors produced by express-validator include an errores array instead of (or in addition to) mensaje.
User object reference

Fields returned in datos for a single user record, derived from the usuarios Prisma model:

| Field | Type | Description |
|---|---|---|
| id | string (CHAR 36) | Primary key UUID |
| email | string | Unique email address |
| nombre | string | Display name (max 255 chars) |
| rol | string | "admin" or "user" |
| estado | boolean | Account active state |
| empresa_id | string (UUID) | Company the user was created under |
| created_by | string or null | ID of the user who created this record |
| updated_by | string or null | ID of the user who last updated this record |
| created_at | string (ISO 8601) | Creation timestamp |
| updated_at | string (ISO 8601) | Last update timestamp |

The password field is never returned in any API response. Passwords are stored as bcrypt hashes and are not readable through the API.