The admin API provides endpoints for monitoring platform health, managing registered users, and performing privileged operations. Every endpoint on this page requires your account to have the Admin role. Non-admin requests receive a 401 or 403 response. Pass your admin session cookie with every request.
All endpoints on this page are restricted to Admin accounts. Do not expose admin session tokens in client-side code or public repositories.

GET /api/admin/dashboard-stats

Return platform-wide statistics in a single request. Useful for populating an admin dashboard.

Response fields

success (boolean): true on success.
stats (object): Platform statistics snapshot.

Example

curl "https://flagforgectf.com/api/admin/dashboard-stats" \
  -H "Cookie: next-auth.session-token=<admin-session>"

{
  "success": true,
  "stats": {
    "totalChallenges": 48,
    "activeChallenges": 45,
    "totalUsers": 312,
    "totalBadgeTemplates": 10,
    "activeBadgeTemplates": 8,
    "recentActivity": 17,
    "newUsersThisWeek": 24,
    "topCategories": [
      { "_id": "Web", "count": 14 },
      { "_id": "Crypto", "count": 10 },
      { "_id": "Forensics", "count": 8 },
      { "_id": "Pwn", "count": 7 },
      { "_id": "Reversing", "count": 6 }
    ],
    "totalArchivedChallenges": 3,
    "lastUpdated": "2024-06-15T09:45:00.000Z"
  }
}

Error responses

| Status | Condition |
| --- | --- |
| 401 Unauthorized | No session cookie provided. |
| 403 Forbidden | Signed in but not an Admin. |

GET /api/admin/users

List all registered users with their scores, roles, and challenge completion counts. Results are sorted by totalScore descending.

Response fields

success (boolean): true on success.
users (object[]): Array of user records.
total (number): Total number of users returned.

Example

curl "https://flagforgectf.com/api/admin/users" \
  -H "Cookie: next-auth.session-token=<admin-session>"

{
  "success": true,
  "users": [
    {
      "name": "alice",
      "email": "alice@example.com",
      "image": "https://lh3.googleusercontent.com/a/example",
      "totalScore": 3750,
      "customBadges": [],
      "createdAt": "2024-01-15T08:30:00.000Z",
      "completedQuestions": 28
    },
    {
      "name": "bob smith",
      "email": "bob@example.com",
      "image": null,
      "totalScore": 2100,
      "customBadges": [
        {
          "name": "CTF Champion",
          "description": "Winner of Spring 2024",
          "icon": "trophy",
          "color": "#EAB308",
          "assignedAt": "2024-05-01T12:00:00.000Z",
          "assignedBy": "admin@example.com"
        }
      ],
      "createdAt": "2024-02-20T14:00:00.000Z",
      "completedQuestions": 15
    }
  ],
  "total": 2
}

Error responses

| Status | Condition |
| --- | --- |
| 401 Unauthorized | No session cookie provided. |
| 403 Forbidden | Signed in but not an Admin. |

Admin badge management

See the Badges API page for the following admin-only badge endpoints:
  • POST /api/admin/assign-badge — Assign a badge to a user.
  • GET /api/admin/assign-badge — List all active badge assignments.
  • DELETE /api/admin/assign-badge — Remove a badge assignment.

All admin API calls must include the admin session cookie. In production, session cookies are HttpOnly and Secure, and the browser sends them automatically. When using curl or other HTTP clients in a script, copy the next-auth.session-token value from your browser's cookie storage and pass it with -H "Cookie: next-auth.session-token=<token>".
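
The scripted use described above, as an added example that is not the project's own code: it reads the session token from an environment variable instead of embedding it, maps 401 and 403 to the conditions in the error tables, and lists badge grants in the /api/admin/users response whose assignedBy is not on a list of trusted admins. The variable names FLAGFORGE_ADMIN_SESSION and FLAGFORGE_TRUSTED_ADMINS, the function names, and the sample record are assumptions made for this example.

```python
import json
import os
import urllib.error
import urllib.request

BASE_URL = "https://flagforgectf.com"  # host from the page's curl examples
# Status meanings from the page's error tables.
ERRORS = {401: "no session cookie provided", 403: "signed in but not an Admin"}


def fetch_users(token, base_url=BASE_URL):
    """GET /api/admin/users with the admin session cookie; return parsed JSON."""
    req = urllib.request.Request(
        base_url + "/api/admin/users",
        headers={"Cookie": "next-auth.session-token=" + token},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        reason = ERRORS.get(exc.code, "unexpected status")
        raise RuntimeError(f"HTTP {exc.code}: {reason}") from None


def unexpected_badge_grants(payload, trusted_admins):
    """Return (user email, badge name, assignedBy) for grants by unlisted accounts."""
    if payload.get("success") is not True:
        raise ValueError("response did not report success")
    trusted = {a.strip().lower() for a in trusted_admins if a.strip()}
    findings = []
    for user in payload.get("users", []):
        for badge in user.get("customBadges") or []:
            assigner = (badge.get("assignedBy") or "").lower()
            if assigner not in trusted:
                findings.append((user.get("email"), badge.get("name"), assigner))
    return findings


# Constructed sample, trimmed from the shape of the page's example response.
SAMPLE = {"success": True, "total": 2, "users": [
    {"email": "alice@example.com", "customBadges": []},
    {"email": "bob@example.com", "customBadges": [
        {"name": "CTF Champion", "assignedBy": "admin@example.com"}]},
]}

if __name__ == "__main__":
    # Hypothetical variable names: the token stays out of the script and the repo.
    token = os.environ["FLAGFORGE_ADMIN_SESSION"]
    admins = os.environ.get("FLAGFORGE_TRUSTED_ADMINS", "").split(",")
    for finding in unexpected_badge_grants(fetch_users(token), admins):
        print(finding)
```

A grant with a missing assignedBy field is reported with an empty assigner rather than skipped, so incomplete records show up in the review.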