Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/fredy-rizo/MultiSas/llms.txt

Use this file to discover all available pages before exploring further.

The company management endpoints let Super Admins control tenant lifecycle (activation, plan assignment, role promotion) and let company Admins manage their own workforce (creating sub-users, toggling account activation, listing active or inactive employees). All endpoints in this section require a valid JWT in the token-access: Bearer <token> header — see the Auth page for how to obtain a token.
TokenAny resolves the bearer token against both the Company collection and the UserCompany collection, populating req.user with { id, type_dato, role, plan, active }. TokenAuthorize(...roles) then checks whether req.user.role is included in the allowed list before passing control to the handler.

PUT /api/user/update-company/:company_id

Update a company’s subscription plan, account status, and billing cycle. This action is restricted to Super Admins only. On success, the company’s role_user is promoted to Admin and active_account is set to Activo. Auth: TokenAny + TokenAuthorize('Super Admin') Path Parameters
company_id
string
required
The MongoDB _id of the company to update.
Request Body
available_plans
string
Subscription plan to assign. One of: Plan Basico, Plan Profesional, Plan Premium, Plan Personalizado, Sin Plan.
type_available_plans
string
Billing cycle type. One of: Mensual, Anual, Permanente, Vacio. Controls how expired_available_plans is calculated.
months_quantity
number
Number of months for a Mensual plan (e.g. 3). Ignored when type_available_plans is Anual or Permanente.
Response
msj
string
"Datos actualizados correctamente" on success.
status
boolean
true on success.
The API automatically computes day_available_plans (today’s date), expired_available_plans (today + billing cycle), and promotes role_user to "Admin" and active_account to [{"name":"Activo","value":"2"}]. You do not need to send those fields in the request body.
curl -X PUT https://your-domain.com/api/user/update-company/64f1a2b3c4d5e6f7a8b9c0d1 \
  -H "Content-Type: application/json" \
  -H "token-access: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \
  -d '{
    "available_plans": "Plan Profesional",
    "type_available_plans": "Mensual",
    "months_quantity": 3
  }'

{
  "msj": "Datos actualizados correctamente",
  "status": true
}

POST /api/user/create-user-company-by-admin/:company_id

Create a new sub-user (employee/seller) profile under a specific company. Only Admins of the target company and Super Admins may call this endpoint. The newly created account starts with active: false and must be activated separately. Auth: TokenAny + TokenAuthorize('Admin', 'Super Admin') Path Parameters
company_id
string
required
The MongoDB _id of the parent company.
Request Body
name_user_company
string
required
Full name of the new sub-user.
email_user_company
string
required
Email address for the sub-user.
password_user_company
string
required
Plain-text password for the sub-user. Stored bcrypt-hashed (salt rounds: 6).
role_user_company
string
required
Role to assign. One of: Vendedor, Consultor, Diseñador, Sin rol.
Response
msj
string
Dynamic success message, e.g. "Perfil de Vendedor creado exitosamente".
status
boolean
true on success.
new_user_company
object
The full persisted UserCompany document, including _id, company (parent company ID), all submitted fields, and active: false.
curl -X POST https://your-domain.com/api/user/create-user-company-by-admin/64f1a2b3c4d5e6f7a8b9c0d1 \
  -H "Content-Type: application/json" \
  -H "token-access: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \
  -d '{
    "name_user_company": "Ana Gómez",
    "email_user_company": "ana@example.com",
    "password_user_company": "vendedor123",
    "role_user_company": "Vendedor"
  }'

{
  "msj": "Perfil de Vendedor creado exitosamente",
  "status": true,
  "new_user_company": {
    "_id": "64f1a2b3c4d5e6f7a8b9c0d2",
    "company": "64f1a2b3c4d5e6f7a8b9c0d1",
    "name_user_company": "Ana Gómez",
    "email_user_company": "ana@example.com",
    "role_user_company": "Vendedor",
    "nit_company_by_user": "900123456-1",
    "active": false,
    "type_dato": "user_company"
  }
}
Companies on the Plan Basico are limited to one sub-user. If the limit is reached, the API returns HTTP 403 with {"msj": "El plan basico solo permite 1 usuario por empresa", "status": false}. Upgrade the company’s plan to add more users.

PUT /api/user/active-account-user-by-company/:user_company_id

Toggle the active status of a sub-user account. Set active: true to allow the sub-user to log in; set active: false to deactivate them. Only the owning company’s Admin (or a Super Admin) may update a sub-user. Auth: TokenAny + TokenAuthorize('Admin', 'Super Admin') Path Parameters
user_company_id
string
required
The MongoDB _id of the UserCompany record to activate or deactivate.
Request Body
active
boolean
required
true to activate the account; false to deactivate it.
Response
msj
string
"Cuenta activada correctamente" on success.
status
boolean
true on success.
result
object
MongoDB updateOne result object containing matchedCount, modifiedCount, and acknowledged.
curl -X PUT https://your-domain.com/api/user/active-account-user-by-company/64f1a2b3c4d5e6f7a8b9c0d2 \
  -H "Content-Type: application/json" \
  -H "token-access: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \
  -d '{
    "active": true
  }'

{
  "msj": "Cuenta activada correctamente",
  "status": true,
  "result": {
    "acknowledged": true,
    "matchedCount": 1,
    "modifiedCount": 1
  }
}

GET /api/user/list-user-by-company-active/:company_id/:pag?/:perpage?

Return a paginated list of active sub-users (active: true) that belong to the specified company. Results are sorted by _id descending (newest first). Auth: TokenAny + TokenAuthorize('Admin', 'Super Admin') Path Parameters
company_id
string
required
The MongoDB _id of the company whose active users should be listed.
pag
number
Page number to retrieve (1-based). Defaults to page 1 when omitted.
perpage
number
Number of records per page. Defaults to 10 when omitted.
Response
msj
string
"Cargando usuarios activados..." on success.
status
boolean
true on success.
data
array
Array of UserCompany documents matching the filter.
pagination
object
Pagination metadata.
curl -X GET https://your-domain.com/api/user/list-user-by-company-active/64f1a2b3c4d5e6f7a8b9c0d1/1/10 \
  -H "token-access: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."

{
  "msj": "Cargando usuarios activados...",
  "status": true,
  "data": [
    {
      "_id": "64f1a2b3c4d5e6f7a8b9c0d2",
      "company": "64f1a2b3c4d5e6f7a8b9c0d1",
      "name_user_company": "Ana Gómez",
      "email_user_company": "ana@example.com",
      "role_user_company": "Vendedor",
      "nit_company_by_user": "900123456-1",
      "active": true
    }
  ],
  "pagination": {
    "pag": "1",
    "perpage": 10,
    "pags": 1
  }
}

GET /api/user/list-user-by-company-not-active/:company_id/:pag?/:perpage?

Return a paginated list of inactive sub-users (active: false) for a company — typically accounts that have been created but not yet activated, or that have been suspended. Results are sorted by _id descending. Auth: TokenAny + TokenAuthorize('Admin', 'Super Admin') Path Parameters
company_id
string
required
The MongoDB _id of the company.
pag
number
Page number (1-based). Defaults to 1.
perpage
number
Items per page. Defaults to 10.
Response
msj
string
"Cargando usuarios no activados..." on success.
status
boolean
true on success.
data
array
Array of inactive UserCompany documents.
pagination
object
Same structure as the active-users endpoint: pag, perpage, pags.
curl -X GET https://your-domain.com/api/user/list-user-by-company-not-active/64f1a2b3c4d5e6f7a8b9c0d1/1/10 \
  -H "token-access: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."

{
  "msj": "Cargando usuarios no activados...",
  "status": true,
  "data": [
    {
      "_id": "64f1a2b3c4d5e6f7a8b9c0d3",
      "company": "64f1a2b3c4d5e6f7a8b9c0d1",
      "name_user_company": "Luis Martínez",
      "email_user_company": "luis@example.com",
      "role_user_company": "Consultor",
      "nit_company_by_user": "900123456-1",
      "active": false
    }
  ],
  "pagination": {
    "pag": "1",
    "perpage": 10,
    "pags": 1
  }
}

GET /api/user/test_plan

Check the plan expiration status for the authenticated company. The check_plan_expiration middleware from Expiration.js runs before the controller handler and may short-circuit the request if the plan has already expired. Auth: TokenAny + TokenAuthorize('Admin', 'Super Admin') + check_plan_expiration Response
status
boolean
true if the plan is still valid.
day_lef
string
The date on which the current plan was activated (day_available_plans from the company record).
user_id
string
MongoDB _id of the authenticated company.
curl -X GET https://your-domain.com/api/user/test_plan \
  -H "token-access: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."

{
  "status": true,
  "day_lef": "15/3/2025",
  "user_id": "64f1a2b3c4d5e6f7a8b9c0d1"
}

Pagination

Paginated list endpoints use optional URL path segments rather than query parameters. The Paginate middleware reads :pag and :perpage from req.params and injects skippag and limit into req.body before the handler runs.
SegmentDescriptionDefault
:pagPage number (1-based). Page 1 starts at offset 0.1
:perpageNumber of records returned per page.10
Offset calculation: skippag = (pag - 1) * perpage Example — page 2 of results, 10 items per page: 
GET /api/user/list-user-by-company-active/64f1a2b3c4d5e6f7a8b9c0d1/2/10
Example — first page with default page size: 
GET /api/user/list-user-by-company-active/64f1a2b3c4d5e6f7a8b9c0d1
The response pagination object always echoes back the current page (pag), effective page size (perpage), and total page count (pags) so that clients can implement next/previous controls without an additional count request.

Error Responses

All protected endpoints share a common set of error shapes returned by the TokenAny and TokenAuthorize middleware layers.
HTTP StatusWhenResponse Body
401No token-access header provided{"msj": "Sin autorizacion", "status": false}
403JWT has expired (365-day TTL elapsed){"msj": "Sesion finalizada", "status": false}
403Authenticated user’s role is not in the allowed list{"msj": "No tienes permisos", "status": false}
404User record not found during token lookup{"msj": "Usuario no encontrado", "status": false}
401 — No token: 
{ "msj": "Sin autorizacion", "status": false }
403 — Expired session: 
{ "msj": "Sesion finalizada", "status": false }
403 — Insufficient role: 
{ "msj": "No tienes permisos", "status": false }
404 — User not found: 
{ "msj": "Usuario no encontrado", "status": false }
If a company Admin attempts to act on a resource belonging to a different company (mismatched company_id vs. token identity), the API returns HTTP 403 with {"msj": "No puedes acceder a esta funcion 'CTRL'", "status": false}. Only Super Admins can cross company boundaries.

Build docs developers (and LLMs) love

Get started for freeTalk to us