The Users API manages the members of your tenant company. Users are authenticated through Neon Auth — eachDocumentation Index
Usuario record in the database is linked to a Neon Auth identity via neonAuthId. Administrators can list all members, adjust roles and fine-grained permissions, change a user’s estado (active, suspended, or pending), and remove accounts. An invitation system allows admins to onboard new members by sending tokenized email invitations that recipients accept through a dedicated endpoint.
Endpoints
| Method | Path | Description |
|---|---|---|
| GET | /api/usuarios | List all users in the tenant (ADMIN only) |
| POST | /api/usuarios | Create a user record directly (ADMIN only) |
| GET | /api/usuarios/[id] | Get a user by ID (ADMIN only) |
| PUT | /api/usuarios/[id] | Update a user’s role, permissions, or state (ADMIN only) |
| DELETE | /api/usuarios/[id] | Delete a user (ADMIN only; cannot delete self) |
| GET | /api/invitaciones | List all invitations for the tenant |
| POST | /api/invitaciones | Send an invitation email to a new member |
| POST | /api/invitaciones/aceptar | Accept an invitation using a token |
| GET | /api/invitaciones/validar | Validate an invitation token before rendering the accept UI |
| GET | /api/empresa/usuarios | List all users in the company including pending members |
GET /api/usuarios
Returns all Usuario records for the tenant, ordered by creation date descending. Each record exposes id, email, nombre, rol, estado, and creadoEn.
Response fields
Internal user UUID (cuid).
User email address, synchronized from Neon Auth.
Display name.
Role assigned to the user: ADMIN or USUARIO.
Account state: PENDIENTE, ACTIVO, or SUSPENDIDO.
ISO 8601 timestamp of user record creation.
POST /api/usuarios
Creates a Usuario record directly in the database under the tenant. This is intended for administrative provisioning; the created account starts with a placeholder Neon Auth ID and must complete the Neon Auth sign-in flow to become fully active. Requires ADMIN role. Returns the created user (HTTP 201).
Request body
User email address. Must be unique across the system.
Display name for the user.
Role to assign: ADMIN or USUARIO. Defaults to USUARIO if omitted or unrecognized.
Array of Permiso enum values to grant. Unrecognized values are silently filtered out. Accepted values: VER_ANALISIS, EXPORTAR_REPORTES, REGISTRAR_MOVIMIENTOS, REALIZAR_VENTAS.
Response fields
Assigned user ID (cuid).
Email address.
Display name.
Assigned role.
Initial state: PENDIENTE.
Granted permissions.
Creation timestamp (ISO 8601).
GET /api/usuarios/[id]
Returns a single user by their internal ID. The lookup is scoped to the tenant. Returns 404 if the user does not exist within the company. Requires ADMIN role.
Path parameters
User UUID (cuid).
Response fields
User ID.
Email address.
Display name.
Assigned role.
Account state.
Array of granted Permiso values.
Creation timestamp (ISO 8601).
PUT /api/usuarios/[id]
Updates a user’s profile, role, permissions, or account state. Only the fields provided in the body are changed. Permission changes are validated against the known Permiso enum — unknown values are silently dropped. Requires ADMIN role. The full updated user object is returned.
Path parameters
User UUID (cuid).
Request body
Updated display name.
Updated email address. Must be unique across the system.
Updated role: ADMIN or USUARIO. Other values are ignored.
Replacement permissions array. Accepted values: VER_ANALISIS, EXPORTAR_REPORTES, REGISTRAR_MOVIMIENTOS, REALIZAR_VENTAS.
Updated account state: PENDIENTE, ACTIVO, or SUSPENDIDO. Use SUSPENDIDO to block a user’s access without deleting their record.
DELETE /api/usuarios/[id]
Permanently deletes a user from the tenant. The requesting admin cannot delete their own account — that attempt returns 400 Bad Request. The operation validates that the target user belongs to the same company before deleting. Returns { "ok": true } on success. Requires ADMIN role.
Path parameters
User UUID (cuid) of the account to delete.
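The input rules documented for POST and PUT /api/usuarios (role defaulting, Permiso filtering, estado validation) together with the self-delete and same-company checks for DELETE, worked through in TypeScript as an added example rather than the project's own route code; the function names, the body shape and the 404 for a cross-tenant target are assumptions.

```typescript
// Added example, not the project's own code: the input rules this page documents
// for POST/PUT /api/usuarios and the DELETE self/tenant checks. Function names,
// the body shape and the 404 for a cross-tenant target are assumptions.
const PERMISOS = ["VER_ANALISIS", "EXPORTAR_REPORTES", "REGISTRAR_MOVIMIENTOS", "REALIZAR_VENTAS"] as const;
const ROLES = ["ADMIN", "USUARIO"] as const;
const ESTADOS = ["PENDIENTE", "ACTIVO", "SUSPENDIDO"] as const;
type Permiso = (typeof PERMISOS)[number];
type Rol = (typeof ROLES)[number];
type Estado = (typeof ESTADOS)[number];

interface UsuarioUpdate { nombre?: string; email?: string; rol?: Rol; permisos?: Permiso[]; estado?: Estado }
interface UsuarioNuevo { email: string; nombre: string; rol: Rol; permisos: Permiso[]; estado: Estado }
interface Miembro { id: string; empresaId: string }

// Keep only known Permiso values; anything else is silently dropped, as documented.
function filtrarPermisos(input: unknown): Permiso[] {
  if (!Array.isArray(input)) return [];
  return input.filter((p: unknown): p is Permiso => (PERMISOS as readonly unknown[]).includes(p));
}

// PUT: only fields present in the body change; a rol or estado outside the enum
// is ignored instead of being written through to the database.
function normalizarActualizacion(body: Record<string, unknown>): UsuarioUpdate {
  const out: UsuarioUpdate = {};
  if (typeof body.nombre === "string") out.nombre = body.nombre.trim();
  if (typeof body.email === "string") out.email = body.email.trim().toLowerCase();
  if ((ROLES as readonly unknown[]).includes(body.rol)) out.rol = body.rol as Rol;
  if ("permisos" in body) out.permisos = filtrarPermisos(body.permisos);
  if ((ESTADOS as readonly unknown[]).includes(body.estado)) out.estado = body.estado as Estado;
  return out;
}

// POST: rol falls back to USUARIO when missing or unrecognized and the record
// starts PENDIENTE. Returns null when the required email or nombre is absent.
function normalizarCreacion(body: Record<string, unknown>): UsuarioNuevo | null {
  if (typeof body.email !== "string" || typeof body.nombre !== "string") return null;
  const rol: Rol = (ROLES as readonly unknown[]).includes(body.rol) ? (body.rol as Rol) : "USUARIO";
  return { email: body.email.trim().toLowerCase(), nombre: body.nombre.trim(), rol,
           permisos: filtrarPermisos(body.permisos), estado: "PENDIENTE" };
}

// DELETE: the admin cannot delete itself (400); a target outside the requester's
// company is answered as not found (404, assumed) rather than deleted.
function autorizarEliminacion(requester: Miembro, target: Miembro | null): { status: number; body: object } {
  if (target && target.id === requester.id) return { status: 400, body: { error: "cannot delete own account" } };
  if (!target || target.empresaId !== requester.empresaId) return { status: 404, body: { error: "user not found" } };
  return { status: 200, body: { ok: true } };
}
```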
GET /api/invitaciones
Lists all invitations belonging to the tenant. Available to any active tenant member.
Response fields
Returns an array of Invitacion objects, each including id, email, rol, estado, expiraEn, and creadoEn.
POST /api/invitaciones
Sends a tokenized invitation email to a new member. The invitation record is created with estado: PENDIENTE and an expiry timestamp. The token is embedded in the email link and used to accept the invitation. Requires ADMIN role.
Request body
Email address of the person being invited.
Role to pre-assign when the invitation is accepted: ADMIN or USUARIO. Defaults to USUARIO.
POST /api/invitaciones/aceptar
Accepts a pending invitation using the token received in the invitation email. On success, the invitation’s estado is set to ACEPTADA and the corresponding Usuario record is created and linked to the Neon Auth identity.
Request body
Unique invitation token from the email link.
The Neon Auth user ID obtained after completing the Neon Auth sign-up flow.
Email address confirmed during sign-up.
Display name provided during sign-up.
GET /api/invitaciones/validar
Validates an invitation token and returns its metadata before the accept form is rendered. Returns 404 for an expired or already-used token.
Query parameters
Invitation token to validate.
Response fields
Always true when the token is valid.
Email address the invitation was sent to.
Name of the company associated with the invitation.
ISO 8601 expiry timestamp.
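The invitation lifecycle across POST /api/invitaciones, GET /api/invitaciones/validar and POST /api/invitaciones/aceptar, as an added TypeScript example that is not the project's code; the 7-day TTL, the token format, the email-match check on accept and the new member's ACTIVO state are assumptions.

```typescript
import { randomBytes } from "node:crypto";
// Added example, not the project's own code: an in-memory model of the invitation
// lifecycle documented above. The 7-day TTL, the token format, the email-match
// check on accept and the ACTIVO state of the new member are assumptions.
type Rol = "ADMIN" | "USUARIO";
interface Invitacion { id: string; token: string; email: string; rol: Rol; empresaNombre: string;
  estado: "PENDIENTE" | "ACEPTADA"; expiraEn: Date }
interface Usuario { id: string; neonAuthId: string; email: string; nombre: string; rol: Rol; estado: "ACTIVO" }

const TTL_MS = 7 * 24 * 60 * 60 * 1000;
const invitaciones = new Map<string, Invitacion>(); // keyed by token
const usuarios: Usuario[] = [];

// POST /api/invitaciones: 256 random bits make the token unguessable, so only the
// emailed link carries it. Returns the record that would be persisted.
function crearInvitacion(email: string, rol: Rol, empresaNombre: string, now = new Date()): Invitacion {
  const inv: Invitacion = {
    id: `inv_${invitaciones.size + 1}`, token: randomBytes(32).toString("hex"),
    email: email.trim().toLowerCase(), rol, empresaNombre, estado: "PENDIENTE",
    expiraEn: new Date(now.getTime() + TTL_MS),
  };
  invitaciones.set(inv.token, inv);
  return inv;
}

// Shared precondition: the token must exist, still be PENDIENTE and not be expired.
function invitacionPendiente(token: string, now: Date): Invitacion | null {
  const inv = invitaciones.get(token);
  return inv && inv.estado === "PENDIENTE" && inv.expiraEn > now ? inv : null;
}

// GET /api/invitaciones/validar: null stands for the documented 404.
function validarInvitacion(token: string, now = new Date()) {
  const inv = invitacionPendiente(token, now);
  if (!inv) return null;
  return { valid: true, email: inv.email, empresa: inv.empresaNombre, expiraEn: inv.expiraEn.toISOString() };
}

// POST /api/invitaciones/aceptar: consumes the token exactly once, then creates the
// Usuario linked to the Neon Auth identity obtained from the sign-up flow.
function aceptarInvitacion(token: string, neonAuthId: string, email: string, nombre: string, now = new Date()): Usuario | null {
  const inv = invitacionPendiente(token, now);
  if (!inv || inv.email !== email.trim().toLowerCase()) return null;
  inv.estado = "ACEPTADA"; // single use: a second accept with the same token fails
  const u: Usuario = { id: `usr_${usuarios.length + 1}`, neonAuthId, email: inv.email, nombre, rol: inv.rol, estado: "ACTIVO" };
  usuarios.push(u);
  return u;
}
```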
GET /api/empresa/usuarios
Returns the users in the current company as an object containing a usuarios array and an esAdmin flag indicating whether the requesting user is an admin. Includes users with any estado (PENDIENTE, ACTIVO, SUSPENDIDO), ordered by creation date ascending.
Response fields
Array of user objects for the company.
User ID.
Email address.
Display name.
Assigned role.
Account state: PENDIENTE, ACTIVO, or SUSPENDIDO.
true if the authenticated user has the ADMIN or SUPER_ADMIN role.
Permiso enum values
The following permission values are recognized by the system. They can be granted to any user regardless of role and control access to specific features in the UI and API.
| Value | Description |
|---|---|
| VER_ANALISIS | Access the analytics dashboard (GET /api/analisis). |
| EXPORTAR_REPORTES | Download Excel reports (GET /api/analisis/exportar). |
| REGISTRAR_MOVIMIENTOS | Create manual stock movements. |
| REALIZAR_VENTAS | Create sales and quotations. |