Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/noelzappy/vaulx/llms.txt

Use this file to discover all available pages before exploring further.

Vaulx user management is split into two groups. The /admin/users endpoints are restricted to administrators and control the full lifecycle of user accounts — creation, role changes, and activation status. The /profile endpoints are available to every authenticated user and cover self-service display name updates and password changes.

List all users

GET /admin/users Renders the HTML admin users page showing every account registered in the system, regardless of active status. Authentication: admin only. Non-admin requests receive a 403 HTML error page. Response fields per user row
id
uuid
Unique user identifier.
email
string
The user’s email address (unique, used for login).
name
string
Display name shown in the UI and audit log.
role
string
One of viewer, editor, or admin.
active
boolean
Whether the account is currently active. Deactivated users cannot log in.
created_at
string
Human-readable account creation date.

Create user

POST /admin/users Creates a new Vaulx user account. On success, redirects to /admin/users. Authentication: admin only. Content-Type: application/x-www-form-urlencoded
email
string
required
Email address for the new account. Must be unique across all users.
name
string
required
Display name for the new user.
role
string
required
Initial role for the account. Must be one of viewer, editor, or admin.
password
string
required
Plain-text password. The server bcrypt-hashes the value before storage; the plain-text password is never persisted.
Example request body
email=alice%40example.com&name=Alice+Smith&role=editor&password=correcthorsebattery
Response
  • 302 Redirect to /admin/users on success.
  • 409 Conflict if the email address is already registered.
  • 400 Bad Request if any field is missing or if role is not a valid value.
Passwords are hashed with bcrypt.DefaultCost before being written to users.password_hash. The plain-text value is discarded immediately after hashing.

Update user

PATCH /admin/users/{userID} Updates the role and/or active status of an existing user. Both fields are optional — send only the fields you want to change. Returns 200 OK on success plus an HX-Trigger toast. Authentication: admin only.
userID
uuid
required
The UUID of the user account to update.
role
string
New role for the user. Must be viewer, editor, or admin. Omit to leave the role unchanged.
active
string
"true" to activate the account, "false" to deactivate it. Omit to leave the status unchanged.
Response
  • 200 OK with HX-Trigger header: {"showToast":{"message":"User updated","type":"success"}}.
  • 400 Bad Request if an invalid role value is supplied.
  • 500 Internal Server Error if the database update fails.
Deactivating your own admin account (active=false on your own userID) will immediately lock you out of the platform. There is no confirmation step — proceed with caution.

View profile

GET /profile Renders the authenticated user’s profile page, which includes forms to update their display name and change their password. Authentication: any authenticated user. Pass a success query parameter to display a confirmation banner after a redirect:
?success=Banner text
nameDisplay name updated.
passwordPassword updated successfully.

Update display name

POST /profile Updates the authenticated user’s display name. Refreshes the session cookie immediately so the sidebar reflects the new name without requiring a re-login. Authentication: any authenticated user. Content-Type: application/x-www-form-urlencoded
name
string
required
The new display name. Must be non-empty and at most 100 characters. Whitespace is trimmed from both ends before validation.
Response
  • 303 See Other redirect to /profile?success=name on success.
  • 400 Bad Request (re-renders profile page with error) if name is empty or exceeds 100 characters.
  • Writes a profile.name_updated entry to the audit log.

Change password

POST /profile/password Updates the authenticated user’s password after verifying the current one. Authentication: any authenticated user. Content-Type: application/x-www-form-urlencoded
current_password
string
required
The user’s existing plain-text password, used to verify identity before the change is applied.
new_password
string
required
The desired new password. Must be at least 8 characters.
confirm_password
string
required
Must exactly match new_password. The server compares the two values and rejects the request if they differ.
Response
  • 303 See Other redirect to /profile?success=password on success.
  • 400 Bad Request (re-renders profile page) if new_password and confirm_password do not match, or if new_password is fewer than 8 characters.
  • 403 Forbidden if the account has been deactivated by an admin.
  • 400 Bad Request (re-renders with error) if current_password does not match the stored bcrypt hash.
  • Writes a profile.password_updated entry to the audit log.

Build docs developers (and LLMs) love