Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/vanegasjoseignacio2-cyber/Eco-It/llms.txt

Use this file to discover all available pages before exploring further.

The /api/admin route group powers the Eco-It back-office dashboard. Every endpoint in this group is protected by JWT authentication (verificarToken) and requires at minimum the admin role. Certain destructive operations — such as deleting notifications, purging audit logs, or changing a user’s role — additionally require the superadmin role. All requests must include a valid Authorization: Bearer <token> header.
Never expose admin tokens in client-side code or version-control repositories. Rotate credentials immediately if a token is compromised.

Users

GET /api/admin/usuarios

Returns a paginated-ready list of every registered user, sorted newest-first. Passwords, reset tokens, and expiry dates are excluded from the response. Each user object is augmented with a live isOnline flag derived from the active Socket.IO connection map. Auth: Admin 
GET /api/admin/usuarios
Authorization: Bearer <token>
success
boolean
true on a successful fetch.
usuarios
array
Array of user objects. Sensitive fields (password, resetPasswordToken, resetPasswordExpires) are stripped.

GET /api/admin/stats

Returns aggregated KPI statistics for the admin dashboard, including total users, recycling points, AI chat queries, and rich chart data for the last 30 days and the current year. Auth: Admin 
GET /api/admin/stats
Authorization: Bearer <token>
success
boolean
true on success.
totalUsuarios
number
Total number of registered accounts.
usuariosOnline
number
Number of users with an active Socket.IO session at query time.
nuevosHoy
number
Accounts created since midnight today (Colombia/Bogotá timezone).
totalPuntos
number
Sum of puntos across all user accounts.
totalConsultas
number
Cumulative AI chat messages sent by users (images excluded).
consultasHoy
number
Chat messages sent today.
chartData
object
Nested chart-ready data arrays.

GET /api/admin/admin

Returns the name, email, and role of the currently authenticated admin. Useful for rendering the dashboard header or validating the active session. Auth: Admin 
GET /api/admin/admin
Authorization: Bearer <token>
message
string
A welcome string: "Bienvenido al panel de administrador".
admin
object

DELETE /api/admin/users/:id

Permanently deletes a user account and all associated data. An audit log entry is automatically created. An admin cannot delete their own account. Auth: Admin 
DELETE /api/admin/users/:id
Authorization: Bearer <token>
Path parameterTypeDescription
idstringMongoDB ObjectId of the user to delete.
success
boolean
true on successful deletion.
message
string
"Usuario eliminado exitosamente" or an error description.
This action is irreversible. The user’s chat history, points, and profile data are permanently removed from the database.

PATCH /api/admin/users/:id/ban

Bans a user for a specified number of days. Sets the user’s status to "banned", records banHasta (expiry date) and banReason, emits a real-time user:banned Socket.IO event to the affected user’s active connections, and creates a Notification document visible to all admins. Auth: Admin 
PATCH /api/admin/users/:id/ban
Authorization: Bearer <token>
Content-Type: application/json
Path parameterTypeDescription
idstringMongoDB ObjectId of the target user.
dias
number
default:"7"
Duration of the ban in days.
motivo
string
default:"Incumplimiento de las normas"
Human-readable reason for the ban, stored in banReason and the generated notification.
success
boolean
true on success.
message
string
E.g. "Usuario baneado por 7 días".
usuario
object
The updated user document reflecting the new banned status.
An admin cannot ban themselves. Attempting to do so returns HTTP 400. A real-time Socket.IO event (user:banned) is emitted to the target user’s open sockets so they are immediately logged out on the client side.

PATCH /api/admin/users/:id/unban

Lifts an active ban by resetting the user’s status to "active" and clearing banHasta. Emits a user:unbanned Socket.IO event to the affected user in real time and writes an audit log entry. Auth: Admin 
PATCH /api/admin/users/:id/unban
Authorization: Bearer <token>
Path parameterTypeDescription
idstringMongoDB ObjectId of the target user.
success
boolean
true on success.
message
string
"Usuario desbaneado exitosamente".
usuario
object
The updated user document with status: "active" and banHasta: null.

PATCH /api/admin/users/:id/role

Changes a user’s role to either "user" or "admin". If the target user is currently "active" and connected, their Socket.IO room membership is updated instantly (joined or removed from the admins room). Auth: Superadmin 
PATCH /api/admin/users/:id/role
Authorization: Bearer <token>
Content-Type: application/json
Path parameterTypeDescription
idstringMongoDB ObjectId of the target user.
rol
string
required
New role to assign. Must be either "user" or "admin". The value "superadmin" is explicitly rejected.
success
boolean
true on success.
mensaje
string
Confirmation message including the new role, e.g. "El rol del usuario ha sido cambiado a admin".
usuario
object
The updated user document.
Only superadmins may call this endpoint. Assigning the "superadmin" role via the API is blocked by design — there can only be one superadmin, set directly in the database.

Notifications

Notifications are system-generated events (e.g. ban events, content alerts) stored in MongoDB. They auto-expire after 7 days via a TTL index. Each notification tracks which admin users have read it via the readBy array.

GET /api/admin/notifications

Returns the 50 most recent notifications, sorted by date descending. Each notification is augmented with a per-requesting-admin read boolean. Auth: Admin 
GET /api/admin/notifications
Authorization: Bearer <token>
success
boolean
true on success.
notifications
array
Array of notification objects.

PATCH /api/admin/notifications/mark-read

Marks all notifications as read for the requesting admin by adding their user ID to the readBy array of every notification not yet read by them. Auth: Admin 
PATCH /api/admin/notifications/mark-read
Authorization: Bearer <token>
success
boolean
true on success.
mensaje
string
"Notificaciones marcadas como leídas".

PATCH /api/admin/notifications/:id/mark-read

Marks a single notification as read for the requesting admin. Auth: Admin 
PATCH /api/admin/notifications/:id/mark-read
Authorization: Bearer <token>
Path parameterTypeDescription
idstringMongoDB ObjectId of the notification.
success
boolean
true on success.
mensaje
string
"Notificación marcada como leída".

DELETE /api/admin/notifications/all

Permanently deletes all notifications from the database. Auth: Superadmin 
DELETE /api/admin/notifications/all
Authorization: Bearer <token>
success
boolean
true on success.
mensaje
string
"Todas las notificaciones eliminadas de la base de datos".
This is a destructive superadmin-only operation. All notification history will be permanently erased and cannot be recovered.

DELETE /api/admin/notifications/:id

Deletes a single notification by its ID. Auth: Superadmin 
DELETE /api/admin/notifications/:id
Authorization: Bearer <token>
Path parameterTypeDescription
idstringMongoDB ObjectId of the notification to delete.
success
boolean
true on success.
mensaje
string
"Notificación eliminada de la base de datos".

Audit Logs

Audit logs are immutable records of significant admin actions (bans, unbans, role changes, deletions, slide creations, etc.). They are written automatically by the createAuditLog utility and auto-expire after 7 days via a MongoDB TTL index.

GET /api/admin/audit

Returns the 50 most recent audit log entries, sorted newest-first. Auth: Admin 
GET /api/admin/audit
Authorization: Bearer <token>
success
boolean
true on success.
logs
array
Array of audit log objects.
Audit logs are read-only by design for regular admins. Only superadmins can delete entries, and even then, the TTL index will automatically clean up records older than 7 days regardless.

DELETE /api/admin/audit/:id

Deletes a single audit log entry by its ID before its natural TTL expiry. Auth: Superadmin 
DELETE /api/admin/audit/:id
Authorization: Bearer <token>
Path parameterTypeDescription
idstringMongoDB ObjectId of the audit log entry.
success
boolean
true on success.
mensaje
string
"Registro eliminado de la base de datos".

DELETE /api/admin/audit/all

Wipes the entire audit log collection. Auth: Superadmin 
DELETE /api/admin/audit/all
Authorization: Bearer <token>
success
boolean
true on success.
mensaje
string
"Todos los registros eliminados de la base de datos".
Deleting all audit logs removes the complete administrative action history. This operation cannot be undone and should only be used during maintenance or compliance-driven data purges.

Map Points (Admin)

These endpoints manage the recycling point markers displayed on the public Eco-It map. Mutations emit a real-time map:updated Socket.IO event to all connected clients so the map refreshes instantly without requiring a page reload. Images are uploaded to and hosted on Cloudinary under the ecoit_map_points folder.

GET /api/admin/map/points

Returns all recycling points (both active and inactive, both user-visible and hidden), sorted newest-first. This is the admin-facing counterpart of the public map endpoint. Auth: Admin 
GET /api/admin/map/points
Authorization: Bearer <token>
success
boolean
true on success.
puntos
array
Full PuntoReciclaje documents including admin-only fields like activo and visibleToUser.

POST /api/admin/map/points

Creates a new recycling map point. If the imagen field contains a base64 data URI, it is uploaded to Cloudinary and the resulting secure URL is stored in its place. Auth: Admin 
POST /api/admin/map/points
Authorization: Bearer <token>
Content-Type: application/json
nombre
string
required
Display name of the recycling point shown on the map and in listings.
tipo
string
required
Category of the point. Must be one of: "recycling", "ecobottle", "truck", "container", "green_zone". Defaults to "recycling".
lat
number
required
Latitude of the point in decimal degrees (e.g. 4.7110 for Bogotá).
lng
number
required
Longitude of the point in decimal degrees (e.g. -74.0721 for Bogotá).
descripcion
string
Optional text description of the location or accepted materials.
imagen
string
Base64-encoded data URI (e.g. "data:image/png;base64,...") or an existing URL. If a data URI is provided, it is uploaded to Cloudinary and replaced with the resulting secure URL.
activo
boolean
default:"true"
Whether the point is immediately active after creation.
visibleToUser
boolean
default:"true"
Whether the point should appear on the public-facing user map.
Response — HTTP 201
success
boolean
true on creation.
punto
object
The newly created PuntoReciclaje document.
After a successful creation, the server automatically emits a map:updated Socket.IO event with the full list of active, user-visible points. Frontend map components should listen for this event to refresh markers without polling.

PATCH /api/admin/map/points/:id

Updates any fields of an existing recycling point. Partial updates are supported — only provide the fields you wish to change. If imagen is a new base64 data URI, it is re-uploaded to Cloudinary. Auth: Admin 
PATCH /api/admin/map/points/:id
Authorization: Bearer <token>
Content-Type: application/json
Path parameterTypeDescription
idstringMongoDB ObjectId of the point to update.
nombre
string
Updated display name.
tipo
string
Updated type. Same enum as POST.
lat
number
Updated latitude.
lng
number
Updated longitude.
descripcion
string
Updated description.
imagen
string
New base64 data URI or Cloudinary URL.
activo
boolean
Updated active state.
visibleToUser
boolean
Updated user-visibility flag.
success
boolean
true on success.
punto
object
The updated PuntoReciclaje document (returned with { new: true }).

DELETE /api/admin/map/points/:id

Permanently removes a recycling point from the database and triggers a live map:updated event for all connected clients. Auth: Admin 
DELETE /api/admin/map/points/:id
Authorization: Bearer <token>
Path parameterTypeDescription
idstringMongoDB ObjectId of the point to delete.
success
boolean
true on success.
mensaje
string
"Punto eliminado correctamente".

PATCH /api/admin/map/points/:id/toggle

Flips the activo boolean of a recycling point (active → inactive or inactive → active) without requiring the full point object in the request body. Emits map:updated in real time. Auth: Admin 
PATCH /api/admin/map/points/:id/toggle
Authorization: Bearer <token>
Path parameterTypeDescription
idstringMongoDB ObjectId of the point to toggle.
success
boolean
true on success.
punto
object
The updated PuntoReciclaje document with the new activo state reflected.
Use this endpoint instead of PATCH /map/points/:id when you only need to show or hide a point — it avoids sending the entire point payload and is therefore faster for bulk toggling operations.

Build docs developers (and LLMs) love

Get started for freeTalk to us