User Management
GET /admin-users
Returns a paginated list of users. The result can be filtered, searched, and ordered, and includes role assignments and lock information where applicable.
This endpoint requires authentication via a refresh token stored in cookies and the appropriate permission.
| Cookie Name | Required | Description |
|---|---|---|
| refreshToken | Yes | Refresh token used to authenticate |
Required Permission: view-users
| Parameter | Type | Required | Description |
|---|---|---|---|
| order | string | No | Sort order for users (see supported values below) |
| limit | number | No | Maximum number of users to return |
| offset | number | No | Number of users to skip (for pagination) |
| search | string | No | Search term applied to usernames |
| role | string | No | Filter users by role identifier |
name-asc(default)name-descregistered-ascregistered-desc
200 OK
Returned when the users are retrieved successfully.
{
"users": [
{
"id": "number",
"slug": "string",
"username": "string",
"age_verified": "boolean",
"profile_image": "string",
"registered": "string",
"roles": [
{
"id": "number",
"name": "string",
"description": "string"
}
],
"lock": {
"id": "number",
"username": "string"
} | null
}
],
"max": "number",
"from": "number",
"to": "number"
}
Models used
User Model
Role Model
GET /admin-users/id/:id
Returns detailed information for a specific user, including assigned roles and current login status.
This endpoint requires authentication via a refresh token stored in cookies and the appropriate permission.
| Cookie Name | Required | Description |
|---|---|---|
| refreshToken | Yes | Refresh token used to authenticate |
Required Permission: view-users
| Parameter | Type | Required | Description |
|---|---|---|---|
| id | string | Yes | Identifier of the user |
200 OK
Returned when the user is retrieved successfully.
{
"id": "number",
"slug": "string",
"username": "string",
"profile_image": "string | null",
"registered": "string",
"age_verified": "boolean",
"logged_in": "boolean",
"roles": [
{
"id": "number",
"name": "string",
"description": "string | null"
}
]
}
Models used
User Model
Role Model
400 Bad Request
Returned when required parameters are missing.
{
"data": "Required parameters missing",
"code": 400
}
Models used
Response Model
404 Not Found
Returned when the authenticated user or the requested user cannot be found.
{
"data": "User not found",
"code": 404
}
Models used
Response Model
POST /admin-users/edit/:id
Updates an existing user’s basic information and role assignments.
This endpoint requires authentication via a refresh token stored in cookies and the appropriate permission.
| Cookie Name | Required | Description |
|---|---|---|
| refreshToken | Yes | Refresh token used to authenticate |
Required Permission: edit-users
| Parameter | Type | Required | Description |
|---|---|---|---|
| id | string | Yes | Identifier of the user |
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| username | string | Yes | — | Updated username |
| age_verified | boolean | No | false |
Whether the user is age verified |
| added_roles | array | No | [] |
List of role IDs to assign to the user |
| removed_roles | array | No | [] |
List of role IDs to remove from the user |
200 OK
Returned when the user is updated successfully.
{
"data": "User edited successfully",
"code": 200
}
Models used
Response Model
400 Bad Request
Returned when required parameters are missing.
{
"data": "Required parameters missing",
"code": 400
}
Models used
Response Model
404 Not Found
Returned when the authenticated user cannot be found.
{
"data": "User not found",
"code": 404
}
Models used
Response Model
409 Conflict
Returned when the specified username is already taken.
{
"data": "Username already taken",
"code": 409
}
Models used
Response Model
500 Internal Server Error
Returned when an unexpected error occurs while editing the user.
{
"data": "Internal server error",
"code": 500
}
Models used
Response Model
DELETE /admin-users/delete/:id
Deletes a user and all associated data from the system. This operation is irreversible.
This endpoint requires authentication via a refresh token stored in cookies and the appropriate permission.
| Cookie Name | Required | Description |
|---|---|---|
| refreshToken | Yes | Refresh token used to authenticate |
Required Permission: delete-users
| Parameter | Type | Required | Description |
|---|---|---|---|
| id | string | Yes | Identifier of the user |
200 OK
Returned when the user and all associated data are deleted successfully.
{
"data": "User deleted successfully",
"code": 200
}
Models used
Response Model
400 Bad Request
Returned when required parameters are missing.
{
"data": "Required parameters missing",
"code": 400
}
Models used
Response Model
404 Not Found
Returned when the authenticated admin user or the target user cannot be found.
{
"data": "User not found",
"code": 404
}
Models used
Response Model
500 Internal Server Error
Returned when an unexpected error occurs while deleting the user.
{
"data": "Internal server error",
"code": 500
}
Models used
Response Model
POST /admin-users/logout/:id
Forcibly logs out a user by invalidating their refresh token. This endpoint is typically used by administrators to terminate active user sessions.
This endpoint requires authentication via a refresh token stored in cookies and the appropriate permission.
| Cookie Name | Required | Description |
|---|---|---|
| refreshToken | Yes | Refresh token used to authenticate |
Required Permission: edit-users
| Parameter | Type | Required | Description |
|---|---|---|---|
| id | string | Yes | Identifier of the user |
200 OK
Returned when the user is logged out successfully.
{
"data": "User logged out successfully",
"code": 200
}
Models used
Response Model
400 Bad Request
Returned when required parameters are missing.
{
"data": "Required parameters missing",
"code": 400
}
Models used
Response Model
404 Not Found
Returned when the authenticated admin user or the target user cannot be found.
{
"data": "User not found",
"code": 404
}
Models used
Response Model
500 Internal Server Error
Returned when an unexpected error occurs while logging out the user.
{
"data": "Internal server error",
"code": 500
}
Models used
Response Model
POST /admin-users/update-image/:id
Updates the profile image of a user. This endpoint is intended for administrative use and allows updating the profile image of any user.
This endpoint requires authentication via a refresh token stored in cookies and the appropriate permission.
| Cookie Name | Required | Description |
|---|---|---|
| refreshToken | Yes | Refresh token used to authenticate |
Required Permission: edit-users
| Parameter | Type | Required | Description |
|---|---|---|---|
| id | string | Yes | Identifier of the user |
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| image | string | Yes | — | Base64-encoded image data |
The image must be provided as a Base64-encoded string (data URL format supported).
200 OK
Returned when the profile image is updated successfully.
{
"data": "Profile image updated successfully",
"code": 200
}
Models used
Response Model
400 Bad Request
Returned when required parameters are missing.
{
"data": "Required parameters missing",
"code": 400
}
Models used
Response Model
404 Not Found
Returned when the authenticated user cannot be found.
{
"data": "User not found",
"code": 404
}
Models used
Response Model
500 Internal Server Error
Returned when an unexpected error occurs while updating the profile image.
{
"data": "Internal server error",
"code": 500
}
Models used
Response Model
503 Service Unavailable
Returned when the current service is not configured to handle file operations (When API is called with this route).
{
"data": "This service is not handling file uploads.",
"code": 503
}
Models used
Response Model
DELETE /admin-users/delete-image/:id
Deletes the profile image of a user. This administrative endpoint allows removing profile images for any user.
This endpoint requires authentication via a refresh token stored in cookies and the appropriate permission.
| Cookie Name | Required | Description |
|---|---|---|
| refreshToken | Yes | Refresh token used to authenticate |
Required Permission: edit-users
| Parameter | Type | Required | Description |
|---|---|---|---|
| id | string | Yes | Identifier of the user |
200 OK
Returned when the profile image is deleted successfully.
{
"data": "Profile image deleted successfully",
"code": 200
}
Models used
Response Model
400 Bad Request
Returned when required parameters are missing.
{
"data": "Required parameters missing",
"code": 400
}
Models used
Response Model
404 Not Found
Returned when the authenticated user cannot be found.
{
"data": "User not found",
"code": 404
}
Models used
Response Model
500 Internal Server Error
Returned when the user has no profile image or an unexpected error occurs.
{
"data": "Internal server error",
"code": 500
}
Models used
Response Model
503 Service Unavailable
Returned when the current service is not configured to handle file operations (When API is called with this route).
{
"data": "This service is not handling file uploads.",
"code": 503
}
Models used
Response Model
— Roles —
GET /admin-roles
Returns a list of all roles in the system, including the number of permissions and users associated with each role.
This endpoint requires authentication via a refresh token stored in cookies and the appropriate permission.
| Cookie Name | Required | Description |
|---|---|---|
| refreshToken | Yes | Refresh token used to authenticate |
Required Permission: view-roles
200 OK
Returned when the roles are retrieved successfully.
[
{
"id": "number",
"name": "string",
"description": "string | null",
"permission_count": "number",
"user_count": "number"
}
]
Models used
Role Model
GET /admin-roles/id/:id
Returns detailed information for a specific role, including all permissions assigned to that role.
This endpoint requires authentication via a refresh token stored in cookies and the appropriate permission.
| Cookie Name | Required | Description |
|---|---|---|
| refreshToken | Yes | Refresh token used to authenticate |
Required Permission: view-roles
| Parameter | Type | Required | Description |
|---|---|---|---|
| id | string | Yes | Identifier of the role |
200 OK
Returned when the role is retrieved successfully.
{
"id": "number",
"name": "string",
"description": "string",
"is_default": "number",
"permissions": [
{
/* Permission data */
}
]
}
Models used
Role Model
Permission Model
400 Bad Request
Returned when required parameters are missing.
{
"data": "Required parameters missing",
"code": 400
}
Models used
Response Model
404 Not Found
Returned when the specified role cannot be found.
{
"data": "Role not found",
"code": 404
}
Models used
Response Model
POST /admin-roles/edit/:id
Updates an existing role, including its name, description, and assigned permissions.
This endpoint requires authentication via a refresh token stored in cookies and the appropriate permission.
| Cookie Name | Required | Description |
|---|---|---|
| refreshToken | Yes | Refresh token used to authenticate |
Required Permission: edit-roles
| Parameter | Type | Required | Description |
|---|---|---|---|
| id | string | Yes | Identifier of the role |
| Field | Type | Required | Description |
|---|---|---|---|
| name | string | Yes | Updated role name |
| description | string | No | Updated role description |
| added_permissions | array | No | List of permission IDs to assign to the role |
| removed_permissions | array | No | List of permission IDs to remove from the role |
200 OK
Returned when the role is updated successfully.
{
"data": "Role updated successfully",
"code": 200
}
Models used
Response Model
400 Bad Request
Returned when required parameters are missing.
{
"data": "Required parameters missing",
"code": 400
}
Models used
Response Model
409 Conflict
Returned when a role with the same name already exists.
{
"data": "Role with the same name already exists",
"code": 409
}
Models used
Response Model
500 Internal Server Error
Returned when an unexpected error occurs while updating the role.
{
"data": "Internal server error",
"code": 500
}
Models used
Response Model
POST /admin-roles/add
Creates a new role in the system.
This endpoint requires authentication via a refresh token stored in cookies and the appropriate permission.
| Cookie Name | Required | Description |
|---|---|---|
| refreshToken | Yes | Refresh token used to authenticate |
Required Permission: add-roles
| Field | Type | Required | Description |
|---|---|---|---|
| name | string | Yes | Name of the new role |
| description | string | Yes | Description of the role |
200 OK
Returned when the role is added successfully.
{
"data": "Role added successfully",
"code": 200
}
Models used
Response Model
400 Bad Request
Returned when required parameters are missing.
{
"data": "Required parameters missing",
"code": 400
}
Models used
Response Model
409 Conflict
Returned when a role with the same name already exists.
{
"data": "Role with the same name already exists",
"code": 409
}
Models used
Response Model
500 Internal Server Error
Returned when an unexpected error occurs while adding the role.
{
"data": "Internal server error",
"code": 500
}
Models used
Response Model
DELETE /admin-roles/delete/:id
Deletes an existing role from the system. Users who are assigned only this role are automatically reassigned to the default role.
This endpoint requires authentication via a refresh token stored in cookies and the appropriate permission.
| Cookie Name | Required | Description |
|---|---|---|
| refreshToken | Yes | Refresh token used to authenticate |
Required Permission: delete-roles
| Parameter | Type | Required | Description |
|---|---|---|---|
| id | string | Yes | Identifier of the role |
200 OK
Returned when the role is deleted successfully.
{
"data": "Role deleted successfully",
"code": 200
}
Models used
Response Model
400 Bad Request
Returned when required parameters are missing.
{
"data": "Required parameters missing",
"code": 400
}
Models used
Response Model
405 Method Not Allowed
Returned when attempting to delete the default role.
{
"data": "Cannot delete default role",
"code": 405
}
Models used
Response Model
500 Internal Server Error
Returned when an unexpected error occurs while deleting the role or when the default role cannot be resolved.
{
"data": "Internal server error",
"code": 500
}
Models used
Response Model
— Permissions —
GET /admin-permissions
Returns a list of all permissions defined in the system.
This endpoint requires authentication via a refresh token stored in cookies and the appropriate permission.
| Cookie Name | Required | Description |
|---|---|---|
| refreshToken | Yes | Refresh token used to authenticate |
Required Permission: view-permissions
200 OK
Returned when the permissions are retrieved successfully.
[
{
"id": "number",
"name": "string",
"description": "string"
}
]
Models used
Permission Model
GET /admin-permissions/id/:id
Returns detailed information for a specific permission.
This endpoint requires authentication via a refresh token stored in cookies and the appropriate permission.
| Cookie Name | Required | Description |
|---|---|---|
| refreshToken | Yes | Refresh token used to authenticate |
Required Permission: view-permissions
| Parameter | Type | Required | Description |
|---|---|---|---|
| id | string | Yes | Identifier of the permission |
200 OK
Returned when the permission is retrieved successfully.
{
"id": "number",
"name": "string",
"description": "string"
}
Models used
Permission Model
400 Bad Request
Returned when required parameters are missing.
{
"data": "Required parameters missing",
"code": 400
}
Models used
Response Model
404 Not Found
Returned when the specified permission cannot be found.
{
"data": "Permission not found",
"code": 404
}
Models used
Response Model
POST /admin-permissions/edit/:id
Updates an existing permission, including its name and description.
This endpoint requires authentication via a refresh token stored in cookies and the appropriate permission.
| Cookie Name | Required | Description |
|---|---|---|
| refreshToken | Yes | Refresh token used to authenticate |
Required Permission: edit-permissions
| Parameter | Type | Required | Description |
|---|---|---|---|
| id | string | Yes | Identifier of the permission |
| Field | Type | Required | Description |
|---|---|---|---|
| name | string | Yes | Updated permission name |
| description | string | Yes | Updated permission description |
200 OK
Returned when the permission is updated successfully.
{
"data": "Permission updated successfully",
"code": 200
}
Models used
Response Model
400 Bad Request
Returned when required parameters are missing.
{
"data": "Required parameters missing",
"code": 400
}
Models used
Response Model
404 Not Found
Returned when the specified permission cannot be found.
{
"data": "Permission not found",
"code": 404
}
Models used
Response Model
409 Conflict
Returned when a permission with the same name already exists.
{
"data": "Permission with the same name already exists",
"code": 409
}
Models used
Response Model
500 Internal Server Error
Returned when an unexpected error occurs while updating the permission.
{
"data": "Internal server error",
"code": 500
}
Models used
Response Model
POST /admin-permissions/add
Creates a new permission in the system.
This endpoint requires authentication via a refresh token stored in cookies and the appropriate permission.
| Cookie Name | Required | Description |
|---|---|---|
| refreshToken | Yes | Refresh token used to authenticate |
Required Permission: add-permissions
| Field | Type | Required | Description |
|---|---|---|---|
| name | string | Yes | Name of the new permission |
| description | string | Yes | Description of the permission |
200 OK
Returned when the permission is added successfully.
{
"data": "Permission added successfully",
"code": 200
}
Models used
Response Model
400 Bad Request
Returned when required parameters are missing.
{
"data": "Required parameters missing",
"code": 400
}
Models used
Response Model
409 Conflict
Returned when a permission with the same name already exists.
{
"data": "Permission with the same name already exists",
"code": 409
}
Models used
Response Model
500 Internal Server Error
Returned when an unexpected error occurs while adding the permission.
{
"data": "Internal server error",
"code": 500
}
Models used
Response Model
DELETE /admin-permissions/delete/:id
Deletes an existing permission from the system. All role–permission associations for the permission are removed before deletion.
This endpoint requires authentication via a refresh token stored in cookies and the appropriate permission.
| Cookie Name | Required | Description |
|---|---|---|
| refreshToken | Yes | Refresh token used to authenticate |
Required Permission: delete-permissions
| Parameter | Type | Required | Description |
|---|---|---|---|
| id | string | Yes | Identifier of the permission |
200 OK
Returned when the permission is deleted successfully.
{
"data": "Permission deleted successfully",
"code": 200
}
Models used
Response Model
400 Bad Request
Returned when required parameters are missing.
{
"data": "Required parameters missing",
"code": 400
}
Models used
Response Model
404 Not Found
Returned when the specified permission cannot be found.
{
"data": "Permission not found",
"code": 404
}
Models used
Response Model
500 Internal Server Error
Returned when an unexpected error occurs while deleting the permission.
{
"data": "Internal server error",
"code": 500
}
Models used
Response Model