Auth guards vary by endpoint — JWT users can only access their own record. Admin key has full access.

Overview

User rows are created by the Auth module on first POST /auth/token. This module owns everything after creation: profile reads and writes, the onboarding transition, and soft-deletion. Phone number and user ID are immutable once set.

Onboarding Flow

New users start with status = onboarding. Calling POST /users/{user_id}/complete_onboarding transitions them to active and returns a fresh JWT. Required fields for complete_onboarding: first_name, last_name, dob, gender, address.

Auth Guards by Endpoint

Endpoint                                  | JWT user   | Admin key | Notes
GET /users                                | –          | ✓         | Admin only
GET /users/{user_id}                      | ✓ own only | ✓         | 403 if jwt.sub != user_id
PATCH /users/{user_id}                    | ✓ own only | ✓         | Allowed while onboarding
POST /users/{user_id}/complete_onboarding | ✓ only     | –         | No admin path
DELETE /users/{user_id}                   | –          | ✓         | Admin only
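The guard table above written out as executable logic, as an added example rather than the service's own code: the route matrix, the jwt.sub ownership rule, the complete_onboarding required fields and the UE-102 code come from this page; Principal, authorize and check_onboarding_payload are assumed names.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Principal:
    kind: str                  # "jwt" (end user) or "admin" (admin key)
    sub: Optional[str] = None  # jwt.sub for JWT callers; None for the admin key

# Access matrix from the page. "own" = a JWT caller is allowed only on its
# own record, i.e. when jwt.sub equals the {user_id} path parameter.
ACCESS = {
    ("GET", "/users"): {"admin"},
    ("GET", "/users/{user_id}"): {"own", "admin"},
    ("PATCH", "/users/{user_id}"): {"own", "admin"},
    ("POST", "/users/{user_id}/complete_onboarding"): {"own"},  # no admin path
    ("DELETE", "/users/{user_id}"): {"admin"},
}

REQUIRED_ONBOARDING = ("first_name", "last_name", "dob", "gender", "address")

def authorize(method: str, route: str, principal: Principal,
              user_id: Optional[str]) -> int:
    """Return the HTTP status the guard yields: 200 = proceed, 403 = denied,
    404 = route not in the matrix (deny by default, never fall through)."""
    rules = ACCESS.get((method, route))
    if rules is None:
        return 404
    if principal.kind == "admin":
        return 200 if "admin" in rules else 403
    if principal.kind == "jwt" and "own" in rules:
        # Ownership check: jwt.sub must match the path's user_id exactly;
        # a missing sub or missing path parameter is a denial, not a match.
        if principal.sub is not None and user_id is not None \
                and principal.sub == user_id:
            return 200
    return 403

def check_onboarding_payload(payload: dict) -> Optional[dict]:
    """Validate a complete_onboarding body. Returns None when every required
    field is present, otherwise the UE-102 validation error listing the gaps."""
    missing = [f for f in REQUIRED_ONBOARDING if f not in payload]
    if missing:
        return {"code": "UE-102", "http": 400, "missing": missing}
    return None
```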

Endpoints

GET /users

Admin only. Paginated list of all users. Filter by status.

GET /users/{user_id}

Fetch a user profile. JWT users can only fetch their own record.

PATCH /users/{user_id}

Partial profile update. Send only changed fields. Allowed while onboarding or active.

POST /users/{user_id}/complete_onboarding

Submit required fields and transition status → active. Returns fresh JWT.

DELETE /users/{user_id}

Admin only. Soft-delete a user (status → deactivated).

Request / Response Examples

curl -X POST http://localhost:8080/users/047382910564/complete_onboarding \
  -H 'Authorization: Bearer eyJhbGci...' \
  -H 'Content-Type: application/json' \
  -d '{
    "first_name": "Ravi",
    "last_name": "Kumar",
    "dob": "1990-05-15",
    "gender": "MALE",
    "address": {
      "line1": "42 MG Road",
      "city": "Bengaluru",
      "state": "Karnataka",
      "pincode": "560034",
      "country": "IN"
    }
  }'

Error Codes

Code   | HTTP | Description
UE-100 | 500  | Internal server error
UE-101 | 404  | User not found
UE-102 | 400  | Validation error
UE-103 | 500  | Encryption error