Self
The /api/self/* endpoints expose the currently authenticated user — their profile, avatar, and active sessions. These are the calls a client makes "for me" rather than "for some user by ID" (the latter live under Admin › Users).
Any authenticated user can read their own profile and manage their own sessions without a special scope. Mutating the profile (updating fields, uploading an avatar, or self-deleting) requires the self:write scope.
Scopes
| Scope | Reach |
|---|---|
| (none) | Reading own profile and sessions, logging out a session. |
| self:write | Editing the profile, uploading/deleting the avatar, deleting the account itself. |
See Scopes › Self for the full breakdown.
Endpoints
Read Self
GET /api/self
Returns the profile of the currently authenticated user.
Required scope: none
Response 200 — SelfRead
Replace Self
PUT /api/self
Replaces the authenticated user's profile with the supplied payload. Any omitted field is reset to its default. Use Update Self for partial updates.
Required scope: self:write
Request body — SelfWriteReplace (application/json)
Response 200 — SelfRead
Update Self
PATCH /api/self
Partially updates the authenticated user's profile. Only fields included in the payload are changed.
Required scope: self:write
Request body — SelfWriteUpdate (application/json)
Response 200 — SelfRead
Delete Self (Commit Suicide)
DELETE /api/self
Deletes the authenticated user's account. This is irreversible and ends every active session for the user.
Required scope: self:write
Response 200 — empty payload.
WARNING
This is a destructive, self-service endpoint. Once invoked, the account, sessions, and any owned data subject to cascade deletion are removed. There is no undo.
Upload Avatar
POST /api/self/avatar
Uploads or replaces the authenticated user's avatar image.
Required scope: self:write
Request body — Body_Self-upload_avatar (multipart/form-data) — submit the image bytes as a single file field.
Response 200 — empty payload.
Delete Avatar
DELETE /api/self/avatar
Removes the authenticated user's avatar (the profile falls back to whatever default the tenant defines).
Required scope: self:write
Response 200 — empty payload.
Get Self Sessions
GET /api/self/sessions
Lists every active session for the authenticated user — useful for "where am I signed in" account-security UIs.
Required scope: none
Response 200 — list of session records.
Delete Self Session
DELETE /api/self/sessions/{id}
Revokes a specific session (sign out that device). Revoking the current session has the same effect as calling GET /api/logout.
Required scope: none
Path parameters
| Name | Type | Required | Description |
|---|---|---|---|
| id | string | yes | Session ID to revoke. |
Response 200 — empty payload.
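The two points on this page that most often trip up client code are the Replace/Update distinction (a PUT silently resets every field the payload omits, a PATCH touches only what is sent) and the session-management flow (list sessions, then revoke everything except the session the caller is using). The following is an added example, not code from this reference or the project's own client library. It wraps the endpoints above in a small client and runs it against a constructed in-memory stand-in for the server so it executes offline; the `Authorization: Bearer` header scheme, the profile field names and defaults, the session record shape, and the `example.invalid` host are all assumptions made for the demo, not part of the documented schema.

```python
"""Added example: minimal client for the /api/self endpoints plus a constructed
in-memory server stand-in, so the PUT-vs-PATCH and session-revocation behaviour
described on the page can be exercised without a network."""
from typing import Any, Callable, Dict, Optional, Tuple
from urllib.parse import urlsplit

# transport(method, url, headers, json_body) -> (status, decoded_payload)
Transport = Callable[[str, str, Dict[str, str], Optional[dict]], Tuple[int, Any]]


class SelfClient:
    """Thin wrapper over GET/PUT/PATCH /api/self and the /api/self/sessions calls."""

    def __init__(self, base_url: str, token: str, transport: Transport):
        self.base_url = base_url.rstrip("/")
        self.token = token            # access token obtained per the Authentication page
        self.transport = transport

    def _call(self, method: str, path: str, body: Optional[dict] = None) -> Any:
        # Bearer header is an assumption; this page does not state the token scheme.
        headers = {"Authorization": f"Bearer {self.token}", "Accept": "application/json"}
        if body is not None:
            headers["Content-Type"] = "application/json"
        status, payload = self.transport(method, self.base_url + path, headers, body)
        if status != 200:
            raise RuntimeError(f"{method} {path} -> HTTP {status}")
        return payload

    def read(self) -> dict:
        return self._call("GET", "/api/self")

    def replace(self, profile: dict) -> dict:      # PUT: omitted fields reset
        return self._call("PUT", "/api/self", profile)

    def update(self, fields: dict) -> dict:        # PATCH: only sent fields change
        return self._call("PATCH", "/api/self", fields)

    def sessions(self) -> list:
        return self._call("GET", "/api/self/sessions")

    def revoke_session(self, session_id: str) -> None:
        self._call("DELETE", f"/api/self/sessions/{session_id}")

    def sign_out_other_devices(self, current_session_id: str) -> list:
        """Revoke every session except the caller's own; return the revoked IDs."""
        revoked = []
        for session in self.sessions():
            if session["id"] != current_session_id:
                self.revoke_session(session["id"])
                revoked.append(session["id"])
        return revoked


class FakeSelfServer:
    """Constructed stand-in for the API. Field names, defaults and session records
    are invented for the demo; only the routes, scopes and status codes follow the page."""

    DEFAULTS = {"display_name": "", "locale": "en", "timezone": "UTC"}
    WRITE_SCOPE = "self:write"

    def __init__(self, token: str, scopes: set):
        self.token, self.scopes = token, set(scopes)
        self.profile = {"display_name": "Ada", "locale": "en", "timezone": "Europe/London"}
        self.sessions = {sid: {"id": sid, "device": dev} for sid, dev in
                         (("s-1", "laptop"), ("s-2", "phone"), ("s-3", "tablet"))}

    def __call__(self, method: str, url: str, headers: Dict[str, str], body: Optional[dict]):
        if headers.get("Authorization") != f"Bearer {self.token}":
            return 401, None                       # not authenticated at all
        path = urlsplit(url).path
        if path == "/api/self":
            if method == "GET":
                return 200, dict(self.profile)     # reading needs no scope
            if self.WRITE_SCOPE not in self.scopes:
                return 403, None                   # mutation requires self:write
            if method == "PUT":                    # replace: defaults fill the gaps
                self.profile = {**self.DEFAULTS, **(body or {})}
                return 200, dict(self.profile)
            if method == "PATCH":                  # update: merge only what was sent
                self.profile.update(body or {})
                return 200, dict(self.profile)
        if path == "/api/self/sessions" and method == "GET":
            return 200, list(self.sessions.values())
        if path.startswith("/api/self/sessions/") and method == "DELETE":
            if self.sessions.pop(path.rsplit("/", 1)[1], None) is None:
                return 404, None
            return 200, None                       # empty payload on success
        return 404, None


def write_allowed(client: SelfClient) -> bool:
    """True if the client's token carries self:write (an empty PATCH is harmless)."""
    try:
        client.update({})
        return True
    except RuntimeError:
        return False


def demo() -> dict:
    server = FakeSelfServer(token="tok-demo", scopes={"self:write"})
    client = SelfClient("https://example.invalid", "tok-demo", server)
    after_patch = client.update({"display_name": "Ada L."})["timezone"]   # kept
    after_put = client.replace({"display_name": "Ada L."})["timezone"]    # reset
    revoked = client.sign_out_other_devices(current_session_id="s-1")
    remaining = [s["id"] for s in client.sessions()]
    return {"after_patch": after_patch, "after_put": after_put,
            "revoked": revoked, "remaining": remaining}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the same payload leaving the timezone intact through PATCH but reset to the default through PUT, which is why a profile editor that only knows a subset of fields should use Update Self rather than Replace Self. The `sign_out_other_devices` helper fetches the session list first and iterates over that snapshot, so revoking entries while walking the list is safe, and it never revokes the caller's own session (which, per the page, would behave like a logout).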
See also
- Authentication — how to obtain the access token used by these endpoints.
- User Account — password recovery and verification endpoints (also self-service).
- Admin › Sessions — admin-only view of every user's sessions.
- Admin › Users — admin-only management of any user record.
