User Account
The /api/users/* (non-admin) endpoints support self-service account flows that don't require an active session — most notably password recovery — plus the read-only avatar lookup. The contrast with Self is intentional: Self endpoints act on the authenticated user, while these endpoints are used during sign-in problems or before a session exists.
For admin-driven user management (create, list, modify any user, set arbitrary avatars), see Admin › Users.
Scopes
| Scope | Reach |
|---|---|
| (none) | Verifying a recovery token, changing a password with a valid token, fetching an avatar. |
| admin | Triggering password recovery on behalf of a user (sends the recovery email). |
Endpoints
Recover Password
POST /api/users/password-recovery
Initiates the password-recovery flow for a user, typically by emailing them a recovery token. This is the admin/operator-facing entry point; for the user-facing redemption side, see Change Password.
Required scope: admin
Request body — PasswordRecovery (application/json)
Response 200 — confirmation payload (no token is returned in the response body; the token is delivered out-of-band, typically via email).
Verify Recovery Token
POST /api/users/verify-recovery-token
Checks whether a recovery token (received via email) is still valid before prompting the user to type a new password. Useful for showing a "this link has expired" message early in the flow.
Required scope: none
Request body — TokenRequest (application/json)
Response 200 — verification result.
Change Password
POST /api/users/change-password
Resets the password for the user identified by a valid recovery token. The user-facing redemption step of the recovery flow.
Required scope: none
Request body — PasswordReset (application/json) — the token plus the new password.
Response 200 — confirmation payload.
TIP
A successful password change does not invalidate the user's existing sessions; they remain valid until explicitly revoked. To force a sign-out everywhere (for example after a suspected account compromise), follow the change with DELETE /api/admin/sessions/{id} for each of the user's active sessions, or build a UX that lets the user do it themselves from the list returned by GET /api/self/sessions.
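The recovery flow above (trigger, verify, redeem) followed by the session revocation the TIP recommends, as an added example that is not part of this documentation or the project's own client. It assumes the request-body field names `email`, `token` and `new_password`, the response shapes, the failure status codes and a 15-minute token lifetime, none of which this page specifies; the HTTP layer is replaced by an in-memory fake server (`FakeUserService`, constructed here) so the example runs offline.

```python
import secrets
import time


class FakeUserService:
    """In-memory stand-in for the server side, constructed for this example.
    Response shapes and error codes (400/401/403) are this fake's choice, not
    documented behaviour of the real API. Session ids double as bearer tokens."""
    TOKEN_TTL = 15 * 60  # assumed recovery-token lifetime in seconds

    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {"u-1": {"email": "alice@example.test", "password": "old-pw"}}
        self.sessions = {"s-1": "u-1", "s-2": "u-1"}  # session id -> user id
        self.recovery_tokens = {}                      # token -> (user id, expiry)
        self.mailbox = []                              # out-of-band token delivery
        self.admin_token = "admin-secret"              # constructed credential

    def __call__(self, method, path, body, bearer):
        if (method, path) == ("POST", "/api/users/password-recovery"):
            if bearer != self.admin_token:
                return 403, {"error": "admin scope required"}
            uid = next((u for u, r in self.users.items() if r["email"] == body["email"]), None)
            if uid:  # unknown addresses still get 200, so the endpoint does not enumerate users
                token = secrets.token_urlsafe(32)
                self.recovery_tokens[token] = (uid, self.clock() + self.TOKEN_TTL)
                self.mailbox.append({"to": body["email"], "token": token})
            return 200, {"status": "recovery initiated"}
        if (method, path) == ("POST", "/api/users/verify-recovery-token"):
            return 200, {"valid": self._lookup(body["token"]) is not None}
        if (method, path) == ("POST", "/api/users/change-password"):
            uid = self._lookup(body["token"])
            if uid is None:
                return 400, {"error": "invalid or expired token"}
            self.users[uid]["password"] = body["new_password"]
            del self.recovery_tokens[body["token"]]  # tokens are single use
            return 200, {"status": "password changed"}
        if (method, path) == ("GET", "/api/self/sessions"):
            uid = self.sessions.get(bearer)
            if uid is None:
                return 401, {"error": "no session"}
            return 200, {"sessions": [s for s, u in self.sessions.items() if u == uid]}
        if method == "DELETE" and path.startswith("/api/admin/sessions/"):
            if bearer != self.admin_token:
                return 403, {"error": "admin scope required"}
            self.sessions.pop(path.rsplit("/", 1)[1], None)
            return 200, {"status": "revoked"}
        return 404, {"error": "unknown endpoint"}

    def _lookup(self, token):
        entry = self.recovery_tokens.get(token)
        if entry is None or entry[1] < self.clock():
            return None
        return entry[0]


class UserAccountClient:
    """Thin wrapper over the endpoints; `transport(method, path, body, bearer)`
    returns (status, json) and can be swapped for a real HTTP call."""

    def __init__(self, transport):
        self._send = transport

    def recover_password(self, email, admin_token):  # admin scope; token goes out-of-band
        return self._send("POST", "/api/users/password-recovery", {"email": email}, admin_token)

    def verify_recovery_token(self, token):
        return self._send("POST", "/api/users/verify-recovery-token", {"token": token}, None)

    def change_password(self, token, new_password):
        return self._send("POST", "/api/users/change-password",
                          {"token": token, "new_password": new_password}, None)

    def list_self_sessions(self, session_token):
        return self._send("GET", "/api/self/sessions", None, session_token)

    def delete_session(self, session_id, admin_token):
        return self._send("DELETE", f"/api/admin/sessions/{session_id}", None, admin_token)


def redeem_recovery_token(client, token, new_password):
    """Verify first so an expired link yields a clear message before the user
    types a new password; returns (ok, message)."""
    status, result = client.verify_recovery_token(token)
    if status != 200 or not result.get("valid"):
        return False, "this link has expired"
    status, result = client.change_password(token, new_password)
    return status == 200, result.get("status") or result.get("error")


def revoke_all_sessions(client, admin_token, session_ids):
    """Sessions survive a password change, so revoke each one explicitly."""
    return [sid for sid in session_ids if client.delete_session(sid, admin_token)[0] == 200]


def demo():
    server = FakeUserService()
    client = UserAccountClient(server)
    client.recover_password("alice@example.test", server.admin_token)
    token = server.mailbox[-1]["token"]  # what the user copies out of the email
    ok, msg = redeem_recovery_token(client, token, "new-pw")
    _, listed = client.list_self_sessions("s-1")  # still valid after the change
    revoked = revoke_all_sessions(client, server.admin_token, listed["sessions"])
    replay_ok, replay_msg = redeem_recovery_token(client, token, "again")  # single use
    return {"reset": ok, "message": msg, "revoked": revoked, "replay": replay_ok,
            "replay_message": replay_msg, "password": server.users["u-1"]["password"]}


if __name__ == "__main__":
    print(demo())
```

`demo()` shows the two properties a defender cares about at this step: the old session `s-1` still lists sessions after the reset (hence the explicit revocation), and a second redemption of the same token is refused. Swapping `FakeUserService` for a function that performs real HTTP requests leaves the client and flow code unchanged.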
Get User Avatar
GET /api/users/{id}/avatar
Fetches a user's avatar by ID. Available only when the platform is running in development or debug mode — production deployments serve avatars through cached static URLs instead.
Required scope: none
Path parameters
| Name | Type | Required | Description |
|---|---|---|---|
| id | string | yes | User's ID. |
Response 200 — the avatar image bytes (or a redirect to its storage URL, depending on the deployment).
See also
- Self — endpoints for the currently authenticated user.
- Admin › Users — admin-only user management (create, delete, unlock, set avatars on any user).
- Authentication — sign-in flows including Google OAuth.
