This document describes the user profile and organization management endpoints added to the CodeQual API.
All endpoints require Bearer token authentication. Include the token in the `Authorization` header:

```
Authorization: Bearer <access_token>
```
### GET /api/users/profile

Returns the current user's profile including organization memberships.

Response:

```json
{
  "profile": {
    "id": "uuid",
    "user_id": "uuid",
    "email": "user@example.com",
    "full_name": "John Doe",
    "avatar_url": "https://...",
    "bio": "Software engineer",
    "location": "San Francisco",
    "website": "https://example.com",
    "company": "ACME Corp",
    "preferred_language": "en",
    "theme": "light",
    "email_notifications": true,
    "organizations": {...},
    "memberships": [...]
  }
}
```

### PUT /api/users/profile

Updates the user's profile information.
Request Body:

```json
{
  "full_name": "John Doe",
  "bio": "Senior Software Engineer",
  "location": "San Francisco, CA",
  "website": "https://johndoe.com",
  "company": "ACME Corp"
}
```

### POST /api/users/avatar

Uploads a new avatar image. Use `multipart/form-data` with the field name `avatar`.
Supported formats: JPEG, PNG, GIF, WebP

Max size: 5MB

### PATCH /api/users/settings

Updates user preferences and settings.
Request Body:

```json
{
  "preferred_language": "en",
  "theme": "dark",
  "email_notifications": false
}
```

### DELETE /api/users/account

Permanently deletes the user account. Requires confirmation.
Request Body:

```json
{
  "confirmation": "DELETE_MY_ACCOUNT"
}
```

### GET /api/users/repositories?provider=github

Returns the user's accessible repositories.

Query Parameters:

- `provider` (optional): Filter by provider (`github`, `gitlab`)
### POST /api/organizations

Creates a new organization.

Request Body:

```json
{
  "name": "My Organization",
  "slug": "my-org",
  "allowed_email_domains": ["example.com"]
}
```

### GET /api/organizations

Returns all organizations the user is a member of.

### GET /api/organizations/:organizationId

Returns detailed information about an organization.

### PUT /api/organizations/:organizationId

Updates organization settings. Requires admin permissions.
Request Body:

```json
{
  "name": "Updated Organization Name",
  "allowed_email_domains": ["example.com", "company.com"],
  "github_org_name": "my-github-org",
  "gitlab_group_name": "my-gitlab-group"
}
```

### GET /api/organizations/:organizationId/members

Returns all members of an organization.

### POST /api/organizations/:organizationId/members

Invites a new member to the organization. Requires admin permissions.
Request Body:

```json
{
  "email": "newmember@example.com",
  "role": "member"
}
```

Roles: `owner`, `admin`, `member`

### PUT /api/organizations/:organizationId/members/:userId

Updates a member's role and permissions. Requires admin permissions.
Request Body:

```json
{
  "role": "admin",
  "can_manage_billing": false,
  "can_manage_members": true,
  "can_manage_settings": true
}
```

### DELETE /api/organizations/:organizationId/members/:userId

Removes a member from the organization. Requires admin permissions.

### POST /api/organizations/:organizationId/leave

Allows a member to leave an organization.
All endpoints return standard error responses:

```json
{
  "error": "Error message"
}
```

Common status codes:

- 400: Bad Request (validation errors)
- 401: Unauthorized (invalid/missing token)
- 403: Forbidden (insufficient permissions)
- 404: Not Found
- 500: Internal Server Error
Notes:

- Magic Link Authentication: Because sign-in uses Magic Links, no password reset or email verification endpoints are needed.
- Avatar Storage: Avatar images are stored in Supabase Storage buckets.
- Organization Ownership: Organization owners cannot be removed or have their role changed. Ownership must be transferred first.
- Rate Limiting: These endpoints inherit the global rate limiting configured for the API.
- RBAC: Role-based access control is enforced at both the database level (row-level security, RLS) and the API level.
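The member-management rules above (admin permissions required for PUT/DELETE on `members/:userId`, owners never removed or re-roled) are the kind of check the API layer must make before touching the database. The following is an added example of that authorization decision, not CodeQual's own code; the `Membership` model, the reading of "admin permissions" as owner/admin role or the `can_manage_members` flag, and the rules about assigning `owner` and self-removal are assumptions, and both memberships are assumed to belong to the same organization.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

ROLES = ("owner", "admin", "member")  # the roles listed on the page


@dataclass(frozen=True)
class Membership:
    """One row of an organization's membership list (constructed model)."""
    user_id: str
    role: str
    can_manage_members: bool = False  # flag from PUT .../members/:userId


def can_administer_members(actor: Membership) -> bool:
    # Assumption: "admin permissions" means role owner or admin, or the
    # explicit can_manage_members grant; the page does not define it further.
    return actor.role in ("owner", "admin") or actor.can_manage_members


def authorize_member_change(actor: Membership, target: Membership,
                            new_role: Optional[str]) -> Tuple[bool, str]:
    """Decide whether `actor` may set `target`'s role to `new_role` (PUT)
    or remove `target` when `new_role` is None (DELETE).
    Returns (allowed, reason); the reason names the status code the page lists."""
    # Validate input before authorization so a bad role is a 400, not a 403.
    if new_role is not None and new_role not in ROLES:
        return False, "400 Bad Request: unknown role"
    # Deny by default: only members with admin permissions may proceed.
    if not can_administer_members(actor):
        return False, "403 Forbidden: insufficient permissions"
    # Page rule: owners cannot be removed or have their role changed.
    if target.role == "owner":
        return False, "403 Forbidden: owner must transfer ownership first"
    # Assumption: ownership is transferred elsewhere, never assigned via PUT.
    if new_role == "owner":
        return False, "403 Forbidden: use ownership transfer"
    # Assumption: self-removal goes through POST .../leave, not DELETE.
    if new_role is None and actor.user_id == target.user_id:
        return False, "400 Bad Request: use the leave endpoint"
    return True, "ok"
```

Because RLS also enforces these rules in the database, a bug in this layer should surface as a database-side denial rather than a silent privilege change, which is worth asserting in integration tests.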