Overview

The Account API handles user registration, login, profile management, and password operations.

Registration

Register New User

Create a new user account.

POST /api/account/register

Rate limited. May require captcha verification and email confirmation based on platform settings.
  • userName (string, required): Unique username (3-15 characters)
  • email (string, required): Valid email address
  • password (string, required): User password (may require encryption)
{
  "userName": "newuser",
  "email": "[email protected]",
  "password": "encrypted_password_string"
}
Email domain restrictions may apply. Check platform configuration for allowed domains.

Verify Email

Confirm email address using verification token.

POST /api/account/verify

  • email (string, required): Base64-encoded email address
  • token (string, required): Base64-encoded verification token from email
{
  "email": "bmV3dXNlckBleGFtcGxlLmNvbQ==",
  "token": "dmVyaWZpY2F0aW9uX3Rva2VuX2hlcmU="
}
After successful verification, the user is automatically logged in.

Authentication

See the Authentication page for detailed login and logout procedures.

Profile Management

Get Profile

Retrieve current user’s profile information.

GET /api/account/profile

Requires User authentication.
{
  "id": "user-guid",
  "userName": "currentuser",
  "email": "[email protected]",
  "bio": "CTF enthusiast",
  "phone": "+1234567890",
  "realName": "John Doe",
  "stdNumber": "STU12345",
  "avatar": "/assets/avatars/user123.jpg",
  "role": "User",
  "emailConfirmed": true,
  "registerTimeUtc": "2025-01-15T10:00:00Z",
  "lastSignedInUtc": "2026-03-01T08:00:00Z",
  "lastVisitedUtc": "2026-03-01T12:00:00Z"
}

Update Profile

Update user information.

PUT /api/account/update

  • userName (string): New username
  • bio (string): User bio/description
  • phone (string): Phone number
  • realName (string): Real name
  • stdNumber (string): Student number or identifier
{
  "userName": "newusername",
  "bio": "Updated bio text",
  "phone": "+1987654321"
}
Changing username may be restricted based on platform policy.

Update Avatar

Upload a new profile avatar.

PUT /api/account/avatar

  • file (file, required): Image file (max 3MB, automatically resized to 300x300)
"/assets/avatars/newavatar123.jpg"

Password Management

Change Password

Update account password (requires current password).

PUT /api/account/changepassword

  • old (string, required): Current password (encrypted)
  • new (string, required): New password (encrypted)
{
  "old": "encrypted_old_password",
  "new": "encrypted_new_password"
}

Request Password Reset

Request a password reset email.

POST /api/account/recovery

Rate limited. May require captcha verification.
  • email (string, required): Registered email address
{
  "email": "[email protected]"
}

Reset Password

Reset password using email token.

POST /api/account/passwordreset

  • email (string, required): Base64-encoded email address
  • rToken (string, required): Base64-encoded reset token from email
  • password (string, required): New password (encrypted)
{
  "email": "dXNlckBleGFtcGxlLmNvbQ==",
  "rToken": "cmVzZXRfdG9rZW5faGVyZQ==",
  "password": "encrypted_new_password"
}

Email Management

Change Email

Request email address change.

PUT /api/account/changeemail

Rate limited. Requires email verification for the new address.
  • newMail (string, required): New email address
{
  "newMail": "[email protected]"
}
Email domain restrictions apply. The new email must be from an allowed domain.

Confirm Email Change

Confirm new email address using verification token.

POST /api/account/mailchangeconfirm

  • email (string, required): Base64-encoded new email address
  • token (string, required): Base64-encoded verification token
{
  "email": "bmV3ZW1haWxAZXhhbXBsZS5jb20=",
  "token": "Y2hhbmdlX2VtYWlsX3Rva2Vu"
}
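
The three token-confirmation bodies above (Verify Email, Reset Password, Confirm Email Change) differ only in the token field name and the extra password field. The sketch below is an added example, not the platform's own client code; it assumes UTF-8 text and standard padded Base64, which matches the sample values on this page, and the helper names are hypothetical.

```python
from __future__ import annotations

import base64
import binascii
import json

# Endpoint path -> name of the token field, as listed on this page.
TOKEN_FIELD = {
    "/api/account/verify": "token",
    "/api/account/passwordreset": "rToken",
    "/api/account/mailchangeconfirm": "token",
}


def b64(text: str) -> str:
    """Standard-alphabet, padded Base64 of the UTF-8 bytes (assumed encoding)."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def unb64(value: str) -> str:
    """Strict decode: reject characters outside the Base64 alphabet."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"not valid Base64 text: {value!r}") from exc


def build_body(path: str, email: str, token: str, password: str | None = None) -> dict:
    """Build the JSON body for one of the three token-confirmation endpoints."""
    if path not in TOKEN_FIELD:
        raise ValueError(f"unknown endpoint: {path}")
    body = {"email": b64(email), TOKEN_FIELD[path]: b64(token)}
    if path == "/api/account/passwordreset":
        if not password:
            raise ValueError("passwordreset requires the new password")
        # Passed through unchanged; the caller encrypts it when ApiEncryption is on.
        body["password"] = password
    elif password is not None:
        raise ValueError("only passwordreset carries a password")
    return body


def decode_body(path: str, body: dict) -> tuple[str, str]:
    """Recover (email, token) from a body; Base64 hides nothing from a log reader."""
    return unb64(body["email"]), unb64(body[TOKEN_FIELD[path]])


if __name__ == "__main__":
    # Constructed sample values, matching the decoded examples on this page.
    sample = build_body("/api/account/verify", "newuser@example.com", "verification_token_here")
    print(json.dumps(sample, indent=2))
    print(decode_body("/api/account/verify", sample))
```

Base64 is reversible by anyone, so request bodies captured in logs or proxies expose the email address and the token as if they were plaintext.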

Configuration Notes

When EmailConfirmationRequired is enabled:
  • Registration sends verification email
  • Users cannot log in until email is confirmed
  • Email URL format: /account/verify?token={token}&email={email}
When ActiveOnRegister is disabled and EmailConfirmationRequired is disabled:
  • New accounts require manual admin approval
  • Users cannot log in until approved
  • Admins must change status via /api/admin/users/{id}
If the platform has ApiEncryption enabled:
  • All password fields must be encrypted client-side
  • Use the platform’s public key for encryption
  • Check /api/admin/config for encryption status
Platform may restrict registration to specific email domains:
  • Configured via EmailDomainList in account policy
  • Format: comma-separated list (e.g., “edu,org.edu”)
  • Empty list allows all domains

Development Mode

In development mode, verification and reset links are logged instead of sent via email. Check server logs for tokens.
