DELETE /api/admin/users/:id

Permanently delete a user account and all associated data including transactions, categories, accounts, and budgets. This action cannot be undone.
DESTRUCTIVE ACTION: This permanently deletes the user and ALL their financial data. This operation cannot be reversed. Use with extreme caution.

Authentication

This endpoint requires:
  1. Valid JWT token in the Authorization header
  2. User must have ADMIN role
Authorization: Bearer <admin-token>

Path Parameters

id (string, required): UUID of the user to delete

Response

Returns a success message.
message (string): Confirmation message

Example Request

cURL
curl -X DELETE http://localhost:3000/api/admin/users/user-uuid-123 \
  -H "Authorization: Bearer <admin-token>"
JavaScript
// adminToken holds the admin's JWT obtained at login
const userId = 'user-uuid-123';
const response = await fetch(`http://localhost:3000/api/admin/users/${userId}`, {
  method: 'DELETE',
  headers: {
    'Authorization': `Bearer ${adminToken}`
  }
});

// 401, 403, 404 and 400 all come back as JSON error bodies (see Error Responses)
const result = await response.json();
if (!response.ok) {
  throw new Error(`Delete failed (${response.status}): ${result.message}`);
}

Example Response

{
  "message": "User and all associated data deleted successfully"
}

Data Cascade

When a user is deleted, the following data is also permanently removed:
  • Email, name, preferences
  • Authentication credentials
  • Avatar and contact information
  • All transactions (income, expenses, transfers)
  • All categories (including custom categories)
  • All accounts (wallets, savings, investments)
  • All budgets and spending targets

Error Responses

{
  "statusCode": 403,
  "message": "Forbidden resource"
}
User does not have ADMIN role.
{
  "statusCode": 404,
  "message": "User not found"
}
No user exists with the given id.
{
  "statusCode": 400,
  "message": "Cannot delete admin users"
}
Some implementations may prevent deletion of admin accounts.
{
  "statusCode": 401,
  "message": "Unauthorized"
}
Missing or invalid JWT token.

Best Practices

Confirm Before Deletion

Always implement a confirmation dialog in the UI before calling this endpoint.

Audit Logging

Log all user deletions with admin ID and timestamp for compliance.

Export Data First

Offer users the option to export their data before account deletion.

Grace Period

Consider implementing a soft-delete with grace period before permanent deletion.

GDPR Compliance

This endpoint can be used to fulfill GDPR “Right to Erasure” (Article 17) requests. When processing data deletion requests:
  • Document the request and admin action
  • Verify the request is legitimate
  • Complete deletion within required timeframe
  • Notify the user of completed deletion

Alternative: Deactivation

Instead of permanent deletion, consider deactivating the account:
curl -X PATCH http://localhost:3000/api/admin/users/user-uuid-123 \
  -H "Authorization: Bearer <admin-token>" \
  -H "Content-Type: application/json" \
  -d '{"isActive": false}'
This preserves data while preventing login, and can be reversed if needed.
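The following is an added example, not the project's own code, that models server-side what the Authentication, Data Cascade, Error Responses, Audit Logging and Deactivation sections above describe: the 401/403/404/400 gates in the order a handler should apply them, the cascade across the per-user collections, an audit record with admin ID and timestamp, and the reversible PATCH {"isActive": false} path that keeps the data. The in-memory store, the verifyToken lookup (a stand-in for real JWT verification), the sample records and the PATCH response body are all constructed assumptions for this example.

```javascript
// Added example, not the project's own code: a framework-free model of the
// checks, data cascade and audit trail behind DELETE /api/admin/users/:id, and
// of the reversible PATCH {"isActive": false} alternative. The store layout,
// the verifyToken stand-in and all sample records are constructed here.

// Constructed stand-in for JWT verification: maps a bearer token to a principal.
// A real service validates the token's signature, expiry and issuer instead.
const SAMPLE_TOKENS = {
  'admin-token-xyz': { sub: 'admin-uuid-1', role: 'ADMIN' },
  'user-token-abc': { sub: 'user-uuid-123', role: 'USER' },
};
function verifyToken(token) {
  return SAMPLE_TOKENS[token] || null;
}

// In-memory store with one collection per item listed under "Data Cascade".
function makeStore() {
  return {
    users: new Map([
      ['user-uuid-123', { id: 'user-uuid-123', email: 'ana@example.com', role: 'USER', isActive: true }],
      ['admin-uuid-1', { id: 'admin-uuid-1', email: 'admin@example.com', role: 'ADMIN', isActive: true }],
    ]),
    transactions: [
      { id: 't1', userId: 'user-uuid-123', amount: -12.5 },
      { id: 't2', userId: 'admin-uuid-1', amount: 100 },
    ],
    categories: [{ id: 'c1', userId: 'user-uuid-123', name: 'Food' }],
    accounts: [{ id: 'a1', userId: 'user-uuid-123', name: 'Wallet' }],
    budgets: [{ id: 'b1', userId: 'user-uuid-123', limit: 200 }],
    auditLog: [],
  };
}

// Error envelope in the shape shown under "Error Responses".
const error = (statusCode, message) => ({ statusCode, body: { statusCode, message } });

// Shared gate for admin endpoints: 401 without a valid token, 403 without ADMIN.
function authorizeAdmin(headers) {
  const auth = headers['authorization'] || headers['Authorization'] || '';
  const match = /^Bearer\s+(\S+)$/.exec(auth);
  const principal = match ? verifyToken(match[1]) : null;
  if (!principal) return { error: error(401, 'Unauthorized') };
  if (principal.role !== 'ADMIN') return { error: error(403, 'Forbidden resource') };
  return { principal };
}

// Audit record: which admin acted on which user, and when.
function audit(store, action, adminId, targetId) {
  store.auditLog.push({ action, adminId, targetId, at: new Date().toISOString() });
}

// DELETE /api/admin/users/:id -> { statusCode, body }
function deleteUser(store, headers, id) {
  const { principal, error: denied } = authorizeAdmin(headers);
  if (denied) return denied;
  const target = store.users.get(id);
  if (!target) return error(404, 'User not found');
  // Refuse to remove admin accounts (the 400 case above); this also blocks an admin deleting itself.
  if (target.role === 'ADMIN') return error(400, 'Cannot delete admin users');

  // Cascade: drop every row the user owns, then the user record itself.
  for (const table of ['transactions', 'categories', 'accounts', 'budgets']) {
    store[table] = store[table].filter((row) => row.userId !== id);
  }
  store.users.delete(id);
  audit(store, 'USER_DELETED', principal.sub, id);
  return { statusCode: 200, body: { message: 'User and all associated data deleted successfully' } };
}

// PATCH /api/admin/users/:id with {"isActive": false}: reversible, keeps all data.
// The response body shape is an assumption; the page documents only the request.
function setUserActive(store, headers, id, isActive) {
  const { principal, error: denied } = authorizeAdmin(headers);
  if (denied) return denied;
  const target = store.users.get(id);
  if (!target) return error(404, 'User not found');
  target.isActive = Boolean(isActive);
  audit(store, isActive ? 'USER_ACTIVATED' : 'USER_DEACTIVATED', principal.sub, id);
  return { statusCode: 200, body: { id, isActive: target.isActive } };
}

// Demo run on its own store: a USER token is refused, an ADMIN token succeeds.
const demoStore = makeStore();
console.log(deleteUser(demoStore, { authorization: 'Bearer user-token-abc' }, 'user-uuid-123').body);
console.log(deleteUser(demoStore, { authorization: 'Bearer admin-token-xyz' }, 'user-uuid-123').body);
console.log(demoStore.auditLog);
```

The order of the checks matters: authentication and role are decided before the target is looked up, so an unauthenticated or non-admin caller learns nothing about whether a given UUID exists, and the cascade only runs after every refusal path has been exhausted.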
