GET /api/admin/users

Retrieve the complete list of all users in the system; the full list is returned in a single response. This endpoint is restricted to administrators.
The caller's JWT must carry the ADMIN role. Authenticated users with any other role receive a 403 Forbidden error; requests with no valid token receive 401 Unauthorized.

Authentication

This endpoint requires both of the following, checked server-side on every request:
  1. A valid (correctly signed, unexpired) JWT in the Authorization header, otherwise 401
  2. The authenticated user must have the ADMIN role, otherwise 403
Authorization: Bearer <admin-token>

Response

Returns a JSON array of user objects. The fields of each object are shown in the example response below.

users (array): Array of user objects

Example Request

cURL
curl -X GET http://localhost:3000/api/admin/users \
  -H "Authorization: Bearer <admin-token>"
JavaScript
const response = await fetch('http://localhost:3000/api/admin/users', {
  method: 'GET',
  headers: {
    'Authorization': `Bearer ${adminToken}`
  }
});

// 401: token missing, invalid or expired; 403: authenticated but not ADMIN
if (!response.ok) {
  throw new Error(`GET /api/admin/users failed with HTTP ${response.status}`);
}

const users = await response.json();

Example Response

[
  {
    "id": "user-uuid-1",
    "email": "[email protected]",
    "firstName": "John",
    "lastName": "Doe",
    "role": "USER",
    "isActive": true,
    "subscription": "FREE",
    "authProvider": "LOCAL",
    "emailVerified": "2024-01-15T10:00:00.000Z",
    "createdAt": "2024-01-15T10:00:00.000Z",
    "lastLogin": "2024-01-20T14:30:00.000Z"
  },
  {
    "id": "user-uuid-2",
    "email": "[email protected]",
    "firstName": "Jane",
    "lastName": "Smith",
    "role": "USER",
    "isActive": true,
    "subscription": "PRO",
    "authProvider": "GOOGLE",
    "emailVerified": "2024-01-16T09:15:00.000Z",
    "createdAt": "2024-01-16T09:15:00.000Z",
    "lastLogin": "2024-01-21T08:45:00.000Z"
  },
  {
    "id": "admin-uuid-3",
    "email": "[email protected]",
    "firstName": "Admin",
    "lastName": "User",
    "role": "ADMIN",
    "isActive": true,
    "subscription": "PRO",
    "authProvider": "LOCAL",
    "emailVerified": "2024-01-01T00:00:00.000Z",
    "createdAt": "2024-01-01T00:00:00.000Z",
    "lastLogin": "2024-01-21T10:00:00.000Z"
  }
]

Error Responses

403 Forbidden: the token is valid but the user does not have the ADMIN role.
{
  "statusCode": 403,
  "message": "Forbidden resource"
}

401 Unauthorized: the token is missing, invalid, or expired.
{
  "statusCode": 401,
  "message": "Unauthorized"
}

Security Considerations

  • Password hashes are never included in the response
  • Sensitive fields such as password reset tokens are excluded; only the fields shown in the example response are returned
  • This endpoint is protected by both JWT authentication (401 on failure) and role-based authorization (403 on failure); authentication is checked first, so an unauthenticated caller learns nothing about the role check
  • The response still contains personal data for every user (email addresses, names, verification and login timestamps); do not cache it in the browser or write the body to logs
  • All admin actions should be logged for audit purposes, including who called this endpoint and when

Use Cases

User Management

Display all users in an admin dashboard

User Analytics

Analyze user registration trends and activity

Subscription Tracking

Monitor FREE vs PRO subscription distribution

Support

Look up user accounts for customer support
