Skip to main content
PUT
/
api
/
users
/
{id}
Update User
curl --request PUT \
  --url https://api.example.com/api/users/{id} \
  --header 'Content-Type: application/json' \
  --data '
{
  "email": "<string>",
  "name": "<string>",
  "surname": "<string>",
  "password": "<string>",
  "role": {},
  "status": {},
  "phone": "<string>",
  "address": "<string>",
  "city": "<string>",
  "country": "<string>",
  "postal_code": "<string>",
  "gender": "<string>",
  "birth_date": "<string>",
  "document_type": {},
  "document_number": "<string>",
  "avatar": "<string>",
  "refresh_token": {}
}
'
{
  "user_id": "<string>",
  "email": "<string>",
  "name": "<string>",
  "surname": "<string>",
  "phone": "<string>",
  "address": "<string>",
  "city": "<string>",
  "country": "<string>",
  "postal_code": "<string>",
  "gender": "<string>",
  "birth_date": "<string>",
  "role": {},
  "status": {},
  "avatar": "<string>",
  "document_type": {},
  "document_number": "<string>",
  "refresh_token": {},
  "created_at": "<string>",
  "updated_at": "<string>"
}
Updates an existing user’s information. This endpoint is protected and requires authentication.

Authentication

This endpoint requires a valid JWT token. Include the token in one of the following ways:
  • Authorization header: Authorization: Bearer <token>
  • Cookie: auth_token=<token>

Authorization

Typically requires ADMIN role to update users, or users should only be able to update their own profile.

Path Parameters

id
string
required
The unique identifier (UUID) of the user to update. This corresponds to the user_id field.

Request Body

All fields are optional. Only include the fields you want to update. The request body is merged with the existing user data.
email
string
User’s email address (max 50 characters). Must be unique if changed.
name
string
User’s first name (max 50 characters)
surname
string
User’s last name (max 50 characters)
password
string
New password for the user. Will be hashed using bcrypt with 10 salt rounds before storage.
When updating a password, it is automatically hashed using bcryptjs. Never send or store plain-text passwords.
role
enum
User’s role in the systemPossible values:
  • ADMIN: Administrator with full access
  • USER: Regular user with limited access
status
enum
User’s account statusPossible values:
  • ON: Active account
  • OFF: Inactive/disabled account
phone
string
User’s phone number (max 20 characters)
address
string
Street address (max 255 characters)
city
string
City name (max 50 characters)
country
string
Country name (max 50 characters)
postal_code
string
Postal/ZIP code (max 20 characters)
gender
string
User’s gender (max 10 characters)
birth_date
string
Date of birth in ISO 8601 format (YYYY-MM-DD). Will be converted to a Date object.
document_type
enum
Type of identification documentPossible values:
  • DNI: National Identity Document (Spain)
  • PASSPORT: Passport
  • NIE: Foreign Identity Number (Spain)
document_number
string
Document identification number (max 20 characters)
avatar
string
URL to user’s avatar image (max 255 characters)
refresh_token
string | null
JWT refresh token for maintaining sessions

Example Requests

Update user’s email and phone: 
curl -X PUT https://your-domain.com/api/users/a1b2c3d4-e5f6-7890-abcd-ef1234567890 \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \
  -H "Content-Type: application/json" \
  -d '{
    "email": "[email protected]",
    "phone": "+34677889900"
  }'
Change user’s password: 
curl -X PUT https://your-domain.com/api/users/a1b2c3d4-e5f6-7890-abcd-ef1234567890 \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \
  -H "Content-Type: application/json" \
  -d '{
    "password": "NewSecurePassword456!"
  }'
Deactivate a user account: 
curl -X PUT https://your-domain.com/api/users/a1b2c3d4-e5f6-7890-abcd-ef1234567890 \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \
  -H "Content-Type: application/json" \
  -d '{
    "status": "OFF"
  }'
Update multiple fields: 
curl -X PUT https://your-domain.com/api/users/a1b2c3d4-e5f6-7890-abcd-ef1234567890 \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \
  -H "Content-Type: application/json" \
  -d '{
    "name": "María Carmen",
    "address": "Calle Nueva 456",
    "city": "Sevilla",
    "postal_code": "41001"
  }'

Response

Returns the updated user object without the password field.
user_id
string
Unique identifier for the user (UUID format)
email
string
User’s email address
name
string
User’s first name
surname
string
User’s last name
phone
string
User’s phone number
address
string
Street address
city
string
City name
country
string
Country name
postal_code
string
Postal/ZIP code
gender
string
User’s gender
birth_date
string
Date of birth in ISO 8601 format
role
enum
User’s role (ADMIN or USER)
status
enum
User’s account status (ON or OFF)
avatar
string
URL to user’s avatar image
document_type
enum
Type of identification document
document_number
string
Document identification number
refresh_token
string | null
JWT refresh token
created_at
string
Timestamp when the user was created
updated_at
string
Timestamp when the user was last updated (automatically updated by Prisma)

Success Response (200)

{
  "user_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "email": "[email protected]",
  "name": "María Carmen",
  "surname": "García",
  "phone": "+34677889900",
  "address": "Calle Nueva 456",
  "city": "Sevilla",
  "country": "España",
  "postal_code": "41001",
  "gender": "Femenino",
  "birth_date": "1990-05-15T00:00:00.000Z",
  "role": "USER",
  "status": "ON",
  "avatar": "https://ui-avatars.com/api/?name=María&background=random",
  "document_type": "DNI",
  "document_number": "12345678A",
  "refresh_token": null,
  "created_at": "2024-01-15T10:30:00.000Z",
  "updated_at": "2024-03-05T14:22:00.000Z"
}

Error Responses

400 Bad Request
User ID is missing from the path
{
  "statusCode": 400,
  "statusMessage": "ID requerido"
}
401 Unauthorized
Token is missing, invalid, or expired
{
  "statusCode": 401,
  "statusMessage": "Unauthorized: Token is missing or invalid"
}
500 Internal Server Error
Database error (e.g., user not found, unique constraint violation) or server issue
{
  "statusCode": 500,
  "statusMessage": "Error al actualizar usuario"
}
A 500 error may also occur if the user_id doesn’t exist in the database. Prisma will throw an error when trying to update a non-existent record.

Implementation Details

Password Hashing

If a password is included in the update request, it is automatically hashed before storage: 
if (updateData.password) {
  updateData.password = await bcrypt.hash(updateData.password, 10)
}
Passwords are always hashed using bcryptjs with 10 salt rounds. Never store plain-text passwords.

Date Conversion

If birth_date is included, it’s converted to a JavaScript Date object: 
if (updateData.birth_date) {
  updateData.birth_date = new Date(updateData.birth_date)
}

Automatic Timestamp Update

The updated_at field is automatically updated by Prisma using the @updatedAt directive in the schema. You don’t need to include it in your request.

Partial Updates

This endpoint performs partial updates - only the fields provided in the request body will be updated. All other fields remain unchanged.

Database Transaction

The update is performed as a single atomic operation using Prisma’s update method.

Security Considerations

Consider implementing additional authorization checks:
  • Regular users should only be able to update their own profile
  • Only ADMIN users should be able to change roles or status
  • Validate that users cannot escalate their own privileges

Build docs developers (and LLMs) love

Get started for freeTalk to us