All endpoints on this page require both a valid Bearer token and the admin role. Requests from non-admin accounts return 403 Forbidden.
These endpoints let administrators inspect and manage user accounts across the platform. They are protected by two middleware layers: authenticate (validates the JWT) and isAdmin (checks role === "admin").

Admin login

POST /api/auth/admin-login

Administrators authenticate through a dedicated login endpoint. The returned token carries the admin role and is required to call any of the endpoints below.

Body parameters

email (string, required): Administrator email address.
password (string, required): Administrator password.

Example

curl --request POST \
  --url https://api.hayon.app/api/auth/admin-login \
  --header 'Content-Type: application/json' \
  --data '{
    "email": "[email protected]",
    "password": "supersecretpassword"
  }'

Get all users

GET /api/admin/get-all-users

Returns a list of all registered users. Each record includes the user's profile, subscription plan, account status, and usage data.

Headers

Authorization (string, required): Admin Bearer token. Format: Bearer <token>.

Response

message (string): Status message.
data (object[]): Array of user objects.

Example

curl --request GET \
  --url https://api.hayon.app/api/admin/get-all-users \
  --header 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...'
Response
{
  "message": "Users retrieved successfully",
  "data": [
    {
      "_id": "6643f1a2b4e3c21d8a9f0012",
      "email": "[email protected]",
      "name": "Alice Chen",
      "role": "user",
      "isDisabled": false,
      "subscription": {
        "plan": "pro",
        "status": "active",
        "currentPeriodEnd": "2025-04-01T00:00:00.000Z",
        "cancelAtPeriodEnd": false
      },
      "usage": {
        "captionGenerations": 34,
        "postsCreated": 21
      },
      "createdAt": "2024-11-01T09:30:00.000Z",
      "lastLogin": "2025-03-20T14:22:00.000Z"
    }
  ]
}

Update user plan

PATCH /api/admin/update-user-plan/:id

Overrides the plan for a specific user. Use this to manually upgrade or downgrade an account outside of the normal Stripe checkout flow.

Changing a user's plan via this endpoint does not create or modify any Stripe subscription. It only updates the database record. Use with care to avoid billing and access discrepancies.

Headers

Authorization (string, required): Admin Bearer token.

Parameters

id (string, required): The MongoDB _id of the user to update.
plan (string, required): The new plan, passed as a query parameter as in the example below. Must be exactly free or pro.

Response

message (string): Confirmation message.
data (object): The updated user's id and plan.

Example

curl --request PATCH \
  --url 'https://api.hayon.app/api/admin/update-user-plan/6643f1a2b4e3c21d8a9f0012?plan=pro' \
  --header 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...'
Response
{
  "message": "User plan updated successfully",
  "data": {
    "userId": "6643f1a2b4e3c21d8a9f0012",
    "plan": "pro"
  }
}

Update user activity

PATCH /api/admin/update-user-activity/:id

Activates or deactivates a user account. Deactivated accounts (isDisabled: true) cannot log in or access the platform.

Headers

Authorization (string, required): Admin Bearer token.

Parameters

id (string, required): The MongoDB _id of the user to update.
activity (boolean, required): true to activate the account, false to deactivate it.

Response

message (string): Confirmation message.
data (object): The full updated user document.

Example

curl --request PATCH \
  --url https://api.hayon.app/api/admin/update-user-activity/6643f1a2b4e3c21d8a9f0012 \
  --header 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...' \
  --header 'Content-Type: application/json' \
  --data '{"activity": false}'
Response
{
  "message": "User activity status updated successfully",
  "data": {
    "_id": "6643f1a2b4e3c21d8a9f0012",
    "email": "[email protected]",
    "name": "Alice Chen",
    "isDisabled": true
  }
}
