Endpoints for managing user data export and account deletion in compliance with GDPR.

Export user data

GET /api/mydata/export

Download all user data in JSON format

Export all user data including identities, passkeys, devices, sessions, trust codes, activity logs, and OAuth authorizations. This endpoint supports GDPR data portability requirements.

Authentication: Required (session token)

Response

  • exportedAt (string): ISO 8601 timestamp of when the export was generated
  • user (object): User account information
  • identities (array): List of user identities
  • passkeys (array): List of registered passkeys (WebAuthn credentials)
  • devices (array): List of trusted devices
  • sessions (array): Active and expired sessions
  • trustCodes (array): Trust code metadata (codes themselves are not included for security)
  • activityLog (array): Complete activity history
  • authorizedApps (array): OAuth app authorizations

Example

curl https://api.aveid.net/api/mydata/export \
  -H "Cookie: ave_session=YOUR_SESSION_TOKEN"
Response:
{
  "exportedAt": "2024-03-15T10:30:00.000Z",
  "user": {
    "id": "user_abc123",
    "createdAt": "2024-01-01T00:00:00.000Z",
    "updatedAt": "2024-03-15T10:30:00.000Z",
    "hasSecurityQuestions": false
  },
  "identities": [
    {
      "id": "identity_xyz789",
      "displayName": "Alice Smith",
      "handle": "alice",
      "email": "[email protected]",
      "birthday": "1990-01-01",
      "avatarUrl": "https://...",
      "isPrimary": true,
      "createdAt": "2024-01-01T00:00:00.000Z"
    }
  ],
  "passkeys": [...],
  "devices": [...],
  "sessions": [...],
  "trustCodes": [...],
  "activityLog": [...],
  "authorizedApps": [...]
}
The export is generated on demand and includes all data at the time of the request. The file is downloaded with a filename like ave-data-export-2024-03-15.json.

Delete account

DELETE /api/mydata/

Permanently delete user account and all associated data

Permanently delete the user’s account and all associated data. This action is irreversible and complies with GDPR’s “right to erasure” (right to be forgotten).

Authentication: Required (session token)

Deleted data includes:
  • User account
  • All identities
  • All passkeys
  • All devices
  • All sessions
  • All trust codes
  • All activity logs
  • All OAuth authorizations
  • All signing keys
  • Uploaded files (avatars, banners)

Response

  • success (boolean): Always true if deletion succeeds
  • message (string): Confirmation message

Example

curl -X DELETE https://api.aveid.net/api/mydata/ \
  -H "Cookie: ave_session=YOUR_SESSION_TOKEN"
Response:
{
  "success": true,
  "message": "Your account and all associated data have been permanently deleted."
}
This action is permanent and cannot be undone. All data will be immediately and irreversibly deleted from the database. Users should export their data first if they want to keep a copy.
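
The export-before-delete order recommended above, as an added Python example that is not part of the original documentation or the project's own code. It checks the export against the top-level fields documented on this page and only then issues the DELETE; the function names and the injectable `call` parameter are assumptions, while the URL, cookie name and field names come from the curl examples and field list above.

```python
import json
import urllib.request
from datetime import datetime

BASE = "https://api.aveid.net/api/mydata"  # host and path from the curl examples
# Top-level fields and JSON types listed in the export Response section.
EXPECTED = {
    "exportedAt": str, "user": dict, "identities": list, "passkeys": list,
    "devices": list, "sessions": list, "trustCodes": list,
    "activityLog": list, "authorizedApps": list,
}

def validate_export(doc):
    """Return a list of problems; an empty list means the documented shape is present."""
    if not isinstance(doc, dict):
        return ["top-level value is not a JSON object"]
    problems = []
    for key, typ in EXPECTED.items():
        if key not in doc:
            problems.append(f"missing field: {key}")
        elif not isinstance(doc[key], typ):
            problems.append(f"{key}: expected {typ.__name__}")
    ts = doc.get("exportedAt")
    if isinstance(ts, str):
        try:
            datetime.fromisoformat(ts.replace("Z", "+00:00"))
        except ValueError:
            problems.append("exportedAt is not an ISO 8601 timestamp")
    return problems

def call_api(method, path, session_token):
    """Send one authenticated request and return the parsed JSON body."""
    req = urllib.request.Request(BASE + path, method=method,
                                 headers={"Cookie": f"ave_session={session_token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())

def export_then_delete(session_token, out_path, call=call_api):
    """Delete the account only after a validated export has been written to disk."""
    doc = call("GET", "/export", session_token)
    problems = validate_export(doc)
    if problems:
        raise RuntimeError("export incomplete, account not deleted: " + "; ".join(problems))
    with open(out_path, "w", encoding="utf-8") as fh:
        json.dump(doc, fh, indent=2)
    result = call("DELETE", "/", session_token)
    if result.get("success") is not True:
        raise RuntimeError("deletion not confirmed: " + str(result.get("message")))
    return out_path
```

The export contains personal data, so `out_path` should point to a location with restricted permissions.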

Privacy & Security

  • GDPR Compliance: Both endpoints support GDPR requirements for data portability and erasure
  • Activity Logging: Data exports and account deletions are logged before execution
  • Authentication Required: Both endpoints require valid session authentication
  • No PII in Logs: Trust codes and sensitive data are excluded or hashed in exports
  • Cascade Deletion: Account deletion automatically removes all related data via database constraints
