User Profile Management Service

Author: Josh S. Sakweli, Backend Lead Team
Last Updated: ~~2025-09-23~~2026-05-19
Version: v1.0

Base URL: {base_url}/api/v1/profile

Short Description: The ~~User~~Profile API manages a user's social presence — what others see when they visit your page. This includes viewing your own full profile, looking up other users by ID or username, and updating your display information such as name, bio, location, and profile pictures.

Why Account and Profile ~~Management~~Are ~~Service~~Separate:

~~handles~~

~~user~~
Profile = how you appear to others (display name, bio, location, picture, social stats). Account = who you are in the system (credentials, security, identity verification).

Profile operations are social in nature — some endpoints (/id/{userId}, /u/{username}) are intentionally viewable by any authenticated user, not just the owner. Account operations carry security implications and are always strictly private. By separating the two, we can apply the right access rules to each: profile ~~updates,~~data ~~security~~can ~~settings,~~be shared, account ~~verification,~~data ~~password~~cannot. ~~changes,~~Anything ~~and~~that ~~account~~touches ~~management~~credentials ~~for~~(password, 2FA, email, phone) belongs in the ~~NextGate~~Account ~~social~~API, ~~commerce~~not ~~platform.~~here.
~~This service provides comprehensive profile management with security controls, two-factor authentication, and account verification capabilities.~~

Hints:

~~All~~GET endpoints/me ~~require~~requires ~~JWT~~authentication; ~~Bearer~~it ~~token~~returns ~~authentication~~private fields like email, phoneNumber, and securityStrength only visible to the account owner
~~Password~~GET changes trigger automatic logout/id/{userId} and ~~require~~GET re-authentication/u/{username} work for both authenticated and unauthenticated callers — authenticated callers additionally receive relationship info (isFollowing, isBlocked, etc.)
~~Username~~PUT changes/update ~~require~~only ~~immediate~~accepts ~~re-login~~social/display ~~with~~fields ~~new~~— ~~credentials~~

~~Email/~~change username use POST /api/v1/account/username/change; to change email or phone ~~updates~~use ~~require~~the ~~OTP~~Account ~~verification~~Linking ~~for security~~API
Profile picture URLs must be ~~valid~~publicly ~~HTTPS~~accessible https:// image URLs ~~(max~~ending in .jpg, .jpeg, .png, .gif, or .webp

Maximum 5 ~~pictures)~~

profile

~~Security~~picture ~~strength is calculated based on verification status and 2FA~~

~~Account deactivation locks the account instead of deleting data~~

~~Rate limiting applies to OTP verification requests (5~~URLs per ~~10-minute window)~~account

EndpointsStandard Response Format

1.

Success Get Current User Profile

~~Purpose~~~~: Retrieve complete profile information for the authenticated user~~

~~Endpoint~~: ~~GET~~ https://apinexgate.glueauth.com/api/v1/profile/me

~~Access Level~~~~: 🔒 Protected (Requires JWT Bearer token)~~

~~Authentication~~~~: Bearer Token (JWT access token required)~~

~~Request Headers~~:

~~Header~~	~~Type~~	~~Required~~	~~Description~~
~~Authorization~~	~~string~~	~~Yes~~	~~Bearer {access_token}~~
~~Content-Type~~	~~string~~	~~Yes~~	~~Must be "application/json"~~

Response ~~JSON Sample~~:

Structure

{
  "success": true,
  "httpStatus": "OK",
  "message": "ProfileOperation retrievedcompleted successfully",
  "action_time": "2025-09-23T10:30:00"45",
  "data": {}
}

Error Response Structure

{
  "id": "123e4567-e89b-12d3-a456-426614174000",
    "userName": "johndoe-a1B2c3D",
    "firstName": "John",
    "lastName": "Doe",
    "middleName": "Michael",
    "email": "john.doe@example.com",
    "phoneNumber": "+255712345678",
    "isVerified": true,
    "isEmailVerified": true,
    "isPhoneVerified"success": false,
  "isTwoFactorEnabled": false,
    "isAccountLocked": false,
    "createdAt"httpStatus": "2025-09-23T10:00:00"BAD_REQUEST",
  "editedAt"message": "Error description",
  "action_time": "2025-09-23T10:30:00"45",
  "roles": ["ROLE_NORMAL_USER"],
    "profilePictureUrls": [
      "https://files.nextgate.com/bucket-uuid/profile/avatar1.jpg",
      "https://files.nextgate.com/bucket-uuid/profile/avatar2.jpg"
    ],
    "securityStrength": {
      "score": 65,
      "level"data": "MEDIUM",Error "description": "Your account security is good but can be improved",
      "recommendations": [
        "Verify your phone number",
        "Enable two-factor authentication"
      ]
    }
  }
}

Standard Response Fields:

~~indicating~~ onsuccess,errordetails

Field Type Description

success ~~Boolean~~boolean true ~~operation~~for ~~success~~successful operations, false for errors

httpStatus string HTTP status ~~code~~name as(OK, ~~string~~BAD_REQUEST, NOT_FOUND, etc.)

message ~~Success~~string Human-readable message describing the result

action_time string ISO 8601 timestamp of when the response ~~generation~~was generated

~~data.id~~data ~~Unique user identifier (UUID)~~
~~data.userName~~object/string ~~User's~~Response ~~unique~~payload ~~username~~

~~data.firstName~~ ~~User's~~on ~~first name~~
~~data.lastName~~ ~~User's last name~~
~~data.middleName~~ ~~User's middle name~~
~~data.email~~ ~~User's email address~~
~~data.phoneNumber~~ ~~User's phone number in international format~~
~~data.isVerified~~ ~~Overall account verification status~~
~~data.isEmailVerified~~ ~~Email verification status~~
~~data.isPhoneVerified~~ ~~Phone number verification status~~
~~data.isTwoFactorEnabled~~ ~~Two-factor authentication status~~
~~data.isAccountLocked~~ ~~Account lock status~~
~~data.createdAt~~ ~~Account creation timestamp~~
~~data.editedAt~~ ~~Last profile modification timestamp~~
~~data.roles~~ ~~Array of user roles/permissions~~
~~data.profilePictureUrls~~ ~~Array of profile picture URLs (max 5)~~
~~data.securityStrength.score~~ ~~Security score from 0-100~~
~~data.securityStrength.level~~ ~~Security level (WEAK, MEDIUM, STRONG, VERY_WEAK)~~
~~data.securityStrength.description~~ ~~Human-readable security assessment~~
~~data.securityStrength.recommendations~~ ~~Array of security improvement suggestions~~failure

Standard Error ~~Responses~~:
Types

401400 UnauthorizedBAD_REQUEST: ~~Missing~~Invalid request data or business rule violation

401 UNAUTHORIZED: Missing, expired, or invalid JWT token

404 Not FoundNOT_FOUND: User ~~account~~ not found

500422 Internal Server ErrorUNPROCESSABLE_ENTITY: ~~Server-side processing~~Validation errors with field-level detail

500 INTERNAL_SERVER_ERROR: Unexpected server error

2.Endpoints
~~Update~~
1. ~~Basic~~Get My Profile ~~Information~~

Purpose: ~~Update~~Returns ~~user's~~the ~~basic~~full profile ~~information~~of the currently authenticated user, including ~~username,~~private ~~names,~~fields (email, phone, ~~and profile pictures~~

~~Endpoint~~: ~~PUT~~ https://apinexgate.glueauth.com/api/v1/profile/update-basic-info

~~Access Level~~~~: 🔒 Protected (Requires JWT Bearer token) ⚠️~~ ~~Username changes require re-authentication~~

~~Authentication~~~~: Bearer Token (JWT access token required)~~

~~Request Headers~~:

~~Header~~ ~~Type~~ ~~Required~~ ~~Description~~
~~Authorization~~ ~~string~~ ~~Yes~~ ~~Bearer {access_token}~~
~~Content-Type~~ ~~string~~ ~~Yes~~ ~~Must be "application/json"~~

~~Request JSON Sample~~:

{ "userName": "johnsmith", "firstName": "John", "lastName": "Smith", "middleName": "Michael", "email": "john.smith@example.com", "phoneNumber": "+255723456789", "profilePictureUrls": [ "https://files.nextgate.com/bucket-uuid/profile/new-avatar.jpg", "https://files.nextgate.com/bucket-uuid/profile/banner.jpg" ] }

~~Request Body Parameters~~:

~~Parameter~~ ~~Type~~ ~~Required~~ ~~Description~~ ~~Validation~~
~~userName~~ ~~string~~ No ~~New username (triggers re-authentication if changed)~~ ~~3-30 chars, start with letter, alphanumeric + underscore/hyphen only~~
~~firstName~~ ~~string~~ No ~~User's first name~~ ~~1-30 characters~~
~~lastName~~ ~~string~~ No ~~User's last name~~ ~~1-30 characters~~
~~middleName~~ ~~string~~ No ~~User's middle name~~ ~~Max 30 characters~~
~~email~~ ~~string~~ No ~~User's email address (requires re-~~verification ~~if changed)~~ ~~Valid email format~~
~~phoneNumber~~ ~~string~~ No ~~Phone number (requires re-verification if changed)~~ ~~E.164 international format (+1234567890)~~
~~profilePictureUrls~~ ~~array~~ No ~~Array of profile picture URLs~~ ~~Max 5 URLs, valid HTTPS image URLs only~~

~~Response JSON Sample~~:

{ "success": true, "httpStatus": "OK", "message": "Username changed successfully! You will be logged out automatically. Please login again with your new username.", "action_time": "2025-09-23T10:35:00", "data": { "id": "123e4567-e89b-12d3-a456-426614174000", "userName": "johnsmith", "firstName": "John", "lastName": "Smith", "middleName": "Michael", "email": "john.smith@example.com", "phoneNumber": "+255723456789", "isVerified": true, "isEmailVerified": false, "isPhoneVerified": false, "isTwoFactorEnabled": false, "isAccountLocked": false, "createdAt": "2025-09-23T10:00:00", "editedAt": "2025-09-23T10:35:00", "roles": ["ROLE_NORMAL_USER"], "profilePictureUrls": [ "https://files.nextgate.com/bucket-uuid/profile/new-avatar.jpg", "https://files.nextgate.com/bucket-uuid/profile/banner.jpg" ], "securityStrength": { "score": 40, "level": "WEAK", "description": "Your accountstatus, security needs improvement", "recommendations": [ "Verify your email address", "Verify your phone number", "Enable two-factor authentication" ] } } }

~~Response Fields~~:

~~Field~~ ~~Description~~
~~success~~ ~~Boolean indicating operation success~~
~~httpStatus~~ ~~HTTP status code as string~~
~~message~~ ~~Success message (special message if username changed)~~
~~action_time~~ ~~ISO 8601 timestamp of response generation~~
~~data~~ ~~Updated UserProfileResponse object with complete profile data~~

~~Error Responses~~:

400 Bad Request~~: Invalid input data or validation errors~~

401 Unauthorized~~: Missing or invalid JWT token~~

409 Conflict~~: Username or email already taken~~

422 Unprocessable Entity~~: Validation errors (reserved username, invalid format)~~

500 Internal Server Error~~: Server-side processing errors~~

~~3. Change Password~~

~~Purpose~~~~: Change user's password with current password verification~~strength) and ~~strength~~social ~~validation~~

~~Endpoint~~: ~~PUT~~ https://apinexgate.glueauth.com/api/v1/profile/change-password

~~Access Level~~~~: 🔒 Protected~~stats (~~Requires~~followers, ~~JWT~~posts, ~~Bearer~~shops, ~~token) ⚠️~~ ~~Triggers automatic logout~~

~~Authentication~~~~: Bearer Token (JWT access token required)~~

~~Request Headers~~:

~~Header~~ ~~Type~~ ~~Required~~ ~~Description~~
~~Authorization~~ ~~string~~ ~~Yes~~ ~~Bearer {access_token}~~
~~Content-Type~~ ~~string~~ ~~Yes~~ ~~Must be "application/json"~~

~~Request JSON Sample~~:

{ "currentPassword": "OldPassword123!", "newPassword": "NewSecurePass456@", "confirmPassword": "NewSecurePass456@" }

~~Request Body Parameters~~:

~~Parameter~~ ~~Type~~ ~~Required~~ ~~Description~~ ~~Validation~~
~~currentPassword~~ ~~string~~ ~~Yes~~ ~~User's current password~~ ~~Must match current password~~
~~newPassword~~ ~~string~~ ~~Yes~~ ~~New password~~ ~~Min 8 chars, uppercase, lowercase, digit, special character~~
~~confirmPassword~~ ~~string~~ ~~Yes~~ ~~Confirmation of new password~~ ~~Must match newPassword exactly~~

~~Response JSON Sample~~:

{ "success": true, "httpStatus": "OK", "message": "Password changed successfully", "action_time": "2025-09-23T10:40:00", "data": null }

~~Response Fields~~:

~~Field~~ ~~Description~~
~~success~~ ~~Boolean indicating operation success~~
~~httpStatus~~ ~~HTTP status code as string~~
~~message~~ ~~Success message confirming password change~~
~~action_time~~ ~~ISO 8601 timestamp of response generation~~
~~data~~ ~~Always null for password change operations~~

~~Error Responses~~:

400 Bad Request~~: Invalid password format or passwords don't match~~

401 Unauthorized~~: Missing or invalid JWT token or incorrect current password~~

422 Unprocessable Entity~~: Password strength requirements not met~~

500 Internal Server Error~~: Server-side processing errors~~

~~4. Validate Username Availability~~

~~Purpose~~~~: Check if a username is available and valid, with suggestions if taken~~

~~Endpoint~~: ~~GET~~ https://apinexgate.glueauth.com/api/v1/profile/validate-username/{username}

~~Access Level~~~~: 🔒 Protected (Requires JWT Bearer token)~~

~~Authentication~~~~: Bearer Token (JWT access token required)~~

~~Request Headers~~:

~~Header~~ ~~Type~~ ~~Required~~ ~~Description~~
~~Authorization~~ ~~string~~ ~~Yes~~ ~~Bearer {access_token}~~
~~Content-Type~~ ~~string~~ ~~Yes~~ ~~Must be "application/json"~~

~~Path Parameters~~:

~~Parameter~~ ~~Type~~ ~~Required~~ ~~Description~~ ~~Validation~~
~~username~~ ~~string~~ ~~Yes~~ ~~Username to validate~~ ~~3-30 characters, alphanumeric + underscore/hyphen~~

~~Response JSON Sample~~:

{ "success": true, "httpStatus": "OK", "message": "Username validation completed", "action_time": "2025-09-23T10:45:00", "data": { "available": false, "valid": true, "message": "This username is already taken", "suggestions": [ "johnsmith1", "johnsmith2", "johnsmithuser", "johnsmith2024", "johnsmithpro" ], "details": { "correctLength": true, "validFormat": true, "notReserved": true, "notTaken": false, "formatRequirement": "Username must start with a letter and be 3-30 characters long" } } }

~~Response Fields~~:

~~Field~~ ~~Description~~
~~success~~ ~~Boolean indicating operation success~~
~~httpStatus~~ ~~HTTP status code as string~~
~~message~~ ~~Success message~~
~~action_time~~ ~~ISO 8601 timestamp of response generation~~
~~data.available~~ ~~Boolean indicating if username is available for use~~
~~data.valid~~ ~~Boolean indicating if username format is valid~~
~~data.message~~ ~~Detailed validation message~~
~~data.suggestions~~ ~~Array of alternative username suggestions (if taken)~~
~~data.details.correctLength~~ ~~Boolean indicating if length requirements are met~~
~~data.details.validFormat~~ ~~Boolean indicating if format requirements are met~~
~~data.details.notReserved~~ ~~Boolean indicating if username is not reserved~~
~~data.details.notTaken~~ ~~Boolean indicating if username is not already taken~~
~~data.details.formatRequirement~~ ~~String describing format requirements~~

~~Error Responses~~:

400 Bad Request~~: Invalid username parameter~~

401 Unauthorized~~: Missing or invalid JWT token~~

500 Internal Server Error~~: Server-side processing errors~~

~~5. Request Email Verification~~

~~Purpose~~~~: Send OTP to user's email for email verification~~

~~Endpoint~~: ~~POST~~ https://apinexgate.glueauth.com/api/v1/profile/request-email-verification

~~Access Level~~~~: 🔒 Protected (Requires JWT Bearer token)~~

~~Authentication~~~~: Bearer Token (JWT access token required)~~

~~Request Headers~~:

~~Header~~ ~~Type~~ ~~Required~~ ~~Description~~
~~Authorization~~ ~~string~~ ~~Yes~~ ~~Bearer {access_token}~~
~~Content-Type~~ ~~string~~ ~~Yes~~ ~~Must be "application/json"~~

~~Response JSON Sample~~:

{ "success": true, "httpStatus": "OK", "message": "Email verification OTP sent successfully", "action_time": "2025-09-23T10:50:00", "data": { "tempToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.events)..", "message": "Verification email sent successfully", "expireAt": "2025-09-23T11:00:00", "email": "jo***@example.com" } }

~~Response Fields~~:

~~Field~~ ~~Description~~
~~success~~ ~~Boolean indicating operation success~~
~~httpStatus~~ ~~HTTP status code as string~~
~~message~~ ~~Success message~~
~~action_time~~ ~~ISO 8601 timestamp of response generation~~
~~data.tempToken~~ ~~JWT temporary token for OTP verification~~
~~data.message~~ ~~Specific message about email sending~~
~~data.expireAt~~ ~~ISO 8601 timestamp when temp token expires~~
~~data.email~~ ~~Masked email address for privacy~~

~~Error Responses~~:

400 Bad Request~~: Email already verified~~

401 Unauthorized~~: Missing or invalid JWT token~~

429 Too Many Requests~~: Rate limit exceeded for OTP requests~~

500 Internal Server Error~~: Email sending or server errors~~

~~6. Verify Email~~

~~Purpose~~~~: Complete email verification using OTP code~~

~~Endpoint~~: ~~POST~~ https://apinexgate.glueauth.com/api/v1/profile/verify-email

~~Access Level~~~~: 🔒 Protected (Requires JWT Bearer token)~~

~~Authentication~~~~: Bearer Token (JWT access token required)~~

~~Request Headers~~:

~~Header~~ ~~Type~~ ~~Required~~ ~~Description~~
~~Authorization~~ ~~string~~ ~~Yes~~ ~~Bearer {access_token}~~
~~Content-Type~~ ~~string~~ ~~Yes~~ ~~Must be "application/json"~~

~~Request JSON Sample~~:

{ "tempToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...", "otpCode": "123456" }

~~Request Body Parameters~~:

~~Parameter~~ ~~Type~~ ~~Required~~ ~~Description~~ ~~Validation~~
~~tempToken~~ ~~string~~ ~~Yes~~ ~~Temporary token from email verification request~~ ~~Must be valid non-expired temp token~~
~~otpCode~~ ~~string~~ ~~Yes~~ ~~6-digit OTP code from email~~ ~~Must be exactly 6 digits (\d{6})~~

~~Response JSON Sample~~:

{ "success": true, "httpStatus": "OK", "message": "Email verified successfully", "action_time": "2025-09-23T10:55:00", "data": { "id": "123e4567-e89b-12d3-a456-426614174000", "userName": "johndoe-a1B2c3D", "firstName": "John", "lastName": "Doe", "middleName": "Michael", "email": "john.doe@example.com", "phoneNumber": "+255712345678", "isVerified": true, "isEmailVerified": true, "isPhoneVerified": false, "isTwoFactorEnabled": false, "isAccountLocked": false, "createdAt": "2025-09-23T10:00:00", "editedAt": "2025-09-23T10:55:00", "roles": ["ROLE_NORMAL_USER"], "profilePictureUrls": [], "securityStrength": { "score": 75, "level": "MEDIUM", "description": "Your account security is good but can be improved", "recommendations": [ "Verify your phone number", "Enable two-factor authentication" ] } } }

~~Response Fields~~:

~~Field~~ ~~Description~~
~~success~~ ~~Boolean indicating operation success~~
~~httpStatus~~ ~~HTTP status code as string~~
~~message~~ ~~Success message confirming email verification~~
~~action_time~~ ~~ISO 8601 timestamp of response generation~~
~~data~~ ~~Updated UserProfileResponse object with email verification status~~

~~Error Responses~~:

400 Bad Request~~: Invalid OTP format or missing required fields~~

401 Unauthorized~~: Missing or invalid JWT token or temp token~~

422 Unprocessable Entity~~: OTP verification failed or token expired~~

500 Internal Server Error~~: Server-side processing errors~~

~~7. Get Security Information~~

~~Purpose~~~~: Retrieve detailed security settings and account security strength~~

~~Endpoint~~: ~~GET~~ https://apinexgate.glueauth.com/api/v1/profile/security-info

~~Access Level~~~~: 🔒 Protected (Requires JWT Bearer token)~~

~~Authentication~~~~: Bearer Token (JWT access token required)~~

~~Request Headers~~:

~~Header~~ ~~Type~~ ~~Required~~ ~~Description~~
~~Authorization~~ ~~string~~ ~~Yes~~ ~~Bearer {access_token}~~
~~Content-Type~~ ~~string~~ ~~Yes~~ ~~Must be "application/json"~~

~~Response JSON Sample~~:

{ "success": true, "httpStatus": "OK", "message": "Security information retrieved successfully", "action_time": "2025-09-23T11:00:00", "data": { "isEmailVerified": true, "isPhoneVerified": false, "isTwoFactorEnabled": false, "isAccountLocked": false, "lastPasswordChange": "2025-09-23T10:40:00", "accountCreatedAt": "2025-09-23T10:00:00", "roles": ["ROLE_NORMAL_USER"], "securityStrength": { "score": 75, "level": "MEDIUM", "description": "Your account security is good but can be improved", "recommendations": [ "Verify your phone number", "Enable two-factor authentication" ] } } }

~~Response Fields~~:

~~Field~~ ~~Description~~
~~success~~ ~~Boolean indicating operation success~~
~~httpStatus~~ ~~HTTP status code as string~~
~~message~~ ~~Success message~~
~~action_time~~ ~~ISO 8601 timestamp of response generation~~
~~data.isEmailVerified~~ ~~Email verification status~~
~~data.isPhoneVerified~~ ~~Phone verification status~~
~~data.isTwoFactorEnabled~~ ~~Two-factor authentication status~~
~~data.isAccountLocked~~ ~~Account lock status~~
~~data.lastPasswordChange~~ ~~Timestamp of last password change~~
~~data.accountCreatedAt~~ ~~Account creation timestamp~~
~~data.roles~~ ~~Array of user roles/permissions~~
~~data.securityStrength~~ ~~Detailed security strength analysis~~

~~Error Responses~~:

401 Unauthorized~~: Missing or invalid JWT token~~

404 Not Found~~: User account not found~~

500 Internal Server Error~~: Server-side processing errors~~

~~8. Enable Two-Factor Authentication~~

~~Purpose~~~~: Enable two-factor authentication for enhanced account security~~

~~Endpoint~~: ~~POST~~ https://apinexgate.glueauth.com/api/v1/profile/enable-2fa

~~Access Level~~~~: 🔒 Protected (Requires JWT Bearer token)~~

~~Authentication~~~~: Bearer Token (JWT access token required)~~

~~Request Headers~~:

~~Header~~ ~~Type~~ ~~Required~~ ~~Description~~
~~Authorization~~ ~~string~~ ~~Yes~~ ~~Bearer {access_token}~~
~~Content-Type~~ ~~string~~ ~~Yes~~ ~~Must be "application/json"~~

~~Request JSON Sample~~:

{ "password": "CurrentPassword123!" }

~~Request Body Parameters~~:

~~Parameter~~ ~~Type~~ ~~Required~~ ~~Description~~ ~~Validation~~
~~password~~ ~~string~~ ~~Yes~~ ~~User's current password for verification~~ ~~Must match current password~~

~~Response JSON Sample~~:

{ "success": true, "httpStatus": "OK", "message": "Two-factor authentication enabled successfully", "action_time": "2025-09-23T11:05:00", "data": null }

~~Response Fields~~:

~~Field~~ ~~Description~~
~~success~~ ~~Boolean indicating operation success~~
~~httpStatus~~ ~~HTTP status code as string~~
~~message~~ ~~Success message confirming 2FA enablement~~
~~action_time~~ ~~ISO 8601 timestamp of response generation~~
~~data~~ ~~Always null for 2FA operations~~

~~Error Responses~~:

400 Bad Request~~: Missing password or 2FA already enabled~~

401 Unauthorized~~: Missing or invalid JWT token or incorrect password~~

422 Unprocessable Entity~~: Invalid password verification~~

500 Internal Server Error~~: Server-side processing errors~~

~~9. Disable Two-Factor Authentication~~

~~Purpose~~~~: Disable two-factor authentication with password verification~~

~~Endpoint~~: ~~POST~~ https://apinexgate.glueauth.com/api/v1/profile/disable-2fa

~~Access Level~~~~: 🔒 Protected (Requires JWT Bearer token)~~

~~Authentication~~~~: Bearer Token (JWT access token required)~~

~~Request Headers~~:

~~Header~~ ~~Type~~ ~~Required~~ ~~Description~~
~~Authorization~~ ~~string~~ ~~Yes~~ ~~Bearer {access_token}~~
~~Content-Type~~ ~~string~~ ~~Yes~~ ~~Must be "application/json"~~

~~Request JSON Sample~~:

{ "password": "CurrentPassword123!" }

~~Request Body Parameters~~:

~~Parameter~~ ~~Type~~ ~~Required~~ ~~Description~~ ~~Validation~~
~~password~~ ~~string~~ ~~Yes~~ ~~User's current password for verification~~ ~~Must match current password~~

~~Response JSON Sample~~:

{ "success": true, "httpStatus": "OK", "message": "Two-factor authentication disabled successfully", "action_time": "2025-09-23T11:10:00", "data": null }

~~Response Fields~~:

~~Field~~ ~~Description~~
~~success~~ ~~Boolean indicating operation success~~
~~httpStatus~~ ~~HTTP status code as string~~
~~message~~ ~~Success message confirming 2FA disablement~~
~~action_time~~ ~~ISO 8601 timestamp of response generation~~
~~data~~ ~~Always null for 2FA operations~~

~~Error Responses~~:

400 Bad Request~~: Missing password or 2FA not enabled~~

401 Unauthorized~~: Missing or invalid JWT token or incorrect password~~

422 Unprocessable Entity~~: Invalid password verification~~

500 Internal Server Error~~: Server-side processing errors~~

~~10. Deactivate Account~~

~~Purpose~~~~: Deactivate (soft delete) user account with password verification~~

~~Endpoint~~: ~~DELETE~~ https://apinexgate.glueauth.com/api/v1/profile/deactivate

~~Access Level~~~~: 🔒 Protected (Requires JWT Bearer token) ⚠️~~ ~~Irreversible action~~

~~Authentication~~~~: Bearer Token (JWT access token required)~~

~~Request Headers~~:

~~Header~~ ~~Type~~ ~~Required~~ ~~Description~~
~~Authorization~~ ~~string~~ ~~Yes~~ ~~Bearer {access_token}~~
~~Content-Type~~ ~~string~~ ~~Yes~~ ~~Must be "application/json"~~

~~Request JSON Sample~~:

{ "password": "CurrentPassword123!", "reason": "No longer using the platform" }

~~Request Body Parameters~~:

~~Parameter~~ ~~Type~~ ~~Required~~ ~~Description~~ ~~Validation~~
~~password~~ ~~string~~ ~~Yes~~ ~~User's current password for verification~~ ~~Must match current password~~
~~reason~~ ~~string~~ No ~~Optional reason for deactivation~~ ~~Max 500 characters~~

~~Response JSON Sample~~:

{ "success": true, "httpStatus": "OK", "message": "Account deactivated successfully", "action_time": "2025-09-23T11:15:00", "data": null }

~~Response Fields~~:

~~Field~~ ~~Description~~
~~success~~ ~~Boolean indicating operation success~~
~~httpStatus~~ ~~HTTP status code as string~~
~~message~~ ~~Success message confirming account deactivation~~
~~action_time~~ ~~ISO 8601 timestamp of response generation~~
~~data~~ ~~Always null for deactivation operations~~

~~Error Responses~~:

400 Bad Request~~: Missing password or invalid reason length~~

401 Unauthorized~~: Missing or invalid JWT token or incorrect password~~

422 Unprocessable Entity~~: Invalid password verification~~

500 Internal Server Error~~: Server-side processing errors~~

~~11. Get My Profile Summary (Modified from Get Current User Profile)~~

~~Purpose~~~~: Retrieve the authenticated user's profile summary with stats~~

Endpoint: GET {base_url}/api/v1/profile/me

Access Level: 🔒 Protected (Requires ~~Authentication)~~valid JWT — own profile only)

Authentication: Bearer Token

Request Headers:

Header Type Required Description

Authorization string Yes Bearer token for authentication<jwt_token>

Success Response JSON Sample:

{ "success": true, "httpStatus": "OK", "message": "Profile retrieved successfully", "action_time": "2026-05-19T10:30:45", "data": { "id": "550e8400-e29b-41d4-a716-446655440000", "userName": "john_doe", "firstName": "John", "lastName": "Doe", "middleName": null, "email": "john@example.com", "phoneNumber": "+254712345678", "bio": "Building cool things.", "location": "Nairobi, Kenya", "profilePictureUrls": [ "https://cdn.example.com/profiles/john_main.jpg" ], "isVerified": true, "isEmailVerified": true, "isPhoneVerified": true, "isTwoFactorEnabled": false, "isAccountLocked": false, "followersCount": 1420, "followingCount": 310, "postsCount": 42, "shopsCount": 1, "eventsCount": 3, "createdAt": "2025-12-29T17:01T14:00:00", "editedAt": "2026-05-10T08:22:00", "roles": ["ROLE_USER"], "securityStrength": { "score": 50, "level": "MEDIUM", "description": "Your account security is good but can be improved", "recommendations": ["Enable two-factor authentication"] } } }

Success Response Fields:

Field Description
id Account UUID
userName Public username
firstName First name
lastName Last name
middleName Middle name (may be null)
email Linked email address (private — only visible to owner)
phoneNumber Linked phone number (private — only visible to owner)
bio Profile bio text
location Location string
profilePictureUrls Array of profile picture URLs (first is primary)
isVerified Whether the account has been verified
isEmailVerified Whether the email has been verified
isPhoneVerified Whether the phone has been verified
isTwoFactorEnabled Whether 2FA is active
isAccountLocked Whether the account is deactivated or locked
followersCount Number of accepted followers
followingCount Number of accounts the user is following
postsCount Number of published posts
shopsCount Number of active shops
eventsCount Number of published events
createdAt ISO 8601 account creation timestamp
editedAt ISO 8601 last profile update timestamp
roles Array of assigned role strings
securityStrength.score Security health score 0–100
securityStrength.level VERY_WEAK, WEAK, MEDIUM, or STRONG
securityStrength.recommendations Actionable steps to improve security score

Error Response JSON Sample:

{ "success": false, "httpStatus": "UNAUTHORIZED", "message": "Token has expired", "action_time": "2026-05-19T10:30:45", "data": "Token has expired" }

2. Get Profile by User ID

Purpose: Returns the public profile summary of any user by their UUID. Authenticated callers additionally receive relationship context (isFollowing, isBlocked, etc.).

Endpoint: GET {base_url}/api/v1/profile/id/{userId}

Access Level: 🌐 Public (Relationship info available when authenticated)

Authentication: Bearer Token (optional)

Request Headers:

Header Type Required Description
Authorization string No Bearer <jwt_token> — include to get relationship data

Path Parameters:

Parameter Type Required Description Validation
userId UUID Yes The UUID of the user whose profile to fetch Valid UUID format

Success Response JSON Sample:

{ "success": true, "httpStatus": "OK", "message": "Profile retrieved successfully", "action_time": "2026-05-19T10:30:45", "data": { "userId": "550e8400-e29b-41d4-a716-446655440000", "userName": "john_doe", "firstName": "John", "lastName": "Doe", "profilePictureUrl": "https://storage.cdn.example.com/profiles/john.john_main.jpg", "bio": "TechBuilding enthusiastcool | Entrepreneur | Dar es Salaam"things.", "location": "DarNairobi, es Salaam, Tanzania"Kenya", "isVerified": true, "followersCount": 1250,1420, "followingCount": 340,310, "postsCount": 85, "shopsCount": 2, "eventsCount": 5, "createdAt": "2024-03-15T08:00:00", "isOwnProfile": true, "relationship": null } }

~~Success Response Fields~~:

~~Field~~ ~~Description~~
~~userId~~ ~~Unique identifier of the user~~
~~userName~~ ~~Username handle~~
~~firstName~~ ~~User's first name~~
~~lastName~~ ~~User's last name~~
~~profilePictureUrl~~ ~~URL to profile picture~~
~~bio~~ ~~User's bio/description~~
~~location~~ ~~User's location~~
~~isVerified~~ ~~Whether user is verified~~
~~followersCount~~ ~~Number of followers~~
~~followingCount~~ ~~Number of users following~~
~~postsCount~~ ~~Number of published posts~~
~~shopsCount~~ ~~Number of active shops owned~~
~~eventsCount~~ ~~Number of published events created~~
~~createdAt~~ ~~Account creation date~~
~~isOwnProfile~~ ~~Always~~ true ~~for this endpoint~~
~~relationship~~ ~~Always~~ null ~~for own profile~~

~~Error Response JSON Sample~~:

{ "success": false, "httpStatus": "UNAUTHORIZED", "message": "User not authenticated", "action_time": "2025-12-29T17:00:00", "data": null }

~~Standard Error Types~~:

401 UNAUTHORIZED~~: Missing or invalid authentication token~~

~~12. Get User Profile by ID~~

~~Purpose~~~~: Retrieve a user's profile summary by their unique ID~~

~~Endpoint~~: ~~GET~~ {base_url}/api/v1/profile/id/{userId}

~~Access Level~~~~: 🔒 Protected (Requires Authentication)~~

~~Authentication~~~~: Bearer Token~~

~~Request Headers~~:

~~Header~~ ~~Type~~ ~~Required~~ ~~Description~~
~~Authorization~~ ~~string~~ ~~Yes~~ ~~Bearer token for authentication~~

~~Path Parameters~~:

~~Parameter~~ ~~Type~~ ~~Required~~ ~~Description~~ ~~Validation~~
~~userId~~ ~~UUID~~ ~~Yes~~ ~~Unique identifier of the user~~ ~~Valid UUID format~~

~~Success Response JSON Sample (Viewing Other User)~~:

{ "success": true, "httpStatus": "OK", "message": "Profile retrieved successfully", "action_time": "2025-12-29T17:00:00", "data": { "userId": "660e8400-e29b-41d4-a716-446655440001", "userName": "jane_smith", "firstName": "Jane", "lastName": "Smith", "profilePictureUrl": "https://storage.example.com/profiles/jane.jpg", "bio": "Fashion designer | Shop owner | Arusha", "location": "Arusha, Tanzania", "isVerified": true, "followersCount": 5420, "followingCount": 180, "postsCount": 320,42, "shopsCount": 1, "eventsCount": 12,3, "createdAt": "2023-08-20T10:2025-12-01T14:00:00", "isOwnProfile": false, "relationship": { "isFollowing": true, "isFollowedBy": false, "isBlocked": false, "isBlockedBy": false } } }

Success Response Fields:

Field Description
userId Account UUID
userName Public username
firstName First name
lastName Last name
profilePictureUrl Primary profile picture URL (first in the list, may be null)
bio Profile bio
location Location string
isVerified Whether the account has been platform-verified
followersCount Number of accepted followers
followingCount Number of accounts the user follows
postsCount Number of published posts
shopsCount Number of active shops
eventsCount Number of published events
createdAt ISO 8601 account creation timestamp
isOwnProfile true if the authenticated caller is viewing their own profile
relationship Present only when the caller is authenticated and viewing someone else's profile
relationship.isFollowing true if the caller follows this user
relationship.isFollowedBy true if this user follows the caller
relationship.isBlocked true if the caller has blocked this user
relationship.isBlockedBy true if this user has blocked the caller

Error Response JSON Sample:
~~(Viewing~~
{ Own"success": false, "httpStatus": "NOT_FOUND", "message": "User not found", "action_time": "2026-05-19T10:30:45", "data": "User not found" }

3. Get Profile by ~~ID)~~Username

Purpose: Returns the public profile summary of any user by their username. Authenticated callers additionally receive relationship context. Functionally identical to endpoint 2 but accessed via username instead of UUID.

Endpoint: GET {base_url}/api/v1/profile/u/{username}

Access Level: 🌐 Public (Relationship info available when authenticated)

Authentication: Bearer Token (optional)

Request Headers:

Header Type Required Description
Authorization string No Bearer <jwt_token> — include to get relationship data

Path Parameters:

Parameter Type Required Description Validation
username string Yes The public username to look up Supports @username format

Success Response JSON Sample:

{ "success": true, "httpStatus": "OK", "message": "Profile retrieved successfully", "action_time": "2025-12-29T17:00:00"2026-05-19T10:30:45", "data": { "userId": "550e8400-e29b-41d4-a716-446655440000", "userName": "john_doe", "firstName": "John", "lastName": "Doe", "profilePictureUrl": "https://storage.cdn.example.com/profiles/john.john_main.jpg", "bio": "TechBuilding enthusiastcool | Entrepreneur | Dar es Salaam"things.", "location": "DarNairobi, es Salaam, Tanzania"Kenya", "isVerified": true, "followersCount": 1250,1420, "followingCount": 340,310, "postsCount": 85,42, "shopsCount": 2,1, "eventsCount": 5,3, "createdAt": "2024-03-15T08:2025-12-01T14:00:00", "isOwnProfile": true,false, "relationship": null{ "isFollowing": false, "isFollowedBy": false, "isBlocked": false, "isBlockedBy": false } } }

Success Response Fields: Same as endpoint 2 — see Get Profile by User ID.

~~Field~~ ~~Description~~
~~userId~~ ~~Unique identifier of the user~~
~~userName~~ ~~Username handle~~
~~firstName~~ ~~User's first name~~
~~lastName~~ ~~User's last name~~
~~profilePictureUrl~~ ~~URL to profile picture~~
~~bio~~ ~~User's bio/description~~
~~location~~ ~~User's location~~
~~isVerified~~ ~~Whether user is verified~~
~~followersCount~~ ~~Number of followers~~
~~followingCount~~ ~~Number of users following~~
~~postsCount~~ ~~Number of published posts~~
~~shopsCount~~ ~~Number of active shops owned~~
~~eventsCount~~ ~~Number of published events created~~
~~createdAt~~ ~~Account creation date~~
~~isOwnProfile~~ true ~~if viewing own profile,~~ false ~~otherwise~~
~~relationship~~ ~~Relationship info (null if~~ isOwnProfile ~~is true)~~

~~Relationship Object Fields~~:

~~Field~~ ~~Description~~
~~isFollowing~~ ~~Whether viewer follows this user~~
~~isFollowedBy~~ ~~Whether this user follows viewer~~
~~isBlocked~~ ~~Whether viewer has blocked this user~~
~~isBlockedBy~~ ~~Whether this user has blocked viewer~~

Error Response JSON Sample:

{ "success": false, "httpStatus": "BAD_REQUEST"NOT_FOUND", "message": "User not found", "action_time": "2025-12-29T17:00:00"2026-05-19T10:30:45", "data": null"User not found" }

~~Standard Error Types~~:

400 BAD_REQUEST~~: User not found~~

401 UNAUTHORIZED~~: Missing or invalid authentication token~~

~~13.~~4. ~~Get User~~Update Profile ~~by Username~~

Purpose: ~~Retrieve~~Updates athe authenticated user's ~~profile~~social/display ~~summary~~information. Only accepts social fields — username changes, email changes, and phone changes are handled by ~~their~~the ~~username~~Account API. All fields are optional; only fields provided will be updated.

Endpoint: ~~GET~~PUT {base_url}/api/v1/profile/u/{username}update

Access Level: 🔒 Protected (Requires ~~Authentication)~~valid JWT — own profile only)

Authentication: Bearer Token

Request Headers:
~~forauthentication~~

Header Type Required Description

Authorization string Yes Bearer token<jwt_token>

Content-Type string Yes application/json

~~Path~~Request JSON Sample:

{ "firstName": "John", "lastName": "Doe", "middleName": "K", "bio": "Building cool things one commit at a time.", "location": "Nairobi, Kenya", "profilePictureUrls": [ "https://cdn.example.com/profiles/john_main.jpg", "https://cdn.example.com/profiles/john_alt.jpg" ] }

Request Body Parameters:
~~username~~

Parameter Type Required Description Validation

~~username~~firstName string ~~Yes~~No ~~Username~~First name 1–30 characters
lastName string No Last name 1–30 characters
middleName string No Middle name Max 30 characters
bio string No Short bio shown on profile No length constraint enforced here
location string No Location string shown on profile No length constraint enforced here
profilePictureUrls array of ~~the user~~strings ~~Valid~~No Ordered ~~format~~list of image URLs Max 5 items; each URL must be a valid https:// image URL ending in .jpg, .jpeg, .png, .gif, or .webp; max 500 characters per URL

Note: To change your username, use POST /api/v1/account/username/change. To change your email or phone number, use the Account Linking API (/api/v1/account/link).

Success Response JSON Sample ~~(Viewing Other User)~~:

{ "success": true, "httpStatus": "OK", "message": "Profile retrievedupdated successfully", "action_time": "2025-12-29T17:00:00"2026-05-19T10:30:45", "data": { "userId": "660e8400-e29b-41d4-a716-446655440001", "userName": "jane_smith", "firstName": "Jane", "lastName": "Smith", "profilePictureUrl": "https://storage.example.com/profiles/jane.jpg", "bio": "Fashion designer | Shop owner | Arusha", "location": "Arusha, Tanzania", "isVerified": true, "followersCount": 5420, "followingCount": 180, "postsCount": 320, "shopsCount": 1, "eventsCount": 12, "createdAt": "2023-08-20T10:00:00", "isOwnProfile": false, "relationship": { "isFollowing": true, "isFollowedBy": true, "isBlocked": false, "isBlockedBy": false } } }

~~Success Response JSON Sample (Viewing Own Profile by Username)~~:

{ "success": true, "httpStatus": "OK", "message": "Profile retrieved successfully", "action_time": "2025-12-29T17:00:00", "data": { "userId"id": "550e8400-e29b-41d4-a716-446655440000", "userName": "john_doe", "firstName": "John", "lastName": "Doe", "profilePictureUrl"middleName": "https://storage.example.com/profiles/john.jpg"K", "email": "john@example.com", "phoneNumber": "+254712345678", "bio": "TechBuilding enthusiastcool |things Entrepreneurone |commit Darat esa Salaam"time.", "location": "DarNairobi, esKenya", Salaam,"profilePictureUrls": Tanzania"[ "https://cdn.example.com/profiles/john_main.jpg", "https://cdn.example.com/profiles/john_alt.jpg" ], "isVerified": true, "followersCount"isEmailVerified": 1250,true, "followingCount"isPhoneVerified": 340,true, "postsCount"isTwoFactorEnabled": 85,false, "shopsCount"isAccountLocked": 2, "eventsCount": 5,false, "createdAt": "2024-03-15T08:2025-12-01T14:00:00", "isOwnProfile"editedAt": true,"2026-05-19T10:30:45", "relationship"roles": null["ROLE_USER"], "securityStrength": { "score": 50, "level": "MEDIUM", "description": "Your account security is good but can be improved", "recommendations": ["Enable two-factor authentication"] } } }

Success Response Fields:

Field Description

~~userId~~id ~~Unique~~Account ~~identifier of the user~~UUID

userName ~~Username~~Public ~~handle~~username (unchanged by this endpoint)

firstName ~~User's~~Updated first name

lastName ~~User's~~Updated last name

~~profilePictureUrl~~middleName ~~URL~~Updated tomiddle ~~profile~~name ~~picture~~(may be null)

~~bio~~email ~~User's~~Current ~~bio/description~~email (unchanged by this endpoint)

~~location~~phoneNumber ~~User's~~Current phone number (unchanged by this endpoint)
bio Updated bio
location Updated location

~~isVerified~~profilePictureUrls ~~Whether~~Updated ~~user~~list isof ~~verified~~profile picture URLs

~~followersCount~~isVerified ~~Number~~Account ofverification ~~followers~~status

~~followingCount~~isEmailVerified ~~Number~~Email ofverification ~~users following~~status

~~postsCount~~isPhoneVerified ~~Number~~Phone ofverification ~~published posts~~status

~~shopsCount~~isTwoFactorEnabled ~~Number~~2FA ~~of active shops owned~~status

~~eventsCount~~isAccountLocked ~~Number~~Account oflock ~~published events created~~status

createdAt Account creation ~~date~~timestamp

~~isOwnProfile~~editedAt trueUpdated iftimestamp ~~viewing~~reflecting ~~own~~this ~~profile,~~ false ~~otherwise~~change

~~relationship~~roles ~~Relationship~~Assigned ~~info~~role ~~(null if~~ isOwnProfile ~~is true)~~

~~Relationship Object Fields~~:

~~Field~~ ~~Description~~
~~isFollowing~~ ~~Whether viewer follows this user~~strings

~~isFollowedBy~~securityStrength ~~Whether~~Current ~~this~~security ~~user~~score ~~follows~~and ~~viewer~~
~~isBlocked~~ ~~Whether viewer has blocked this user~~
~~isBlockedBy~~ ~~Whether this user has blocked viewer~~recommendations

Error Response JSON Sample:

{ "success": false, "httpStatus": "BAD_REQUEST"UNPROCESSABLE_ENTITY", "message": "UserValidation not found"failed", "action_time": "2025-12-29T17:00:00"2026-05-19T10:30:45", "data": null{ "firstName": "First name must be between 1 and 30 characters", "profilePictureUrls": "Maximum 5 profile pictures allowed" } }

~~Standard Error Types~~:

400 BAD_REQUEST~~: User not found~~

401 UNAUTHORIZED~~: Missing or invalid authentication token~~

Quick Reference — All Profile Endpoints ~~Summary~~
profile ~~if own username~~if~~profile~~

# Method Endpoint ~~Purpose~~Auth isOwnProfile relationshipDescription

1 GET GET /api/v1/profile/me ~~Get~~🔒 ~~my profile~~Required ~~Always~~Full true ~~Always~~— nullown account only

2 GET GET /api/v1/profile/id/{userId} ~~Get~~🌐 Optional Public profile by ID true ~~if own ID~~ null ~~if own profile~~UUID

3 GET GET /api/v1/profile/u/{username} ~~Get~~🌐 Optional Public profile by username
true4 PUT null/profile/update 🔒 ~~own~~Required Update display info

~~Relationship~~What ~~Field~~Belongs ~~Logic~~in Profile vs Account
GETPUT ~~isFollowedBy,isBlocked,isBlockedBy~~

~~Scenario~~I want to… isOwnProfile relationshipUse

~~Viewing~~View ~~own~~my full profile ~~via~~ /me true null/profile/me

~~Viewing~~View ~~own~~someone else's profile ~~via~~ /id/{myId} trueGET /profile/u/{username} or nullGET /profile/id/{id}

~~Viewing~~Update ~~own~~my ~~profile~~name, ~~via~~bio, /u/{myUsername}location, or picture true null/profile/update

~~Viewing~~Change ~~other~~my ~~user's profile~~username falsePOST /api/v1/account/username/change
Change my email address {POST isFollowing,/api/v1/account/link/email/initiate

Change }my phone number Phone OTP verification flow
Change my password POST /api/v1/account/password/change
Enable or disable 2FA POST /api/v1/account/2fa/enable or /disable
Verify my email POST /api/v1/account/email/request-verification → /email/verify
View my security status GET /api/v1/account/security-info
Deactivate my account DELETE /api/v1/account/deactivate

~~Frontend Usage Example~~

const profile = response.data; if (profile.isOwnProfile) { // Show edit profile button // Hide follow/block buttons showEditProfileButton(); } else { // Show follow button based on relationship if (profile.relationship.isFollowing) { showUnfollowButton(); } else { showFollowButton(); } // Show "Follows you" badge if (profile.relationship.isFollowedBy) { showFollowsYouBadge(); } // Handle blocked state if (profile.relationship.isBlockedBy) { showLimitedProfile(); disableInteractions(); } }

~~Quick Reference Guide~~

~~Security Strength Scoring~~

~~Email Verification~~~~: 25 points~~

~~Phone Verification~~~~: 25 points~~

~~Two-Factor Authentication~~~~: 35 points~~

~~Recent Password Change~~~~: 15 points (within 6 months)~~

~~Security Levels~~

~~STRONG (80-100)~~~~: Excellent security~~

~~MEDIUM (60-79)~~~~: Good security, can be improved~~

~~WEAK (40-59)~~~~: Needs improvement~~

~~VERY_WEAK (0-39)~~~~: Poor security, immediate attention needed~~

~~Profile Picture Requirements~~

~~Format~~~~: HTTPS URLs only~~

~~File Types~~~~: JPG, JPEG, PNG, GIF, WebP~~

~~Limit~~~~: Maximum 5 profile pictures~~

~~Size~~~~: No specific limit (handled by file service)~~

~~Security~~~~: SSRF protection implemented~~

~~Common HTTP Status Codes~~

200 OK~~: Successful GET/PUT request~~

204 No Content~~: Successful DELETE request~~

400 Bad Request~~: Invalid request data~~

401 Unauthorized~~: Authentication required/failed~~

403 Forbidden~~: Insufficient permissions~~

404 Not Found~~: Resource not found~~

409 Conflict~~: Username/email already taken~~

422 Unprocessable Entity~~: Validation errors~~

429 Too Many Requests~~: Rate limit exceeded~~

500 Internal Server Error~~: Server error~~

~~Authentication Types~~

~~Bearer Token~~~~: Include~~ Authorization: Bearer your_access_token ~~in headers~~

~~Password Verification~~~~: Required for sensitive operations (password change, 2FA, deactivation)~~

~~OTP Verification~~~~: Required for email/phone verification~~

~~Re-authentication~~~~: Required after username changes~~

~~Data Format Standards~~

~~Dates~~~~: Use ISO 8601 format (2025-09-23T10:30:00Z)~~

~~Phone Numbers~~~~: E.164 international format (+1234567890)~~

~~UUIDs~~~~: Standard UUID format for all identifiers~~

~~URLs~~~~: Full HTTPS URLs for profile pictures~~

~~Passwords~~~~: Min 8 chars, uppercase, lowercase, digit, special character~~

User Profile Management Service

EndpointsStandard Response Format

1.

Success Get Current User Profile

Error Response Structure

Standard Response Fields:

Standard Error Responses:
Types

2.Endpoints

1. BasicGet My Profile Information

3. Change Password

4. Validate Username Availability

5. Request Email Verification

6. Verify Email

7. Get Security Information

8. Enable Two-Factor Authentication

9. Disable Two-Factor Authentication

10. Deactivate Account

11. Get My Profile Summary (Modified from Get Current User Profile)

2. Get Profile by User ID

12. Get User Profile by ID

3. Get Profile by ID)Username

13.4. Get UserUpdate Profile by Username

Quick Reference — All Profile Endpoints Summary

RelationshipWhat FieldBelongs Logicin Profile vs Account

Frontend Usage Example

Quick Reference Guide

Security Strength Scoring

Security Levels

Profile Picture Requirements

Common HTTP Status Codes

Authentication Types

Data Format Standards

Field	Type	Description
`success`	~~Boolean~~boolean	`true` ~~operation~~for ~~success~~successful operations, `false` for errors
`httpStatus`	string	HTTP status ~~code~~name as(OK, ~~string~~BAD_REQUEST, NOT_FOUND, etc.)
`message`	~~Success~~string	Human-readable message describing the result
`action_time`	string	ISO 8601 timestamp of when the response ~~generation~~was generated
~~data.id~~`data`	~~Unique user identifier (UUID)~~
~~data.userName~~object/string	~~User's~~Response ~~unique~~payload ~~username~~
~~data.firstName~~	~~User's~~on ~~first name~~
~~data.lastName~~	~~User's last name~~
~~data.middleName~~	~~User's middle name~~
~~data.email~~	~~User's email address~~
~~data.phoneNumber~~	~~User's phone number in international format~~
~~data.isVerified~~	~~Overall account verification status~~
~~data.isEmailVerified~~	~~Email verification status~~
~~data.isPhoneVerified~~	~~Phone number verification status~~
~~data.isTwoFactorEnabled~~	~~Two-factor authentication status~~
~~data.isAccountLocked~~	~~Account lock status~~
~~data.createdAt~~	~~Account creation timestamp~~
~~data.editedAt~~	~~Last profile modification timestamp~~
~~data.roles~~	~~Array of user roles/permissions~~
~~data.profilePictureUrls~~	~~Array of profile picture URLs (max 5)~~
~~data.securityStrength.score~~	~~Security score from 0-100~~
~~data.securityStrength.level~~	~~Security level (WEAK, MEDIUM, STRONG, VERY_WEAK)~~
~~data.securityStrength.description~~	~~Human-readable security assessment~~
~~data.securityStrength.recommendations~~	~~Array of security improvement suggestions~~failure

~~Parameter~~	~~Type~~	~~Required~~	~~Description~~	~~Validation~~
~~userName~~	~~string~~	No	~~New username (triggers re-authentication if changed)~~	~~3-30 chars, start with letter, alphanumeric + underscore/hyphen only~~
~~firstName~~	~~string~~	No	~~User's first name~~	~~1-30 characters~~
~~lastName~~	~~string~~	No	~~User's last name~~	~~1-30 characters~~
~~middleName~~	~~string~~	No	~~User's middle name~~	~~Max 30 characters~~
~~email~~	~~string~~	No	~~User's email address (requires re-~~verification ~~if changed)~~	~~Valid email format~~
~~phoneNumber~~	~~string~~	No	~~Phone number (requires re-verification if changed)~~	~~E.164 international format (+1234567890)~~
~~profilePictureUrls~~	~~array~~	No	~~Array of profile picture URLs~~	~~Max 5 URLs, valid HTTPS image URLs only~~

~~Field~~	~~Description~~
~~success~~	~~Boolean indicating operation success~~
~~httpStatus~~	~~HTTP status code as string~~
~~message~~	~~Success message (special message if username changed)~~
~~action_time~~	~~ISO 8601 timestamp of response generation~~
~~data~~	~~Updated UserProfileResponse object with complete profile data~~

~~Parameter~~	~~Type~~	~~Required~~	~~Description~~	~~Validation~~
~~currentPassword~~	~~string~~	~~Yes~~	~~User's current password~~	~~Must match current password~~
~~newPassword~~	~~string~~	~~Yes~~	~~New password~~	~~Min 8 chars, uppercase, lowercase, digit, special character~~
~~confirmPassword~~	~~string~~	~~Yes~~	~~Confirmation of new password~~	~~Must match newPassword exactly~~

~~Parameter~~	~~Type~~	~~Required~~	~~Description~~	~~Validation~~
~~tempToken~~	~~string~~	~~Yes~~	~~Temporary token from email verification request~~	~~Must be valid non-expired temp token~~
~~otpCode~~	~~string~~	~~Yes~~	~~6-digit OTP code from email~~	~~Must be exactly 6 digits (\d{6})~~

~~Parameter~~	~~Type~~	~~Required~~	~~Description~~	~~Validation~~
~~password~~	~~string~~	~~Yes~~	~~User's current password for verification~~	~~Must match current password~~
~~reason~~	~~string~~	No	~~Optional reason for deactivation~~	~~Max 500 characters~~

Field	Description
`id`	Account UUID
`userName`	Public username
`firstName`	First name
`lastName`	Last name
`middleName`	Middle name (may be null)
`email`	Linked email address (private — only visible to owner)
`phoneNumber`	Linked phone number (private — only visible to owner)
`bio`	Profile bio text
`location`	Location string
`profilePictureUrls`	Array of profile picture URLs (first is primary)
`isVerified`	Whether the account has been verified
`isEmailVerified`	Whether the email has been verified
`isPhoneVerified`	Whether the phone has been verified
`isTwoFactorEnabled`	Whether 2FA is active
`isAccountLocked`	Whether the account is deactivated or locked
`followersCount`	Number of accepted followers
`followingCount`	Number of accounts the user is following
`postsCount`	Number of published posts
`shopsCount`	Number of active shops
`eventsCount`	Number of published events
`createdAt`	ISO 8601 account creation timestamp
`editedAt`	ISO 8601 last profile update timestamp
`roles`	Array of assigned role strings
`securityStrength.score`	Security health score 0–100
`securityStrength.level`	`VERY_WEAK`, `WEAK`, `MEDIUM`, or `STRONG`
`securityStrength.recommendations`	Actionable steps to improve security score

~~Field~~	~~Description~~
~~userId~~	~~Unique identifier of the user~~
~~userName~~	~~Username handle~~
~~firstName~~	~~User's first name~~
~~lastName~~	~~User's last name~~
~~profilePictureUrl~~	~~URL to profile picture~~
~~bio~~	~~User's bio/description~~
~~location~~	~~User's location~~
~~isVerified~~	~~Whether user is verified~~
~~followersCount~~	~~Number of followers~~
~~followingCount~~	~~Number of users following~~
~~postsCount~~	~~Number of published posts~~
~~shopsCount~~	~~Number of active shops owned~~
~~eventsCount~~	~~Number of published events created~~
~~createdAt~~	~~Account creation date~~
~~isOwnProfile~~	~~Always~~ `true` ~~for this endpoint~~
~~relationship~~	~~Always~~ `null` ~~for own profile~~

Field	Description
`userId`	Account UUID
`userName`	Public username
`firstName`	First name
`lastName`	Last name
`profilePictureUrl`	Primary profile picture URL (first in the list, may be null)
`bio`	Profile bio
`location`	Location string
`isVerified`	Whether the account has been platform-verified
`followersCount`	Number of accepted followers
`followingCount`	Number of accounts the user follows
`postsCount`	Number of published posts
`shopsCount`	Number of active shops
`eventsCount`	Number of published events
`createdAt`	ISO 8601 account creation timestamp
`isOwnProfile`	`true` if the authenticated caller is viewing their own profile
`relationship`	Present only when the caller is authenticated and viewing someone else's profile
`relationship.isFollowing`	`true` if the caller follows this user
`relationship.isFollowedBy`	`true` if this user follows the caller
`relationship.isBlocked`	`true` if the caller has blocked this user
`relationship.isBlockedBy`	`true` if this user has blocked the caller

~~Field~~	~~Description~~
~~isFollowing~~	~~Whether viewer follows this user~~
~~isFollowedBy~~	~~Whether this user follows viewer~~
~~isBlocked~~	~~Whether viewer has blocked this user~~
~~isBlockedBy~~	~~Whether this user has blocked viewer~~

Header	Type	Required	Description
`Authorization`	string	Yes	`Bearer token<jwt_token>`
`Content-Type`	string	Yes	`application/json`

Parameter	Type	Required	Description	Validation
~~username~~`firstName`	string	~~Yes~~No	~~Username~~First name	1–30 characters
`lastName`	string	No	Last name	1–30 characters
`middleName`	string	No	Middle name	Max 30 characters
`bio`	string	No	Short bio shown on profile	No length constraint enforced here
`location`	string	No	Location string shown on profile	No length constraint enforced here
`profilePictureUrls`	array of ~~the user~~strings	~~Valid~~No	Ordered ~~format~~list of image URLs	Max 5 items; each URL must be a valid `https://` image URL ending in `.jpg`, `.jpeg`, `.png`, `.gif`, or `.webp`; max 500 characters per URL

Field	Description
~~userId~~`id`	~~Unique~~Account ~~identifier of the user~~UUID
`userName`	~~Username~~Public ~~handle~~username (unchanged by this endpoint)
`firstName`	~~User's~~Updated first name
`lastName`	~~User's~~Updated last name
~~profilePictureUrl~~`middleName`	~~URL~~Updated tomiddle ~~profile~~name ~~picture~~(may be null)
~~bio~~`email`	~~User's~~Current ~~bio/description~~email (unchanged by this endpoint)
~~location~~`phoneNumber`	~~User's~~Current phone number (unchanged by this endpoint)
`bio`	Updated bio
`location`	Updated location
~~isVerified~~`profilePictureUrls`	~~Whether~~Updated ~~user~~list isof ~~verified~~profile picture URLs
~~followersCount~~`isVerified`	~~Number~~Account ofverification ~~followers~~status
~~followingCount~~`isEmailVerified`	~~Number~~Email ofverification ~~users following~~status
~~postsCount~~`isPhoneVerified`	~~Number~~Phone ofverification ~~published posts~~status
~~shopsCount~~`isTwoFactorEnabled`	~~Number~~2FA ~~of active shops owned~~status
~~eventsCount~~`isAccountLocked`	~~Number~~Account oflock ~~published events created~~status
`createdAt`	Account creation ~~date~~timestamp
~~isOwnProfile~~`editedAt`	`true`Updated iftimestamp ~~viewing~~reflecting ~~own~~this ~~profile,~~ `false` ~~otherwise~~change
~~relationship~~`roles`	~~Relationship~~Assigned ~~info~~role ~~(null if~~ `isOwnProfile` ~~is true)~~

~~Field~~	~~Description~~
~~isFollowing~~	~~Whether viewer follows this user~~strings
~~isFollowedBy~~`securityStrength`	~~Whether~~Current ~~this~~security ~~user~~score ~~follows~~and ~~viewer~~
~~isBlocked~~	~~Whether viewer has blocked this user~~
~~isBlockedBy~~	~~Whether this user has blocked viewer~~recommendations

#	Method	Endpoint	~~Purpose~~Auth	`isOwnProfile`	`relationship`Description
1	GET	`GET /api/v1/profile/me`	~~Get~~🔒 ~~my profile~~Required	~~Always~~Full `true`	~~Always~~— `null`own account only
2	GET	`GET /api/v1/profile/id/{userId}`	~~Get~~🌐 Optional	Public profile by ID	`true` ~~if own ID~~	`null` ~~if own profile~~UUID
3	GET	`GET /api/v1/profile/u/{username}`	~~Get~~🌐 Optional	Public profile by username
`true`4	PUT	`null/profile/update`	🔒 ~~own~~Required	Update display info

~~Scenario~~I want to…	`isOwnProfile`	`relationship`Use
~~Viewing~~View ~~own~~my full profile ~~via~~ `/me`	`true`	`null/profile/me`
~~Viewing~~View ~~own~~someone else's profile ~~via~~ `/id/{myId}`	`trueGET /profile/u/{username}`	or `nullGET /profile/id/{id}`
~~Viewing~~Update ~~own~~my ~~profile~~name, ~~via~~bio, `/u/{myUsername}`location, or picture	`true`	`null/profile/update`
~~Viewing~~Change ~~other~~my ~~user's profile~~username	`falsePOST /api/v1/account/username/change`
Change my email address	`{POST isFollowing,/api/v1/account/link/email/initiate`
Change }my phone number	Phone OTP verification flow
Change my password	`POST /api/v1/account/password/change`
Enable or disable 2FA	`POST /api/v1/account/2fa/enable` or `/disable`
Verify my email	`POST /api/v1/account/email/request-verification` → `/email/verify`
View my security status	`GET /api/v1/account/security-info`
Deactivate my account	`DELETE /api/v1/account/deactivate`

User Profile Management Service

EndpointsStandard Response Format

1.

Success Get Current User Profile

Error Response Structure

Standard Response Fields:

Standard Error Responses:Types

2.Endpoints

1. BasicGet My Profile Information

3. Change Password

4. Validate Username Availability

5. Request Email Verification

6. Verify Email

7. Get Security Information

8. Enable Two-Factor Authentication

9. Disable Two-Factor Authentication

10. Deactivate Account

11. Get My Profile Summary (Modified from Get Current User Profile)

2. Get Profile by User ID

12. Get User Profile by ID

3. Get Profile by ID)Username

13.4. Get UserUpdate Profile by Username

Quick Reference — All Profile Endpoints Summary

RelationshipWhat FieldBelongs Logicin Profile vs Account

Frontend Usage Example

Quick Reference Guide

Security Strength Scoring

Security Levels

Profile Picture Requirements

Common HTTP Status Codes

Authentication Types

Data Format Standards

Standard Error Responses:
Types