Users

REST endpoints for the authenticated user's own profile — fetch, edit display name and phone number, change password.

The Users API exposes three endpoints under /api/v1/users that operate on the authenticated user's own profile. There are no admin endpoints in this group — every route resolves the target user from the session token, so a caller can only ever read or modify their own record. To manage other users in the organization (invite, remove, change roles), use the Portal UI.

Like Organizations and Webhooks, the Users API does not accept API keys. The whole /api/v1/users surface requires a Portal session token. Generate one with POST /api/v1/auth/login and pass it as Authorization: Bearer <jwt>. There is no API-key scope that grants access to the profile endpoints. See Authentication › JWT authentication.

The error envelope, rate limits and pagination conventions are documented once on API overview; only the per-endpoint error codes are listed below. Any signed-in user can call these endpoints on their own profile.

GET /api/v1/users/me

Returns the profile of the currently signed-in user, including uid, email, displayName, phoneNumber, role and createdAt.

Auth: Portal session token (any org member)

Response 200

{
  "uid": "user_xyz",
  "email": "owner@acme.example",
  "displayName": "Ana Popescu",
  "phoneNumber": "+40712345678",
  "createdAt": "2025-09-01T08:00:00.000Z",
  "role": "owner"
}

phoneNumber is null when the user has never set one. role is one of owner, admin, operator.

Errors

  • UNAUTHORIZED (401) — missing or invalid session token.

The full HTTP catalogue is on API overview › HTTP error code catalogue.

Example

curl https://api.e-bon.ro/api/v1/users/me \
  -H "Authorization: Bearer <portal-jwt>"

PATCH /api/v1/users/me

Updates the authenticated user's display name and/or phone number. Both fields are optional, but at least one must be provided. The Portal sidebar stays in sync automatically.

Auth: Portal session token (any org member)

Request body

Field        Type    Required  Notes
displayName  string  no        1–255 chars. Empty string is rejected.
phoneNumber  string  no        1–30 chars. Must be in E.164 format (e.g. +40712345678) — regex ^\+[1-9]\d{1,14}$.

The body must not be empty — at least one of displayName or phoneNumber must be present.

Response 200

The updated profile, in the same shape as GET /api/v1/users/me.

Errors

  • VALIDATION_ERROR (400) — request body failed validation (empty body, bad phone format, length out of range).
  • UNAUTHORIZED (401) — missing or invalid session token.

Example

curl -X PATCH https://api.e-bon.ro/api/v1/users/me \
  -H "Authorization: Bearer <portal-jwt>" \
  -H "Content-Type: application/json" \
  -d '{
    "displayName": "Ana Popescu",
    "phoneNumber": "+40712345678"
  }'
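
A client-side pre-flight check for the PATCH body, added here as an illustration and not e-bon's own code. It applies the rules from the request-body table above; build_profile_patch and its input dict are hypothetical names, and the sample values are constructed.

```python
import re

# Rules from the request-body table above. The page gives the pattern as
# ^\+[1-9]\d{1,14}$; it is applied here with fullmatch() and re.ASCII because
# Python's "$" also matches before a trailing newline and "\d" matches
# non-ASCII digits. How the server's regex engine treats those inputs is not
# documented, so this client-side check takes the strict reading.
E164 = re.compile(r"\+[1-9]\d{1,14}", re.ASCII)
LIMITS = {"displayName": 255, "phoneNumber": 30}


def build_profile_patch(fields):
    """Return (body, errors) for PATCH /api/v1/users/me.

    `fields` is a dict of candidate values (hypothetical helper input).
    Only the two documented keys are ever copied into the body.
    """
    body, errors = {}, []
    for name, limit in LIMITS.items():
        if name not in fields:
            continue
        value = fields[name]
        if not isinstance(value, str):
            errors.append(f"{name}: must be a string")
        elif not 1 <= len(value) <= limit:
            errors.append(f"{name}: length must be 1-{limit}")
        elif name == "phoneNumber" and not E164.fullmatch(value):
            errors.append("phoneNumber: not E.164")
        else:
            body[name] = value
    unknown = sorted(set(fields) - set(LIMITS))
    if unknown:
        errors.append("not a documented field: " + ", ".join(unknown))
    if not body and not errors:
        errors.append("body must contain displayName or phoneNumber")
    return (None, errors) if errors else (body, [])


if __name__ == "__main__":
    # Constructed sample inputs, not captured traffic.
    for sample in (
        {"displayName": "Ana Popescu", "phoneNumber": "+40712345678"},
        {"phoneNumber": "+40712345678\n"},   # trailing newline
        {"displayName": "Ana", "role": "owner"},
        {},
    ):
        print(sample, "->", build_profile_patch(sample))
```

Rejecting these inputs locally avoids a round trip that would end in VALIDATION_ERROR (400) and keeps undocumented keys such as role out of the request entirely.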

POST /api/v1/users/me/change-password

Changes the authenticated user's password after verifying that the current password is still valid. The current password must be supplied in the request and is checked before the new one is accepted.

Auth: Portal session token (any org member)

If the API server is not configured for password verification, the request fails with INTERNAL_ERROR (500) and the message Password verification is not configured. Contact your administrator if you see this.

Request body

Field            Type    Required  Notes
currentPassword  string  yes       The user's current password.
newPassword      string  yes       At least 8 characters.

Response 200

{ "message": "Password changed successfully" }

Errors

  • VALIDATION_ERROR (400) — request body failed validation (missing field, newPassword shorter than 8 chars).
  • UNAUTHORIZED (401) — missing or invalid session token, or currentPassword did not verify. In the latter case the error message is "Current password is incorrect".
  • INTERNAL_ERROR (500) — the server is not configured for password verification, or the user account has no email address on file.

Example

curl -X POST https://api.e-bon.ro/api/v1/users/me/change-password \
  -H "Authorization: Bearer <portal-jwt>" \
  -H "Content-Type: application/json" \
  -d '{
    "currentPassword": "old-secret",
    "newPassword": "a-much-longer-new-secret"
  }'

See also

  • Organizations & Locations API — JWT-only routes for the org profile, billing address, locations and notification subscribers.
  • Authentication — Portal JWT login flow and the API-key scope catalogue.
  • API overview — base URL, error envelope, rate limits, pagination, full HTTP error code catalogue.