The Users domain manages identity, profiles, and authorization. It provides the public profile system and rank-based access control.
Registration
User accounts are created automatically when a user signs up through the authentication provider. There is no manual registration endpoint -- account creation is handled entirely by the auth flow.
New accounts are initialized with:
- A default avatar path
- BEGINNER rank
- No bio
- Active status
User Profile
| Field | Type | Public | Description |
|---|---|---|---|
| userId | UUID | Yes | Unique identifier |
| username | string | Yes | Display name |
| photoUrl | string or null | Yes | Avatar URL |
| rank | UserRank | Yes | See rank system below |
| bio | string or null | Yes | User biography |
| isActive | boolean | Yes | Account status |
| createdAt / updatedAt | ISO date | Yes | Timestamps |
| email | string | No | Never exposed in API responses |
Privacy
Email addresses are never included in API responses. Public endpoints return a UserProfile (email stripped). Cross-domain references use a minimal UserSummary containing only userId, username, and photoUrl.
Rank System
| Rank | Level |
|---|---|
| BEGINNER | Default for new users |
| NOVICE | -- |
| ADEPT | -- |
| EXPERT | -- |
| MASTER | -- |
| GAME_MASTER | Admin access |
Rank rules:
- Only a GAME_MASTER can update any user's rank.
- A GAME_MASTER cannot remove their own GAME_MASTER rank (prevents admin lockout).
API Endpoints
| Method | Endpoint | Purpose | Auth |
|---|---|---|---|
| GET | /users | List users (paginated) | Required |
| GET | /users/{userId} | Get profile by UUID | Required |
| GET | /users/username/{username} | Get profile by handle | Required |
| PATCH | /users/{userId}/rank | Update a user's rank | Required (GAME_MASTER only) |
All endpoints require authentication. GET endpoints return UserProfile (email stripped).
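The privacy rule and the two rank rules above can be enforced in one place, as in this added example (it is not the project's own code). The field, rank and type names come from this page; UserRecord, the function names, the decision shape and the sample records are assumptions made for illustration.

```typescript
// Added example: UserRecord, the function names and the sample data are hypothetical.
type UserRank = "BEGINNER" | "NOVICE" | "ADEPT" | "EXPERT" | "MASTER" | "GAME_MASTER";
interface UserRecord {
  userId: string; username: string; photoUrl: string | null; rank: UserRank;
  bio: string | null; isActive: boolean; createdAt: string; updatedAt: string;
  email: string; // private: must never reach a response body
}
type UserProfile = Omit<UserRecord, "email">;
type UserSummary = Pick<UserRecord, "userId" | "username" | "photoUrl">;

// Allow-list projection: copy only the public fields instead of deleting `email`,
// so a private field added to the stored record later is not exposed by default.
function toUserProfile(u: UserRecord): UserProfile {
  const { userId, username, photoUrl, rank, bio, isActive, createdAt, updatedAt } = u;
  return { userId, username, photoUrl, rank, bio, isActive, createdAt, updatedAt };
}

function toUserSummary(u: UserRecord): UserSummary {
  return { userId: u.userId, username: u.username, photoUrl: u.photoUrl };
}

type RankDecision = { allowed: true } | { allowed: false; reason: string };

// Check for PATCH /users/{userId}/rank. `actor` is the authenticated caller's record
// loaded server-side; the caller's rank is never read from the request itself.
function authorizeRankUpdate(actor: UserRecord, targetUserId: string, newRank: UserRank): RankDecision {
  if (actor.rank !== "GAME_MASTER") {
    return { allowed: false, reason: "only a GAME_MASTER can update ranks" };
  }
  // UUIDs are case-insensitive, so compare normalized forms before the self-check.
  const isSelf = actor.userId.toLowerCase() === targetUserId.toLowerCase();
  if (isSelf && newRank !== "GAME_MASTER") {
    return { allowed: false, reason: "a GAME_MASTER cannot remove their own GAME_MASTER rank" };
  }
  return { allowed: true };
}

// Constructed sample records (not real data).
const admin: UserRecord = {
  userId: "0b9f6c1e-3a52-4d0e-9c7a-1f2e3d4c5b6a", username: "gm_alice", photoUrl: "/avatars/default.png",
  rank: "GAME_MASTER", bio: null, isActive: true,
  createdAt: "2024-01-01T00:00:00Z", updatedAt: "2024-01-01T00:00:00Z", email: "gm@example.test",
};
const player: UserRecord = {
  ...admin, userId: "7c1d2e3f-4a5b-4c6d-8e7f-9a0b1c2d3e4f", username: "bob", rank: "BEGINNER", email: "bob@example.test",
};
```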