# Staff API

## List Staff

`GET /api/staff?page=1&limit=20&role=MANAGER&search=john&isActive=true`

Authorization: `Bearer <manager-or-admin-token>`

Requires MANAGER or SUPER_ADMIN role.
Query Parameters:

| Param | Type | Description |
|---|---|---|
| page | number | Page number (default: 1) |
| limit | number | Items per page (default: 20, max: 50) |
| role | string | Filter by role: SUPER_ADMIN, MANAGER, STAFF |
| search | string | Search by name or email (case-insensitive) |
| isActive | string | Filter by active status: true or false |
Response: 200 OK

```json
{
"success": true,
"data": [
{
"id": "cuid",
"email": "staff@example.com",
"name": "Jane Doe",
"role": "STAFF",
"phone": null,
"isActive": true,
"locationId": "cuid",
"location": { "id": "cuid", "name": "Downtown" },
"createdAt": "2025-01-01T00:00:00.000Z"
}
],
"pagination": {
"page": 1,
"limit": 20,
"total": 5,
"totalPages": 1
}
}
```

## Get Staff Member
`GET /api/staff/:id`

Authorization: `Bearer <manager-or-admin-token>`

Requires MANAGER or SUPER_ADMIN role.

Response: 200 OK

```json
{
"success": true,
"data": {
"id": "cuid",
"email": "staff@example.com",
"name": "Jane Doe",
"role": "STAFF",
"phone": null,
"isActive": true,
"locationId": "cuid",
"location": { "id": "cuid", "name": "Downtown" },
"createdAt": "2025-01-01T00:00:00.000Z",
"updatedAt": "2025-01-01T00:00:00.000Z"
}
}
```

## Update Staff Member
`PATCH /api/staff/:id`

Authorization: `Bearer <super-admin-token>`

Requires SUPER_ADMIN role. Cannot change your own role.

Request:

```json
{
"name": "Jane Smith",
"role": "MANAGER",
"phone": "+1234567890",
"locationId": "cuid",
"isActive": true
}
```

All fields are optional.
Response: 200 OK

```json
{
"success": true,
"data": {
"id": "cuid",
"email": "staff@example.com",
"name": "Jane Smith",
"role": "MANAGER",
"phone": "+1234567890",
"isActive": true,
"locationId": "cuid",
"location": { "id": "cuid", "name": "Downtown" }
}
}
```

## Deactivate Staff Member
`DELETE /api/staff/:id`

Authorization: `Bearer <super-admin-token>`

Requires SUPER_ADMIN role. This is a soft delete: it sets isActive to false rather than removing the record. Cannot deactivate yourself.

Response: 200 OK

```json
{
"success": true,
"data": { "message": "Staff member deactivated" }
}
```

## Invite Staff
`POST /api/staff/invite`

Authorization: `Bearer <super-admin-token>`

Requires SUPER_ADMIN role. Creates a single-use invite token and sends it to the given address by email.

Request:

```json
{
"email": "newstaff@example.com",
"name": "Optional Name",
"role": "STAFF"
}
```

| Field | Required | Description |
|---|---|---|
| email | Yes | Email address for the invitation |
| name | No | Pre-filled name suggestion |
| role | No | Role to assign (default: STAFF) |
Response: 201 Created

The raw invite token is not part of the response body; it is delivered only in the email.

```json
{
"success": true,
"data": {
"id": "cuid",
"email": "newstaff@example.com",
"role": "STAFF",
"expiresAt": "2025-01-08T00:00:00.000Z"
}
}
```

## Validate Invite Token
`GET /api/staff/invite/:token`

Public endpoint; no authentication required.

Returns the invite details if the token is valid, unused, and not expired.

Response: 200 OK

```json
{
"success": true,
"data": {
"email": "newstaff@example.com",
"role": "STAFF"
}
}
```

## Accept Invite
`POST /api/staff/accept-invite`

Public endpoint; no authentication required.

Creates a new user account and returns a JWT. The account's email and role are taken from the invite, not from the request body, and the token is consumed on success (single use).

Request:

```json
{
"token": "hex-invite-token",
"name": "Jane Doe",
"password": "securepassword"
}
```

Response: 201 Created

```json
{
"success": true,
"data": {
"token": "eyJhbG...",
"user": {
"id": "cuid",
"email": "newstaff@example.com",
"name": "Jane Doe",
"role": "STAFF"
}
}
}
```

## Error Cases

| Scenario | Status | Error |
|---|---|---|
| Not authenticated | 401 | Authentication required |
| Insufficient role | 403 | Insufficient permissions |
| Staff not found | 404 | Staff member not found |
| Email already exists (invite) | 409 | A user with this email already exists |
| Token already used | 400 | This invite has already been used |
| Token expired | 400 | This invite has expired |
| Self-demotion | 400 | Cannot change your own role |
| Self-deactivation | 400 | Cannot deactivate your own account |
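The role gate and the two self-protection rules behind the 401/403/400 rows in the table above, written out as one pure check. This is an added example, not the project's own middleware: it assumes the bearer JWT has already been verified and resolved to an `actor` (`{ id, role }`, or `null` when absent), and the operation names, the `authorizeStaffRequest` / `apiError` helpers and the sample ids are illustrative.

```javascript
// Added example (not the project's own code): the role gate and the two
// self-protection rules from the error table, as one pure function.
// Assumptions: the caller has already verified the bearer JWT and resolved
// it to `actor` ({ id, role }) or null; the operation names, the
// authorizeStaffRequest/apiError helpers and the sample ids are mine.

// Which roles may call each operation, as documented on this page.
const REQUIRED_ROLES = {
  list: ['MANAGER', 'SUPER_ADMIN'],
  get: ['MANAGER', 'SUPER_ADMIN'],
  update: ['SUPER_ADMIN'],
  deactivate: ['SUPER_ADMIN'],
  invite: ['SUPER_ADMIN'],
};

// Shape of a rejected request: HTTP status plus the documented error string.
function apiError(status, error) {
  return { ok: false, status, body: { success: false, error } };
}

// actor:    authenticated caller or null.
// op:       key of REQUIRED_ROLES.
// targetId: the :id path parameter for get/update/deactivate.
// patch:    PATCH body (only `role` matters for the self-demotion rule).
function authorizeStaffRequest(actor, op, targetId = null, patch = {}) {
  if (!actor) return apiError(401, 'Authentication required');
  const allowed = REQUIRED_ROLES[op];
  if (!allowed) throw new Error(`unknown operation: ${op}`); // programmer error, not a client error
  if (!allowed.includes(actor.role)) return apiError(403, 'Insufficient permissions');

  // Role gate passed. The self-protection rules apply even to SUPER_ADMIN:
  // they are what stop the last admin from demoting or deactivating itself.
  const isSelf = targetId !== null && targetId === actor.id;
  if (op === 'update' && isSelf && 'role' in patch && patch.role !== actor.role) {
    return apiError(400, 'Cannot change your own role');
  }
  if (op === 'deactivate' && isSelf) {
    return apiError(400, 'Cannot deactivate your own account');
  }
  return { ok: true };
}

// Constructed callers, not real accounts.
const admin = { id: 'adm_1', role: 'SUPER_ADMIN' };
const manager = { id: 'mgr_1', role: 'MANAGER' };
console.log(authorizeStaffRequest(null, 'list'));                                   // 401
console.log(authorizeStaffRequest(manager, 'get', 'stf_9'));                        // ok
console.log(authorizeStaffRequest(manager, 'deactivate', 'stf_9'));                 // 403
console.log(authorizeStaffRequest(admin, 'update', 'adm_1', { role: 'STAFF' }));    // 400
console.log(authorizeStaffRequest(admin, 'update', 'adm_1', { name: 'New Name' })); // ok
console.log(authorizeStaffRequest(admin, 'deactivate', 'adm_1'));                   // 400
```

The order of the checks matters: 401 and 403 are decided before the target record is ever loaded, so an unauthenticated or under-privileged caller cannot use the 404 row of the table to probe which ids exist. A PATCH that sends `"role"` equal to the caller's current role is treated as a no-op here; rejecting any `role` key on a self-update is an equally valid, stricter reading of "cannot change your own role".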
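The invite token lifecycle that ties together Invite Staff, Validate Invite Token and Accept Invite (creation, the public validity check, and the single-use redemption that returns a JWT), as an added example rather than the project's own code. It assumes an in-memory `Map` in place of the database, a 7-day lifetime (the page's sample `expiresAt` is one week after the invite's creation), a demo HS256 signer with a hard-coded secret, scrypt for the password, and a 404 with the message `Invite not found` for an unknown token, which the page does not document; the constructed invitee is not real data.

```javascript
// Added example (not the project's own code): the invite token lifecycle
// behind POST /api/staff/invite, GET /api/staff/invite/:token and
// POST /api/staff/accept-invite. Assumptions: an in-memory Map stands in for
// the database, invites live 7 days (the page's sample expiresAt is one week
// out), the JWT is HS256 over a demo secret, passwords are scrypt-hashed, and
// the 404 for an unknown token is mine (the page does not document that case).
const crypto = require('node:crypto');

const INVITE_TTL_MS = 7 * 24 * 60 * 60 * 1000;
const JWT_SECRET = 'demo-secret-replace-with-env-value'; // assumption: real code reads this from the environment
const db = { invites: new Map(), users: new Map() };    // tokenHash -> invite, userId -> user

// Only the SHA-256 of the token is stored: a leaked invites table cannot be
// replayed, and looking up the hash means any timing difference is over a
// value the caller cannot steer, unlike comparing raw tokens byte by byte.
const hashToken = (t) => crypto.createHash('sha256').update(t, 'utf8').digest('hex');
const emailTaken = (email) => [...db.users.values()].some((u) => u.email === email);

// POST /api/staff/invite (SUPER_ADMIN). The raw token is returned once, to be
// emailed; it is deliberately absent from `data`, the 201 body on the page.
function createInvite(email, role = 'STAFF', now = Date.now()) {
  if (emailTaken(email)) return { status: 409, error: 'A user with this email already exists' };
  const token = crypto.randomBytes(32).toString('hex'); // 256 bits, unguessable
  const invite = { id: crypto.randomUUID(), email, role,
                   expiresAt: new Date(now + INVITE_TTL_MS), usedAt: null };
  db.invites.set(hashToken(token), invite);
  return { status: 201, token,
           data: { id: invite.id, email, role, expiresAt: invite.expiresAt.toISOString() } };
}

// Shared by validate and accept. Reject malformed input before hashing, then
// report "used" before "expired" so the recipient learns why the link failed.
function findLiveInvite(token, now = Date.now()) {
  const invite = typeof token === 'string' && /^[0-9a-f]{64}$/.test(token)
    ? db.invites.get(hashToken(token)) : undefined;
  if (!invite) return { status: 404, error: 'Invite not found' }; // assumed message
  if (invite.usedAt) return { status: 400, error: 'This invite has already been used' };
  if (invite.expiresAt.getTime() <= now) return { status: 400, error: 'This invite has expired' };
  return { status: 200, invite };
}

// GET /api/staff/invite/:token (public): only the non-secret fields go out.
function validateInvite(token, now = Date.now()) {
  const r = findLiveInvite(token, now);
  return r.status === 200 ? { status: 200, data: { email: r.invite.email, role: r.invite.role } } : r;
}

// Minimal HS256 JWT for the accept-invite response (demo signer, not a library).
function signJwt(payload) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  const signingInput = `${b64({ alg: 'HS256', typ: 'JWT' })}.${b64(payload)}`;
  const sig = crypto.createHmac('sha256', JWT_SECRET).update(signingInput).digest('base64url');
  return `${signingInput}.${sig}`;
}

// POST /api/staff/accept-invite (public). Email and role come from the stored
// invite, never from the request body, so a caller cannot pick their own role.
function acceptInvite({ token, name, password }, now = Date.now()) {
  const r = findLiveInvite(token, now);
  if (r.status !== 200) return r;
  const { invite } = r;
  if (emailTaken(invite.email)) return { status: 409, error: 'A user with this email already exists' };
  invite.usedAt = new Date(now); // burn the token first; a second accept now gets the 400
  const salt = crypto.randomBytes(16);
  const passwordHash = crypto.scryptSync(password, salt, 64);
  const user = { id: crypto.randomUUID(), email: invite.email, name, role: invite.role, salt, passwordHash };
  db.users.set(user.id, user);
  const jwt = signJwt({ sub: user.id, role: user.role, iat: Math.floor(now / 1000) });
  return { status: 201, data: { token: jwt, user: { id: user.id, email: user.email, name, role: user.role } } };
}

// Walk-through with a constructed invitee (not real data).
const inv = createInvite('demo@example.com', 'STAFF');
console.log(validateInvite(inv.token));                                                               // 200 with email and role
console.log(acceptInvite({ token: inv.token, name: 'Jane Doe', password: 'securepassword' }).status); // 201
console.log(validateInvite(inv.token).error);                                                         // This invite has already been used
```

Against a real database the burn step should be a conditional update (set `usedAt` where it is still null) whose affected-row count decides whether account creation proceeds; that is what makes the token single-use under two concurrent accept requests, which the in-memory assignment above only approximates. Because the token travels in the URL path of the public validate endpoint, it will appear in access logs and browser history, so the short lifetime and the hash-at-rest are what limit the damage from that exposure.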