Identity & access API

Base path: /api/iam

These endpoints manage branding resources — themes, avatar, and cover image — for the current user and for the organizations they belong to. Access control and persistence are delegated to the IAM repository; blob storage is injected, so the route only owns HTTP handling and image processing.

Uploaded images are processed to WebP before being stored.

All endpoints require an authenticated session.

Current user

  • GET /api/iam/themes — the current user’s themes.
  • POST /api/iam/avatar — upload the user’s avatar (multipart file). Processed to WebP and stored; returns the public URL.
  • DELETE /api/iam/avatar — remove the user’s avatar.
  • POST /api/iam/cover — upload the user’s cover image.
  • DELETE /api/iam/cover — remove the user’s cover image.

Organization

The same resources, scoped to an organization the user can administer:

  • GET /api/iam/org/:org_id/themes — the organization’s themes.
  • POST /api/iam/org/:org_id/avatar — upload the organization’s avatar.
  • DELETE /api/iam/org/:org_id/avatar — remove the organization’s avatar.
  • POST /api/iam/org/:org_id/cover — upload the organization’s cover image.
  • DELETE /api/iam/org/:org_id/cover — remove the organization’s cover image.