Identity & access API
Base path: /api/iam
These endpoints manage branding resources — themes, avatar, and cover image — for the current user and for the organizations they belong to. Access control and persistence are delegated to the IAM repository; blob storage is injected, so the route only owns HTTP handling and image processing.
Uploaded images are processed to WebP before being stored.
All endpoints require an authenticated session.
Current user
GET /api/iam/themes— the current user’s themes.POST /api/iam/avatar— upload the user’s avatar (multipart file). Processed to WebP and stored; returns the public URL.DELETE /api/iam/avatar— remove the user’s avatar.POST /api/iam/cover— upload the user’s cover image.DELETE /api/iam/cover— remove the user’s cover image.
Organization
The same resources, scoped to an organization the user can administer:
GET /api/iam/org/:org_id/themes— the organization’s themes.POST /api/iam/org/:org_id/avatar— upload the organization’s avatar.DELETE /api/iam/org/:org_id/avatar— remove the organization’s avatar.POST /api/iam/org/:org_id/cover— upload the organization’s cover image.DELETE /api/iam/org/:org_id/cover— remove the organization’s cover image.