Me

The Me API provides endpoints for authenticated users to manage their own profile, authentication, and settings.

Overview

The Me API enables self-service user management with the following capabilities:

Profile Management

  • Read and update profile information (name, email, phone, picture)
  • Change email address with verification workflow
  • Manage user preferences and settings

Authentication

  • Change password with current password verification
  • Password complexity enforcement (8+ characters, uppercase, lowercase, digit)

Personal Access Tokens (PATs)

  • Create long-lived API tokens for programmatic access
  • List active PATs
  • Revoke PATs

Resource Structure

All Me API endpoints are under /resources/me/:

/resources/me/
├── profile        # Profile data
├── password       # Password management
├── email/
│   ├── change     # Request email change
│   └── validate   # Verify email change
├── settings       # User preferences
└── pat            # Personal Access Tokens
    └── {id}       # Specific PAT

Key Features

Email Verification

Email changes require verification to prevent unauthorized account takeover:

  1. User requests email change → Me API generates verification secret and stores in pendingEmail
  2. Client (e.g., Portal) sends verification email via Sendings API
  3. User clicks link with secret → Client calls validation endpoint
  4. Me API validates secret → Email updated if valid
  5. Secret expires after 24 hours

Important: The Me API does not send emails automatically. Clients are responsible for:

  • Calling the Sendings API to deliver verification emails
  • Providing the verification link endpoint
  • Handling the validation callback

This separation allows clients to customize email templates and delivery logic.
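The server side of the five-step workflow above, as an added illustration that is not the Me API's own code: it generates the secret stored in pendingEmail, enforces the 24-hour expiry, and applies the change only after a constant-time secret comparison. The data model (`User`, `PendingEmail`) and the epoch-seconds `now` parameter are assumptions made for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

PENDING_TTL_SECONDS = 24 * 3600  # the page states the secret expires after 24 hours


@dataclass
class PendingEmail:
    email: str        # the address the user wants to switch to
    secret: str       # verification secret embedded in the link the client sends
    expires_at: float  # epoch seconds


@dataclass
class User:
    email: str
    pending_email: Optional[PendingEmail] = None  # hypothetical field, mirrors pendingEmail


def request_email_change(user: User, new_email: str, now: Optional[float] = None) -> str:
    """Step 1: generate a verification secret and store it with the new address.
    The secret is returned to the client, which must deliver it via the Sendings API;
    the current address stays in effect until validation succeeds."""
    now = time.time() if now is None else now
    secret = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not guessable
    user.pending_email = PendingEmail(new_email, secret, now + PENDING_TTL_SECONDS)
    return secret


def validate_email_change(user: User, presented: str, now: Optional[float] = None) -> bool:
    """Step 4: apply the change only if a pending request exists, is unexpired,
    and the presented secret matches. Any failure leaves the old address untouched."""
    now = time.time() if now is None else now
    pending = user.pending_email
    if pending is None:
        return False
    if now >= pending.expires_at:
        user.pending_email = None  # step 5: expired secrets are discarded, user must re-request
        return False
    if not hmac.compare_digest(pending.secret, presented):  # constant-time, no timing leak
        return False
    user.email = pending.email
    user.pending_email = None  # single use: a replayed link cannot re-apply the change
    return True
```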

Password Security

Password changes require:

  • Current password verification
  • Complexity requirements (enforced by BCrypt):
    • Minimum 8 characters
    • At least one uppercase letter
    • At least one lowercase letter
    • At least one digit

Personal Access Tokens

PATs enable programmatic API access:

  • Long-lived tokens (up to 1 year)
  • Scope-limited (inherit user’s permissions)
  • Individually revocable
  • Require client secret for creation

Access Control

The available access control entries for the Me resources are:

me/profile:read # Read own profile
me/profile:write # Update profile and email
me/auth:write # Change password
me/settings:read # Read settings
me/settings:write # Update settings
me/pat:read # List PATs
me/pat:write # Create/revoke PATs

Common Use Cases

Self-Service Profile Updates

Users can update their own information without administrator involvement:

  • Change display name
  • Update phone number
  • Upload profile picture
  • Change email (with verification)
  • Update password

API Integration

Developers can create PATs for:

  • CI/CD pipelines
  • Custom integrations
  • Automation scripts
  • External applications

Personalization

Users can customize their experience via settings:

  • Interface language
  • Date/time formatting
  • Other application preferences