shared-users

Get User Profile By Id

Profile of another user, scoped to the caller’s org.

Access rules — enforced by load_user_for_crew_edit:

The caller may always view their own profile (404 indistinguishable from “not in your org” otherwise).
admin / office-admin may view any user in their org.
Everyone else gets 404.

Role surfaced in the response comes from the DB display cache (kept fresh by membership webhooks + the hourly reconciliation worker). The JWT-authoritative role only applies to the caller — not the target — which is exactly the documented use of users.role.

Profile picture is resolved the same way as /me: custom upload’s thumb derivative if present + ready, else the WorkOS-provided URL.

GET

api

shared

users

{user_id}

profile

Get User Profile By Id

curl --request GET \
  --url https://api.example.com/api/v1/shared/users/{user_id}/profile \
  --header 'Authorization: Bearer <token>'

{
  "user": {
    "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "email": "<string>",
    "emailVerified": true,
    "firstName": "<string>",
    "lastName": "<string>",
    "profilePictureUrl": "<string>",
    "role": "<string>",
    "state": "<string>",
    "lastLogin": "2023-11-07T05:31:56Z",
    "createdAt": "2023-11-07T05:31:56Z",
    "hasCustomProfilePicture": false
  },
  "organization": {
    "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "name": "<string>"
  },
  "assignments": [
    {
      "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
      "shipName": "<string>",
      "role": "<string>",
      "startDate": "2023-12-25",
      "endDate": "2023-12-25",
      "isActive": true,
      "shipImoNumber": "<string>"
    }
  ]
}

Authorizations

Authorization

string

header

required

Bearer authentication header of the form Bearer <token>, where <token> is your auth token.

Path Parameters

user_id

string<uuid>

required

Response

Successful Response

Complete profile response.

user

UserProfileDTO · object

required

User profile for /users/me endpoint.

profile_picture_url: server-resolved. If the user has uploaded a custom photo this is a presigned URL for that upload's thumb derivative (256 px); otherwise it's the WorkOS-provided URL.

has_custom_profile_picture: lets the FE show a "Remove photo" affordance only when there's a custom photo to remove.

Show child attributes

organization

OrganizationInfoDTO · object

required

Organization info for profile.

Show child attributes

assignments

AssignmentWithShipDTO · object[]

required

Show child attributes

Update User Profile PictureSet or clear a user's custom profile photo. Path param `user_id` selects whose photo is being changed; the `load_user_for_crew_edit` dep enforces self-or-admin/office-admin scoping (404s on cross-org or unauthorized access). Body: `{"uploadId": "<uuid>" | null}`. A UUID sets/replaces the photo; `null` clears it (avatar reverts to the WorkOS-provided URL). Validations when `uploadId` is non-null: - Upload exists in the caller's org (IDOR-safe via get_by_id_and_org). - Upload was uploaded by the **caller** (`actor`), not the target. An admin uploading a photo for a crew member is the expected flow — the upload row's `uploaded_by_user_id` belongs to the admin, while the photo is applied to the target user. - Upload kind is `image` (rejects PDFs etc.). - Upload status is `ready` (rejects pending/scanning/infected/failed). Returns the target's freshly-resolved profile DTO, identical shape to the `/me` user payload so the frontend can update either cache (the /me cache or the /users/{id}/profile cache) from this response.

Get User Profile By Id

curl --request GET \
  --url https://api.example.com/api/v1/shared/users/{user_id}/profile \
  --header 'Authorization: Bearer <token>'

{
  "user": {
    "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "email": "<string>",
    "emailVerified": true,
    "firstName": "<string>",
    "lastName": "<string>",
    "profilePictureUrl": "<string>",
    "role": "<string>",
    "state": "<string>",
    "lastLogin": "2023-11-07T05:31:56Z",
    "createdAt": "2023-11-07T05:31:56Z",
    "hasCustomProfilePicture": false
  },
  "organization": {
    "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "name": "<string>"
  },
  "assignments": [
    {
      "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
      "shipName": "<string>",
      "role": "<string>",
      "startDate": "2023-12-25",
      "endDate": "2023-12-25",
      "isActive": true,
      "shipImoNumber": "<string>"
    }
  ]
}