Admin Panel API

The Admin Panel API provides platform-level management capabilities — organization oversight, user administration, support tickets, activity logs, and audit trails. All protected endpoints require a valid platform admin PASETO token via the Authorization: Bearer <token> header.

Authentication

POST /api/admin/auth/login

Authenticate a platform admin.

Request Body

Field	Type	Required	Description
email	string	Yes	Admin email address
password	string	Yes	Admin account password

{
  "email": "admin@example.com",
  "password": "securePassword123"
}

Response 200 OK

{
  "success": true,
  "token": "v4.public.eyJ...",
  "admin": {
    "id": "64f1a2b3c4d5e6f7a8b9c0d1",
    "email": "admin@example.com",
    "name": "Platform Admin"
  }
}

---

POST /api/admin/auth/forgot-password

Send a password-reset email to the admin.

Field	Type	Required	Description
email	string	Yes	Admin email address

{ "email": "admin@example.com" }

Response 200 OK

{ "success": true, "message": "Password reset email sent" }

---

POST /api/admin/auth/reset-password

Reset the admin password using a token received via email.

Field	Type	Required	Description
token	string	Yes	Reset token from the email link
newPassword	string	Yes	New password (min 8 characters)

{
  "token": "abc123resettoken",
  "newPassword": "newSecurePassword456"
}

Response 200 OK

{ "success": true, "message": "Password reset successful" }

---

GET /api/admin/auth/verify-token

Verify whether a password-reset token is still valid.

Query Parameters

Param	Type	Required	Description
token	string	Yes	Reset token to check

Response 200 OK

{ "valid": true }

---

Protected Endpoints

Authorization Required

All endpoints below require the Authorization: Bearer <token> header with a valid platform admin token.

GET /api/admin/auth/me

Return the currently authenticated admin's profile.

Response 200 OK

{
  "success": true,
  "admin": {
    "id": "64f1a2b3c4d5e6f7a8b9c0d1",
    "email": "admin@example.com",
    "name": "Platform Admin",
    "role": "superadmin",
    "createdAt": "2025-01-15T10:30:00.000Z"
  }
}

---

POST /api/admin/auth/invite

Invite a new platform admin by email.

Field	Type	Required	Description
email	string	Yes	Invitee email address
name	string	Yes	Invitee display name

{
  "email": "newadmin@example.com",
  "name": "New Admin"
}

Response 201 Created

{ "success": true, "message": "Invite sent successfully" }

---

Organization Management

GET /api/admin/orgs/stats/overview

Aggregated statistics across all organizations.

Response 200 OK

{
  "totalOrgs": 42,
  "activeOrgs": 38,
  "disabledOrgs": 4,
  "totalUsers": 256,
  "totalBookings": 12840
}

---

GET /api/admin/orgs

List all organizations with pagination.

Query Parameters

Param	Type	Default	Description
page	number	1	Page number
limit	number	20	Items per page
search	string	—	Search by organization name
status	string	—	active or disabled

Response 200 OK

{
  "success": true,
  "data": [
    {
      "id": "org_abc123",
      "name": "Hotel Sunrise",
      "status": "active",
      "userCount": 8,
      "createdAt": "2025-03-10T08:00:00.000Z"
    }
  ],
  "pagination": {
    "page": 1,
    "limit": 20,
    "total": 42,
    "pages": 3
  }
}

---

POST /api/admin/orgs

Create a new organization.

Field	Type	Required	Description
name	string	Yes	Organization name
email	string	Yes	Primary contact email

{
  "name": "Hotel Sunrise",
  "email": "contact@hotelsunrise.com"
}

Response 201 Created

{
  "success": true,
  "org": { "id": "org_abc123", "name": "Hotel Sunrise" }
}

---

GET /api/admin/orgs/:orgId

Fetch detailed information for a single organization.

Param	Type	Description
orgId	string	Organization ID

Response 200 OK

{
  "success": true,
  "org": {
    "id": "org_abc123",
    "name": "Hotel Sunrise",
    "status": "active",
    "userCount": 8,
    "bookingCount": 340,
    "createdAt": "2025-03-10T08:00:00.000Z"
  }
}

---

PATCH /api/admin/orgs/:orgId/disable

Disable an organization. All users under this org lose access.

Response 200 OK

{ "success": true, "message": "Organization disabled" }

---

PATCH /api/admin/orgs/:orgId/enable

Re-enable a previously disabled organization.

Response 200 OK

{ "success": true, "message": "Organization enabled" }

---

User Management

GET /api/admin/users

List all users across every organization.

Query Parameters

Param	Type	Default	Description
page	number	1	Page number
limit	number	20	Items per page
search	string	—	Search by name or email
status	string	—	active or deactivated

Response 200 OK

{
  "success": true,
  "data": [
    {
      "id": "usr_xyz789",
      "name": "John Doe",
      "email": "john@hotelsunrise.com",
      "orgId": "org_abc123",
      "status": "active",
      "role": "manager"
    }
  ],
  "pagination": { "page": 1, "limit": 20, "total": 256, "pages": 13 }
}

---

GET /api/admin/users/:userId

Get detailed user profile.

Response 200 OK

{
  "success": true,
  "user": {
    "id": "usr_xyz789",
    "name": "John Doe",
    "email": "john@hotelsunrise.com",
    "orgId": "org_abc123",
    "status": "active",
    "role": "manager",
    "lastLogin": "2026-02-20T14:30:00.000Z",
    "createdAt": "2025-05-01T09:00:00.000Z"
  }
}

---

PATCH /api/admin/users/:userId/deactivate

Deactivate a user account (revokes access).

Response 200 OK

{ "success": true, "message": "User deactivated" }

---

PATCH /api/admin/users/:userId/activate

Re-activate a deactivated user.

Response 200 OK

{ "success": true, "message": "User activated" }

---

Support Tickets

GET /api/admin/support/stats/overview

Support ticket statistics.

Response 200 OK

{
  "total": 87,
  "open": 12,
  "inProgress": 5,
  "resolved": 64,
  "closed": 6
}

---

GET /api/admin/support

List all support tickets with pagination.

Query Parameters

Param	Type	Default	Description
page	number	1	Page number
limit	number	20	Items per page
status	string	—	open, in_progress, resolved, closed

Response 200 OK

{
  "success": true,
  "data": [
    {
      "id": "tkt_001",
      "subject": "Cannot create booking",
      "status": "open",
      "priority": "high",
      "orgId": "org_abc123",
      "createdBy": "usr_xyz789",
      "createdAt": "2026-02-19T11:00:00.000Z"
    }
  ],
  "pagination": { "page": 1, "limit": 20, "total": 87, "pages": 5 }
}

---

GET /api/admin/support/:ticketId

Fetch a single ticket with its full conversation thread.

Response 200 OK

{
  "success": true,
  "ticket": {
    "id": "tkt_001",
    "subject": "Cannot create booking",
    "description": "Booking form throws an error when...",
    "status": "open",
    "priority": "high",
    "replies": [
      {
        "from": "admin",
        "message": "We are looking into this.",
        "createdAt": "2026-02-19T12:00:00.000Z"
      }
    ]
  }
}

---

PATCH /api/admin/support/:ticketId

Update ticket status or priority.

Field	Type	Required	Description
status	string	No	open, in_progress, resolved, closed
priority	string	No	low, medium, high, critical

{ "status": "in_progress", "priority": "critical" }

---

POST /api/admin/support/:ticketId/reply

Add a reply to a support ticket.

Field	Type	Required	Description
message	string	Yes	Reply content

{ "message": "We've deployed a fix. Please try again." }

---

Activity Logs

GET /api/admin/activity

List platform-wide activity logs with pagination.

Query Parameters

Param	Type	Default	Description
page	number	1	Page number
limit	number	50	Items per page

Response 200 OK

{
  "success": true,
  "data": [
    {
      "id": "act_001",
      "action": "org.created",
      "performedBy": "admin@example.com",
      "details": { "orgId": "org_abc123", "orgName": "Hotel Sunrise" },
      "timestamp": "2026-02-20T09:15:00.000Z"
    }
  ]
}

---

GET /api/admin/activity/recent

Fetch the most recent activity entries (last 20).

Response 200 OK — Same shape as above, limited to the 20 most recent entries.

---

Live Status

GET /api/admin/live/status

Real-time platform health overview.

Response 200 OK

{
  "uptime": "14d 6h 32m",
  "connectedSockets": 47,
  "activeOrgs": 38,
  "dbStatus": "healthy",
  "redisStatus": "connected"
}

---

Audit Logs (Platform-Level)

GET /api/admin/audit/logs

Retrieve audit logs across all organizations.

Query Parameters

Param	Type	Default	Description
page	number	1	Page number
limit	number	50	Items per page

---

GET /api/admin/audit/logs/:orgId

Retrieve audit logs scoped to a specific organization.

Param	Type	Description
orgId	string	Organization ID

---

GET /api/admin/audit/analytics

Audit analytics across all organizations (action counts, top actors, trends).

Response 200 OK

{
  "totalActions": 48320,
  "topActions": [
    { "action": "booking.created", "count": 12840 },
    { "action": "invoice.created", "count": 8920 }
  ],
  "topActors": [
    { "userId": "usr_xyz789", "name": "John Doe", "count": 3200 }
  ]
}

---

GET /api/admin/audit/analytics/:orgId

Audit analytics scoped to a single organization.

Param	Type	Description
orgId	string	Organization ID

Response — Same shape as the global analytics endpoint, filtered to the given org.

---

Error Responses

All endpoints return errors in a consistent format:

{
  "success": false,
  "message": "Descriptive error message"
}

Status	Meaning
400	Bad Request
401	Unauthorized
403	Forbidden
404	Not Found
500	Internal Server Error