Some API routes require a user session. When a request is made without a valid access token, the API can return an authorization-related response.
This page documents the behavior of the user settings endpoint.
- Access to an OpenOps deployment.
- An HTTP client (for example, curl).
The user settings endpoint is mounted at:

```
GET /v1/users/me/settings
PUT /v1/users/me/settings
```
The route module registers the controller under the /v1/users/me/settings prefix.
The PUT /v1/users/me/settings route explicitly restricts access to a USER principal:

```ts
config: {
  allowedPrincipals: [PrincipalType.USER],
}
```

Requests without a valid access token do not have a USER principal.
The API authentication layer looks for an access token in either of these locations:
- Cookie named token
- Authorization header in the form Bearer <token>
This logic is implemented in AccessTokenAuthnHandler.
A request that carries no access token looks like this:

```
curl -i https://app.openops.com/api/v1/users/me/settings
```

Route access checks are performed by the security handler chain:
- Authentication handlers populate request.principal.
- Authorization handlers validate request.principal.type against the route configuration.
If a request is missing a Bearer token (and has no token cookie), the request uses an UNKNOWN principal created by the anonymous authentication handler.
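To make the chain concrete, here is an added TypeScript sketch of the two handler stages described above; it is not OpenOps code, and the function names, the ApiRequest shape and the VALID_TOKENS table are assumptions.

```typescript
// Added illustration of the handler chain described on this page; not OpenOps code.
// Function names, the ApiRequest shape and the VALID_TOKENS table are assumptions.
enum PrincipalType { USER = "USER", UNKNOWN = "UNKNOWN" }

interface Principal { type: PrincipalType; id?: string }
interface ApiRequest {
  headers: Record<string, string>;
  cookies: Record<string, string>;
  principal?: Principal;
}
interface RouteConfig { allowedPrincipals: PrincipalType[] }

// Constructed token table standing in for real token verification (assumption).
const VALID_TOKENS: Record<string, string> = { "tok-abc": "user-1" };

// The two token locations named above: the `token` cookie or `Authorization: Bearer <token>`.
function extractAccessToken(req: ApiRequest): string | undefined {
  const auth = req.headers["authorization"];
  if (auth !== undefined && auth.startsWith("Bearer ")) {
    return auth.slice("Bearer ".length).trim();
  }
  return req.cookies["token"];
}

// Authentication handler: populates request.principal. Without a valid token the
// request ends up with the anonymous handler's UNKNOWN principal.
function authenticate(req: ApiRequest): Principal {
  const token = extractAccessToken(req);
  const userId = token === undefined ? undefined : VALID_TOKENS[token];
  req.principal = userId === undefined
    ? { type: PrincipalType.UNKNOWN }
    : { type: PrincipalType.USER, id: userId };
  return req.principal;
}

// Authorization handler: compares request.principal.type with the route's allowedPrincipals.
function authorize(req: ApiRequest, config: RouteConfig): boolean {
  const principal = req.principal ?? authenticate(req);
  return config.allowedPrincipals.includes(principal.type);
}

// The PUT /v1/users/me/settings configuration quoted on this page.
const putSettingsConfig: RouteConfig = { allowedPrincipals: [PrincipalType.USER] };

// Runs the chain for a constructed request and reports which principal it got and whether
// the PUT route would admit it.
function checkRequest(headers: Record<string, string>, cookies: Record<string, string>): { principal: PrincipalType; allowed: boolean } {
  const req: ApiRequest = { headers, cookies };
  const allowed = authorize(req, putSettingsConfig);
  return { principal: req.principal!.type, allowed };
}
```

A request with a valid Bearer header or token cookie resolves to a USER principal and is admitted; a request with neither, with a non-Bearer scheme, or with an unknown token resolves to UNKNOWN and is rejected by the allowedPrincipals check.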