Skip to main content

Update Profile

PATCH/api/v1/users/me

Updates fields on the authenticated patient's own profile. Partial update — all fields optional. Self-only. Returns the full updated profile, not a diff.

cv-api-key + Bearer accessToken
Productionhttps://api.care360-next.carevalidate.com/api/v1/users/me
Staginghttps://api-staging.care360-next.carevalidate.com/api/v1/users/me
note

The body must contain at least one recognized field. Unknown body keys are silently dropped. Pass null to clear nullable fields. Omitting a field leaves it unchanged.

Headers

Headers
cv-api-keystringrequired

Your unique API key for authentication.

Authorizationstringrequired

Bearer access token from /verify-otp.

Example: Bearer eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9...
Content-Typestringrequired

Must be application/json.

Request Body

Identity Fields (restricted while active cases exist)
firstNamestringoptional

Patient's first name. Min length 1. Cannot be updated while the patient has active cases in the calling organization.

lastNamestringoptional

Patient's last name. Min length 1. Cannot be updated while the patient has active cases in the calling organization.

dobstringoptional

Date of birth in YYYY-MM-DD format. Server converts to a Date and returns ISO-8601. Cannot be updated while the patient has active cases.

Example: 1990-05-15
genderstringoptional

Gender enum (case-sensitive). Cannot be updated while the patient has active cases.

Values:MALEFEMALEOTHER
Contact and Address Fields
phoneNumberstringoptional

Patient's phone number. (PATCH does not enforce E.164 — the field is accepted as-is.)

Example: +15551234567
addressstring | nulloptional

Street address line 1. Pass null to clear.

address2string | nulloptional

Street address line 2. Pass null to clear.

citystring | nulloptional

City. Pass null to clear.

statestringoptional

State / region.

countrystringoptional

2-letter ISO 3166-1 alpha-2 code. Server uppercases on write — "us" is accepted and stored as "US".

Example: US
postalCodestring | nulloptional

Postal code. Pass null to clear.

Health Fields
allergiesstring | nulloptional

Free-text allergies. Pass null to clear.

healthConditionsstring | nulloptional

Free-text health conditions. Pass null to clear.

currentMedicationsstring | nulloptional

Free-text current medications. Pass null to clear.

caution

The email field is read-only via this endpoint and is not in the schema. Unknown body keys (including email) are silently dropped.

The Active-Case Rule

If the request includes any of firstName, lastName, dob, gender, the server checks whether the patient has any active cases in the calling organization. Active statuses are: Approved, Assigned, InProgress, NoDecision, Rejected. (Statuses outside that list — notably Open — are not active.)

When the rule fires, no fields are updated — including the non-restricted fields in the same body. Surface a clear "complete or close active cases first" message and let the user retry without those four fields.

Behavior

  1. Auth middleware authenticates and attaches req.patientUser and req.patientOrganization.
  2. Body is parsed by ProfileUpdateSchema. country is uppercased; unknown keys are dropped.
  3. If any restricted field is present, the active-case check runs. On failure the request fails atomically — no fields are written.
  4. dob (YYYY-MM-DD) is converted to a Date if present.
  5. A single prisma.user.update applies all recognized fields.
  6. The updated User row is mapped to the full profile shape and returned.

Example Requests

curl -X PATCH '<BASE_URL>/api/v1/users/me' \
-H 'cv-api-key: <redacted>' \
-H 'Authorization: Bearer <accessToken>' \
-H 'Content-Type: application/json' \
-d '{
  "address": "123 Main St",
  "city": "New York",
  "state": "NY",
  "country": "us",
  "postalCode": "10001",
  "allergies": "Penicillin"
}'

Responses

200SuccessReturns the full updated profile, not a diff. Replace the local profile object on success.
{
  "status": 200,
  "success": true,
  "data": {
    "profile": {
      "id": "550e8400-e29b-41d4-a716-446655440000",
      "email": "patient@example.com",
      "firstName": "Jane",
      "lastName": "Doe",
      "phoneNumber": "+15551234567",
      "dob": "1990-05-15T00:00:00.000Z",
      "gender": "FEMALE",
      "address": "123 Main St",
      "address2": null,
      "city": "New York",
      "state": "NY",
      "country": "US",
      "postalCode": "10001",
      "allergies": "Penicillin",
      "healthConditions": "Asthma",
      "currentMedications": "Albuterol",
      "createdAt": "2025-08-01T12:34:56.000Z"
    }
  }
}
400Validation errorcv-api-key missing, body fails Zod (e.g. dob not YYYY-MM-DD, gender not in enum, country length not 2, firstName/lastName empty).
{
  "status": 400,
  "success": false,
  "error": "Validation failed",
  "code": "VALIDATION_ERROR"
}
400Active-case ruleBody included firstName, lastName, dob, or gender while the patient has active cases in the calling organization. No fields were updated.
{
  "status": 400,
  "success": false,
  "error": "Cannot update firstName, lastName, dob, or gender while you have active cases",
  "code": "VALIDATION_ERROR"
}
401Authentication failureAuthorization header missing/malformed; JWT invalid/expired; wrong type; org mismatch; or the user no longer exists.
{
  "status": 401,
  "success": false,
  "error": "Invalid or expired token",
  "code": "VALIDATION_ERROR"
}
404Patient not foundDefensive — the user record was missing when the handler ran.
{
  "status": 404,
  "success": false,
  "error": "Patient not found",
  "code": "VALIDATION_ERROR"
}

Try It Out