One centralized user profile — name, email, avatar, gender, date of birth, and phone — shared across every Misar product.

The Profile API is the single source of truth for a user's personal details across the Misar ecosystem. MisarMail, MisarReach, and every other Misar product read profile fields — especially the avatar — live from this centralized store instead of stale local auth metadata. Profile edits happen in one place: www.misar.io/account.

What's included:

Get Profile

Read the full profile, including the profile_complete flag.

Update Profile

Edit name, gender, date of birth, and phone. Email is read-only.

Upload Avatar

Upload a profile picture — the single source of truth for all products.

Errors

Validation and auth error shapes.

Base URL

All Profile endpoints are served under:

https://api.misar.io/io/profile

Fields

Field	Type	Editable	Notes
`id`	string (uuid)	—	Central user id
`email`	string	❌ read-only	Managed by auth
`username`	string \| null	—	Derived handle
`display_name`	string \| null	✅	1–100 chars
`avatar_url`	string \| null	via upload	See Upload Avatar
`gender`	string \| null	✅	One of `male`, `female`, `non_binary`, `prefer_not_to_say`, `other`
`date_of_birth`	string \| null	✅	`YYYY-MM-DD`; age 13–120
`phone`	string \| null	✅	Optional; `5–30` chars matching `[+()\-\s\d]`
`profile_complete`	boolean	—	`true` when both `gender` and `date_of_birth` are set

Mandatory fields

gender and date_of_birth are mandatory. Until both are set, profile_complete is false and products hard-gate the user to the completion form at www.misar.io/account?complete=1&returnTo=….

Authentication

Three auth modes are supported:

Mode	Header	Use case
SSO bearer	`Authorization: Bearer <access_token>`	First-party misar.io UI
Session cookie	first-party Supabase cookie	Same-origin `www.misar.io` requests
Service key	`x-profile-service-key: <key>` + `?user_id=<uuid>`	Server-to-server (MisarMail, MisarReach)

See Authentication for details.

Central Profile