Accounts

Note

These APIs are not frozen and can change at any time without warning. See the API versions available for alternatives if you need stability. The only authentication method available at the moment is the internal one.

The following API endpoints cover a users account.

Account

This endpoint returns information about a user’s account, by the account id. Only developer accounts are publicly viewable - other user’s accounts will return a 404 not found response code. Most of the information is optional and provided by the user so may be missing or inaccurate.

A developer is defined as a user who is listed as a developer or owner of one or more approved add-ons.

GET /api/v5/accounts/account/(int:user_id|string:username)/

Response JSON Object:

• average_addon_rating (float) – The average rating for addons the developer has listed on the website.

• biography (string|null) – More details about the user.

• created (string) – The date when this user first logged in and created this account.

• has_anonymous_display_name (boolean) – The user hasn’t chosen a name.

• has_anonymous_username (boolean) – The user hasn’t chosen a username.

• homepage (string|null) – The user’s website.

• id (int) – The numeric user id.

• is_addon_developer (boolean) – The user has developed and listed add-ons on this website.

• is_artist (boolean) – The user has developed and listed themes on this website.

• location (string|null) – The location of the user.

• name (string) – The name chosen by the user, or the “Firefox user {id}” if not set.

• num_addons_listed (int) – The number of addons the developer has listed on the website.

• occupation (string|null) – The occupation of the user.

• picture_type (string|null) – the image type (only ‘image/png’ is supported) if a user photo has been uploaded, or null otherwise.

• picture_url (string|null) – URL to a photo of the user, or null if no photo has been uploaded.

• username (string) – deprecated property still included for backwards compatibility. Previous chosen by the user, used in the account url. If not previously set will be a randomly generated string.

If you authenticate and access your own account by specifing your own user_id the following additional fields are returned. You can always access your account, regardless of whether you are a developer or not. If you have Users:Edit permission you will see these extra fields for all user accounts.

GET /api/v5/accounts/account/(int:user_id|string:username)/

Response JSON Object:

• deleted (boolean) – Is the account deleted.

• display_name (string|null) – The name chosen by the user.

• email (string) – Email address used by the user to login and create this account.

• fxa_edit_email_url (string) – The configured URL for editing the user’s email on FxA.

• last_login (string) – The date of the last successful log in to the website.

• last_login_ip (string) – The IP address of the last successfull log in to the website.

• is_verified (boolean) – The user has been verified via FirefoxAccounts.

• permissions (array) – A list of the additional permissions this user has.

• read_dev_agreement (boolean) – The user has read, and agreed to, the developer agreement that is required to submit addons.

• site_status (object) – The site status - exposed here as a convenience to avoid an extra api call for logged in users.

Status Codes:

• 200 OK – account found.

• 400 Bad Request – an error occurred, check the error value in the JSON.

• 404 Not Found – no account with that user id.

Important

• Biography can contain HTML, or other unsanitized content, and it is the responsibiliy of the client to clean and escape it appropriately before display.

Permissions can be any arbritary string in the format app:action. Either app or action can be the wildcard *, so *:* means the user has permission to do all actions (i.e. full admin).

The following are some commonly tested permissions; see https://github.com/mozilla/addons-server/blob/master/src/olympia/constants/permissions.py for the full list.

Value	Description
Addons:Edit	Allows viewing and editing of any add-ons details in developer tools.
Addons:Review	Can access the add-on reviewer tools to approve/reject add-on submissions.
Addons:ThemeReview	Can access the theme reviewer tools to approve/reject theme submissions.

Profile

Note

This API requires authentication.

This endpoint is a shortcut to your own account. It returns an account object

GET /api/v5/accounts/profile/

Edit

Note

This API requires authentication and Users:Edit permission to edit accounts other than your own.

This endpoint allows some of the details for an account to be updated. Any fields in the account (or self) but not listed below are not editable and will be ignored in the patch request.

PATCH /api/v5/accounts/account/(int:user_id|string:username)/

Request JSON Object:

• biography (string|null) – More details about the user. No links are allowed.

• display_name (string|null) – The name chosen by the user. Minimum length is 2, maximum length is 50 characters, and must contain at least 1 displayable character.

• homepage (string|null) – The user’s website.

• location (string|null) – The location of the user.

• occupation (string|null) – The occupation of the user.

Uploading a picture

To upload a picture for the profile the request must be sent as content-type multipart/form-data instead of JSON. Images must be either PNG or JPG; the maximum file size is 4MB. Other editable values can be set at the same time.

PATCH /api/v5/accounts/account/(int:user_id|string:username)/

Request:

curl "https://addons.mozilla.org/api/v5/accounts/account/12345/"
    -g -XPATCH --form "picture_upload=@photo.png"
    -H "Authorization: JWT <token>"

Parameters:

• user-id – The numeric user id.

Form Parameters:

• picture_upload – The user’s picture to upload.

Request Headers:

• Content-Type – multipart/form-data

Deleting the picture

To delete the account profile picture call the special endpoint.

DELETE /api/v5/accounts/account/(int:user_id|string:username)/picture

Delete

Note

This API requires authentication and Users:Edit permission to delete accounts other than your own.

This endpoint allows the account to be deleted. The data will be permanently removed, including profile details (picture, user name, display name, location, home page, biography, occupation), notification preferences, reviews, and collections. If the user authored any add-ons they will also be deleted, unless ownership is shared with other authors. In that case, the user will be removed as an author and the remaining authors will maintain ownership of the add-on.

DELETE /api/v5/accounts/account/(int:user_id|string:username)/

Notifications List

Note

This API requires authentication and Users:Edit permission to list notifications on accounts other than your own.

This endpoint allows you to list the account notifications set for the specified user. The result is an unpaginated list of the fields below. There are currently 10 notification types.

GET /api/v5/accounts/account/(int:user_id|string:username)/notifications/

Response JSON Object:

• name (string) – The notification short name.

• enabled (boolean) – If the notification is enabled (defaults to True).

• mandatory (boolean) – If the notification can be set by the user.

Notifications Update

Note

This API requires authentication and Users:Edit permission to set notification preferences on accounts other than your own.

This endpoint allows account notifications to be set or updated. The request should be a dict of name:True|False pairs. Any number of notifications can be changed; only non-mandatory notifications can be changed - attempting to set a mandatory notification will return an error.

POST /api/v5/accounts/account/(int:user_id|string:username)/notifications/

Request JSON Object:

• <name> (boolean) – Is the notification enabled?

Notification Unsubscribe

This special endpoint is used to handle notification update requests coming from email unsubscribe links. Only a single notification can be changed, and it will always be updated to enabled = False. Only non-mandatory notifications can be changed - attempting to set a mandatory notification will return an error.

POST /api/v5/accounts/unsubscribe/

Request JSON Object:

• hash (string) – The generated hash of the token

• notification (string) – The short name of the notification that should be disabled

• token (string) – The base64 encoded email address of the account

Response JSON Object:

• name (string) – The notification short name.

• enabled (boolean) – If the notification is enabled (should always be False).

• mandatory (boolean) – If the notification can be set by the user (should always be False, or an error would have been sent instead).

Super-creation

Note

This API requires authentication.

This allows you to generate a new user account and sign in as that user.

Important

• Your API user must be in the Accounts:SuperCreate group to access this endpoint. Use manage.py createsuperuser --add-to-supercreate-group to create a superuser with proper access.

• This endpoint is not available in all API environments.

POST /api/v5/accounts/super-create/

Request:

Parameters:

• email – assign the user a specific email address. A fake email will be assigned by default.

• username – assign the user a specific username. A random username will be assigned by default.

• fxa_id – assign the user a Firefox Accounts ID, like one returned in the uuid parameter of a profile request. This is empty by default, meaning the user’s account will need to be migrated to a Firefox Account.

• group –

  assign the user to a permission group. Valid choices:

  • reviewer: can access add-on reviewer pages, formerly known as Editor Tools

  • admin: can access any protected page

curl "https://addons.mozilla.org/api/v5/accounts/super-create/" \
    -X POST -H "Authorization: JWT <jwt-token>"

Response:

{
    "username": "super-created-7ee304ce",
    "display_name": "Super Created 7ee304ce",
    "user_id": 10985,
    "email": "super-created-7ee304ce@addons.mozilla.org",
    "fxa_id": null,
    "groups": [],
    "session_cookie": {
        "encoded": "sessionid=.eJyrVopPLC3JiC8tTi2KT...",
        "name": "sessionid",
        "value": ".eJyrVopPLC3JiC8tTi2KT..."
    }
}

Status Codes:

• 201 Created – Account created.

• 422 Unprocessable Entity – Incorrect request parameters.

The session cookie will enable you to sign in for a limited time as this new user. You can pass it to any login-protected view like this:

curl --cookie sessionid=... -s -D - \
    "https://addons.mozilla.org/en-US/developers/addon/submit/1" \
    -o /dev/null

Session

Log out of the current session. This is for use with the internal authentication that authenticates browser sessions.

DELETE /api/v5/accounts/session/

Request:

curl "https://addons.mozilla.org/api/v5/accounts/session/"
    -H "Authorization: Session <sessionid>" -X DELETE

Response:

{
    "ok": true
}

Status Codes:

• 200 OK – session logged out.

• 401 Unauthorized – authentication failed.