Admin Tools
Advanced admin endpoints for user impersonation, account lock management, collection maintenance, and cron job control.
FastCMS provides a set of privileged admin-only endpoints for day-to-day operations, debugging, and maintenance. All endpoints require a valid admin token.
User Impersonation
Generate a short-lived token that lets you act as any user — useful for debugging, customer support, or reproducing issues without sharing credentials.
POST /api/v1/admin/users/{user_id}/impersonate
Authorization: Bearer ADMIN_TOKEN

Query Parameters:
| Parameter | Default | Range | Description |
|---|---|---|---|
| duration | 3600 | 60–86400 | Token lifetime in seconds |
Response:
{
"access_token": "eyJhbGc...",
"token_type": "bearer",
"expires_in": 3600,
"impersonated_user_id": "user-uuid",
"message": "Impersonation token issued. This token cannot be refreshed."
}

Rules:
- Admins cannot impersonate themselves
- The issued token is non-renewable — no refresh token is returned
- The token expires at the configured duration regardless of activity
Example:
curl -X POST "http://localhost:8000/api/v1/admin/users/abc123/impersonate?duration=1800" \
-H "Authorization: Bearer ADMIN_TOKEN"

Use the returned access_token as a normal bearer token for any API request.
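An added example (not FastCMS code): a Python client-side wrapper that enforces the rules above before the request is sent and checks the response against the documented fields. The `admin_id` parameter, the `refresh_token` field name, and the expectation that `expires_in` echoes the requested duration are assumptions.

```python
import json
from urllib.parse import quote, urlencode
from urllib.request import Request

MIN_DURATION, MAX_DURATION = 60, 86400  # documented range for ?duration=

def build_impersonation_request(base_url, admin_token, admin_id, user_id, duration=3600):
    """Build (but do not send) the POST request for the impersonate endpoint."""
    if user_id == admin_id:
        raise ValueError("admins cannot impersonate themselves")
    if not MIN_DURATION <= duration <= MAX_DURATION:
        raise ValueError(f"duration must be {MIN_DURATION}-{MAX_DURATION} seconds")
    # Percent-encode the id so a value like "x/../y" cannot change the path.
    path = f"/api/v1/admin/users/{quote(user_id, safe='')}/impersonate"
    url = f"{base_url.rstrip('/')}{path}?{urlencode({'duration': duration})}"
    return Request(url, method="POST",
                   headers={"Authorization": f"Bearer {admin_token}"})

def check_impersonation_response(body, user_id, duration):
    """Return deviations from the documented response; an empty list means OK."""
    data = json.loads(body)
    problems = []
    if not data.get("access_token"):
        problems.append("missing access_token")
    if data.get("token_type") != "bearer":
        problems.append("unexpected token_type")
    if data.get("expires_in") != duration:  # assumption: echoes the request
        problems.append("expires_in differs from requested duration")
    if data.get("impersonated_user_id") != user_id:
        problems.append("token issued for a different user")
    if "refresh_token" in data:  # assumed field name; none should be present
        problems.append("refresh token present")
    return problems

# Constructed sample response, modelled on the one shown above.
SAMPLE_RESPONSE = json.dumps({
    "access_token": "eyJhbGc...", "token_type": "bearer", "expires_in": 1800,
    "impersonated_user_id": "abc123",
    "message": "Impersonation token issued. This token cannot be refreshed.",
})

if __name__ == "__main__":
    req = build_impersonation_request(
        "http://localhost:8000", "ADMIN_TOKEN", "admin-1", "abc123", 1800)
    print(req.get_method(), req.full_url)
    print(check_impersonation_response(SAMPLE_RESPONSE, "abc123", 1800))
```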
Account Lock Management
Check Lock Status
GET /api/v1/admin/users/{user_id}/lock-status
Authorization: Bearer ADMIN_TOKEN

{
"user_id": "user-uuid",
"is_locked": true,
"failed_login_attempts": 5,
"locked_until": "2026-03-02T12:30:00Z",
"remaining_seconds": 847
}

Unlock an Account
Clear the lock immediately, restoring login access:
POST /api/v1/admin/users/{user_id}/unlock
Authorization: Bearer ADMIN_TOKEN

Returns the updated user object with failed_login_attempts: 0 and locked_until: null.
Collection Maintenance
Truncate a Collection
Delete all records in a collection without dropping the table or schema:
DELETE /api/v1/collections/name/{collection_name}/truncate
Authorization: Bearer ADMIN_TOKEN

Example:
curl -X DELETE http://localhost:8000/api/v1/collections/name/events/truncate \
-H "Authorization: Bearer ADMIN_TOKEN"

This is useful for clearing test data, resetting staging environments, or bulk-removing stale records without modifying the collection schema.
Cron Job Management
FastCMS runs scheduled background tasks (cleanup, token expiry, metrics collection). You can inspect and manually trigger them from the admin API.
List Cron Jobs
GET /api/v1/admin/cron
Authorization: Bearer ADMIN_TOKEN

{
"tasks": [
{
"name": "cleanup_expired_tokens",
"interval": "1h",
"last_run": "2026-03-02T10:00:00Z",
"status": "idle"
},
{
"name": "cleanup_expired_ip_rules",
"interval": "24h",
"last_run": "2026-03-02T00:00:00Z",
"status": "idle"
}
],
"total": 2
}

Manually Trigger a Job
POST /api/v1/admin/cron/{task_name}/trigger
Authorization: Bearer ADMIN_TOKEN

curl -X POST http://localhost:8000/api/v1/admin/cron/cleanup_expired_tokens/trigger \
-H "Authorization: Bearer ADMIN_TOKEN"

{
"message": "Task 'cleanup_expired_tokens' triggered successfully"
}

Triggering a job manually does not affect its scheduled interval; it will still run at its next scheduled time.