Background
The frontend dashboard will have a profile/settings page where merchants can view and update their information. This requires a GET to load the current profile and a PATCH to update editable fields.
Proposed Steps
- Create
GET /merchants/me (protected) — returns the authenticated merchant's full profile
- Create
PATCH /merchants/me (protected) — accepts partial update of: firstName, lastName, businessName, category, description, logo, webhook
- Fields that cannot be changed via this endpoint:
address, email, merchantId, accountContract
- Add input validation for all fields (e.g.
webhook must be a valid HTTPS URL if provided)
- Return the updated merchant profile on
PATCH
Acceptance Criteria
GET /merchants/me returns the full profile of the authenticated merchant
PATCH /merchants/me with valid partial payload → 200 with updated profile
PATCH /merchants/me attempting to change address or email → those fields are silently ignored
- Invalid
webhook URL format → 400
- Unauthenticated request to either endpoint →
401
- Response shape never exposes internal fields (
emailOtp, apiKey hashes, etc.)
Background
The frontend dashboard will have a profile/settings page where merchants can view and update their information. This requires a
GETto load the current profile and aPATCHto update editable fields.Proposed Steps
GET /merchants/me(protected) — returns the authenticated merchant's full profilePATCH /merchants/me(protected) — accepts partial update of:firstName,lastName,businessName,category,description,logo,webhookaddress,email,merchantId,accountContractwebhookmust be a valid HTTPS URL if provided)PATCHAcceptance Criteria
GET /merchants/mereturns the full profile of the authenticated merchantPATCH /merchants/mewith valid partial payload →200with updated profilePATCH /merchants/meattempting to changeaddressoremail→ those fields are silently ignoredwebhookURL format →400401emailOtp,apiKeyhashes, etc.)