# Phase 5 - API Endpoints (Profile Management)

Status: implemented  
Date: 2026-02-25

## Endpoints added

- `GET /auth/token-profiles`
  - Role: `viewer`+
  - Scope: current user only
  - Response: masked token only

- `POST /auth/token-profiles`
  - Role: `analyst`+
  - Create profile with sources and optional account presets

- `PATCH /auth/token-profiles/:id`
  - Role: `analyst`+
  - Partial update profile metadata/sources/presets

- `DELETE /auth/token-profiles/:id`
  - Role: `analyst`+
  - Delete owned profile

- `POST /auth/token-profiles/:id/set-default`
  - Role: `analyst`+
  - Set one profile as default
  - Also updates `last_used_at`

## Access control

- Endpoint requires authenticated login mode (`LOGIN_REQUIRED=true`).
- User can access only own profile data (`session.userId` boundary).
- If endpoint called in non-login public mode -> returns `LOGIN_REQUIRED`.

## Error payload shape

```json
{
  "ok": false,
  "error": "message",
  "errorCode": "ERROR_CODE"
}
```

## Security behavior

- Error messages pass through token redaction before response/log.
- Token values are never returned in plaintext via profile endpoints.

