Setup POS statistics reveal password (v1)
Method & Path
POST /v1/workspace/:workspaceId/pos/stats-reveal/setup
Description
Sets a dedicated bcrypt-hashed password used only to reveal POS day statistics (sales, discounts, COGS, profit) in the client UI. This is not the workspace login password. Call once per workspace; if a password is already configured, the API returns 409 Conflict.
Authentication
Required: Workspace JWT (Authorization: Bearer …).
Persona: Workspace Owner only — requests must not include X-Staff-Id (same pattern as opening/closing the POS business day).
Permission: store.orders.manage (enforced with owner context).
Headers
| Header | Required | Description |
|---|---|---|
Authorization | Yes | Bearer <workspace_token> |
Content-Type | Yes | application/json |
Path parameters
| Name | Type | Required | Description |
|---|---|---|---|
workspaceId | string | Yes | Workspace ID |
Request body
| Field | Type | Required | Description |
|---|---|---|---|
password | string | Yes | 6–128 characters (trimmed) |
confirmPassword | string | Yes | Must match password |
{
"password": "your-secret-pos-stats",
"confirmPassword": "your-secret-pos-stats"
}
Response 201 Created
{ "ok": true }
Common errors
- 400 Bad Request: Invalid body, password length, or passwords do not match.
- 401 Unauthorized: Missing or invalid token.
- 403 Forbidden: Staff token used (owner-only route).
- 403 Forbidden: Missing
store.orders.manage. - 404 Not Found: Workspace not found.
- 409 Conflict: Statistics reveal password already configured.