# Profile Picture

Fetch the authenticated user's profile picture. The endpoint redirects to the actual image URL.

---

## Endpoint

```
GET https://fahipay.mv/images/profiles/picture/?t={timestamp}
```

---

## Prerequisites

- Valid `authID` from [login](01-login.md) or [OTP](02-otp.md)
- Valid `__Secure-sess` session cookie

---

## Request

### Headers

| Header | Value |
|---|---|
| `authid` | `xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx` |
| `User-Agent` | `okhttp/4.12.0` |
| `Accept-Encoding` | `gzip` |
| `Connection` | `Keep-Alive` |
| `Cookie` | `__Secure-sess=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx` |

### Query Parameters

| Parameter | Description | Example |
|---|---|---|
| `t` | Cache-busting timestamp string | `Sat May 16 2026 14:57:52 GMT+0500` |

The `t` parameter is a URL-encoded timestamp used to prevent browser caching. The value can be any string — the server ignores it for routing purposes.

---

## curl Example

```bash
curl --request GET \
  --url 'https://fahipay.mv/images/profiles/picture/?t=Sat%20Jan%2001%202026%2012:00:00%20GMT+0500' \
  --compressed \
  --header 'Accept-Encoding: gzip' \
  --header 'Connection: Keep-Alive' \
  --header 'Cookie: __Secure-sess=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
  --header 'User-Agent: okhttp/4.12.0' \
  --header 'authid: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
```

---

## Response

### Success

The server responds with `HTTP 302` and a `Location` header pointing to the actual image URL.

```
HTTP/1.1 302 Found
Location: https://fahipay.mv/images/profiles/0000/avatar.jpg?v=0000000000
```

Follow the redirect to download the image. The final response is the raw image bytes (`image/jpeg` or `image/png`).

---

### No Picture Set

If the user has not uploaded a profile picture, the redirect points to a default placeholder image:

```
Location: https://fahipay.mv/images/profiles/default.png
```

---

### Error

If the session is invalid, the server returns `HTTP 401` or redirects to an error page.

---

## Implementation Notes

- HTTP clients that follow redirects automatically (e.g. `OkHttpClient` with `followRedirects(true)`) will return the image bytes directly.
- Use `followRedirects(false)` and read the `Location` header if you need the resolved image URL separately.
- The image URL contains the user's `profileID` in the path — this matches the `profileID` field from the [profile response](03-profile.md).
- The `v=` query parameter in the image URL is a version/cache key. It changes when the user updates their picture.

---

## Suggested Usage

```
timestamp = current time formatted as URL-safe string
GET /images/profiles/picture/?t={timestamp}
  → 302 Location: <image URL>
  → GET <image URL>
  → image bytes
```

Cache the downloaded image by `profileID` and re-fetch when the user explicitly refreshes, rather than on every app launch.

---

&nbsp;

---

[← Transaction History](05-history.md)