diff --git a/cmd/registry.go b/cmd/registry.go
index 37805054..cb19f486 100644
--- a/cmd/registry.go
+++ b/cmd/registry.go
@@ -14,7 +14,6 @@ import (
 "github.com/containerish/OpenRegistry/registry/v2/extensions"
 "github.com/containerish/OpenRegistry/router"
 github_actions_server "github.com/containerish/OpenRegistry/services/kon/github_actions/v1/server"
- "github.com/containerish/OpenRegistry/store/postgres"
 store_v2 "github.com/containerish/OpenRegistry/store/v2"
 "github.com/containerish/OpenRegistry/store/v2/automation"
 "github.com/containerish/OpenRegistry/store/v2/emails"
@@ -77,14 +76,6 @@ func RunRegistryServer(ctx *cli.Context) {
 logger := telemetry.ZLogger(fluentBitCollector, cfg.Environment)
 e := echo.New()
- pgStore, err := postgres.New(&cfg.StoreConfig)
- if err != nil {
- color.Red("ERR_PG_CONN: %s", err.Error())
- return
- }
- defer pgStore.Close()
- _ = pgStore
-
 rawDB := store_v2.NewDB(cfg.StoreConfig, cfg.Environment)
 registryStore := registry_store.NewStore(rawDB, logger)
 usersStore := users.NewStore(rawDB, logger)
@@ -123,7 +114,7 @@ func RunRegistryServer(ctx *cli.Context) {
 if cfg.Integrations.GetGithubConfig() != nil && cfg.Integrations.GetGithubConfig().Enabled {
 ghApp, err := github.NewGithubApp(
 cfg.Integrations.GetGithubConfig(),
- pgStore,
+ usersStore,
 logger,
 cfg.WebAppConfig.AllowedEndpoints,
 cfg.Environment,
@@ -140,7 +131,7 @@ func RunRegistryServer(ctx *cli.Context) {
 &cfg.Registry.Auth,
 logger,
 buildAutomationStore,
- pgStore,
+ usersStore,
 )
 go func() {
 hostPort := fmt.Sprintf("%s:%d", ghConfig.Host, ghConfig.Port)
diff --git a/services/kon/github_actions/v1/server/interceptor.go b/services/kon/github_actions/v1/server/interceptor.go
index 6f6b3818..78015897 100644
--- a/services/kon/github_actions/v1/server/interceptor.go
+++ b/services/kon/github_actions/v1/server/interceptor.go
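Review bot: The removed block held the only startup connectivity check and the only `defer pgStore.Close()`, and the `rawDB := store_v2.NewDB(cfg.StoreConfig, cfg.Environment)` that now stands in for it returns no error and is never closed anywhere in the hunk, so an unreachable or misconfigured database is no longer detected before the server starts listening and whatever pool NewDB opens (its contract is not visible here) is not released on shutdown. I would add a ping right after construction with the same `color.Red(...); return` treatment the old code gave `ERR_PG_CONN`, plus `defer rawDB.Close()` if the returned handle exposes one. The leftover `err` from the deleted `pgStore, err :=` is not a problem since the later `ghApp, err :=` declares its own. RunRegistryServer continues outside the hunk.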
@@ -31,7 +31,7 @@ func NewGitHubAppUsernameInterceptor(
 return nil, err
 }
- user, err := ghStore.GetUserById(ctx, userID, false, nil)
+ user, err := ghStore.GetUserByID(ctx, userID)
 if err != nil {
 logEvent.Str("error", err.Error()).Send()
 return nil, connect.NewError(connect.CodeFailedPrecondition, err)
@@ -57,7 +57,7 @@ func PopulateContextWithUserInterceptor(
 logEvent.Err(err).Send()
 return nil, err
 }
- user, err := ghStore.GetUserById(ctx, userID, false, nil)
+ user, err := ghStore.GetUserByID(ctx, userID)
 if err != nil {
 logEvent.Err(err).Send()
 return nil, connect.NewError(connect.CodeFailedPrecondition, err)
@@ -97,7 +97,7 @@ func (i *githubAppStreamingInterceptor) WrapUnary(next connect.UnaryFunc) connec
 return nil, connect.NewError(connect.CodeUnauthenticated, err)
 }
- user, err := i.store.GetUserById(ctx, userID, false, nil)
+ user, err := i.store.GetUserByID(ctx, userID)
 if err != nil {
 logEvent.Str("error", err.Error()).Send()
 return nil, connect.NewError(connect.CodeFailedPrecondition, err)
@@ -158,7 +158,7 @@ func (i *githubAppStreamingInterceptor) WrapStreamingHandler(
 logEvent.Err(err).Send()
 return connect.NewError(connect.CodeUnauthenticated, err)
 }
- user, err := i.store.GetUserById(ctx, userID, false, nil)
+ user, err := i.store.GetUserByID(ctx, userID)
 if err != nil {
 logEvent.Str("error", err.Error()).Send()
 return connect.NewError(connect.CodeFailedPrecondition, err)
diff --git a/services/kon/github_actions/v1/server/interceptor_helpers.go b/services/kon/github_actions/v1/server/interceptor_helpers.go
index bebedd28..4d3cad0f 100644
--- a/services/kon/github_actions/v1/server/interceptor_helpers.go
+++ b/services/kon/github_actions/v1/server/interceptor_helpers.go
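Review bot: All four replacements drop the explicit `false` that the old `GetUserById(ctx, userID, false, nil)` passed as its with-password flag, and the new `GetUserByID(ctx, userID)` has no equivalent, so whether the `*types.User` these interceptors attach to the request context now carries the password hash depends entirely on the v2 store's default, which is not visible here. That value is reachable by every downstream handler, so please confirm the store's behaviour and, if it returns the full row, clear the credential fields before the user is placed in ctx. The same change appears in the hunks at -57, -97 and -158; each enclosing function starts and ends outside its hunk.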
@@ -10,44 +10,49 @@ import (
 "github.com/bufbuild/connect-go"
 "github.com/containerish/OpenRegistry/auth"
 "github.com/containerish/OpenRegistry/telemetry"
- "github.com/fatih/color"
 "github.com/golang-jwt/jwt/v5"
+ "github.com/google/uuid"
 )
-func getTokenFromReq(req connect.AnyRequest, jwtSigningPubKey *rsa.PublicKey) (string, error) {
+func getTokenFromReq(req connect.AnyRequest, jwtSigningPubKey *rsa.PublicKey) (uuid.UUID, error) {
 token, err := tryTokenFromReqHeaders(req, jwtSigningPubKey)
 if err != nil {
 token, err = tryTokenFromReqCookies(req)
 if err != nil {
- return "", err
+ return uuid.Nil, fmt.Errorf("getTokenFromReq: tryTokenFromReqCookies: %w", err)
 }
 }
 return token, nil
 }
-func tryTokenFromReqCookies(req connect.AnyRequest) (string, error) {
+func tryTokenFromReqCookies(req connect.AnyRequest) (uuid.UUID, error) {
 tmpReq := http.Request{Header: req.Header()}
 sessionCookie, err := tmpReq.Cookie("session_id")
 if err != nil {
- return "", err
+ return uuid.Nil, fmt.Errorf("tryTokenFromReqCookies: ERR_NO_COOKIE: %w", err)
 }
 sessionID, err := url.QueryUnescape(sessionCookie.Value)
 if err != nil {
- return "", err
+ return uuid.Nil, fmt.Errorf("tryTokenFromReqCookies: ERR_WRONG_ENCODING: %w", err)
 }
- return sessionID, nil
+ parsedID, err := uuid.Parse(sessionID)
+ if err != nil {
+ return uuid.Nil, fmt.Errorf("tryTokenFromReqCookies: ERR_UUID_PARSE: %w", err)
+ }
+
+ return parsedID, nil
 }
-func tryTokenFromReqHeaders(req connect.AnyRequest, jwtSigningPubKey *rsa.PublicKey) (string, error) {
+func tryTokenFromReqHeaders(req connect.AnyRequest, jwtSigningPubKey *rsa.PublicKey) (uuid.UUID, error) {
 authToken := req.Header().Get("Authorization")
 tokenParts := strings.Split(authToken, " ")
 if len(tokenParts) == 2 {
 if !strings.EqualFold(tokenParts[0], "Bearer") {
- errMsg := fmt.Errorf("invalid authorization scheme")
- return "", errMsg
+ errMsg := fmt.Errorf("tryTokenFromReqHeaders: invalid authorization scheme")
+ return uuid.Nil, errMsg
 }
 claims := &auth.Claims{}
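Review bot: `tryTokenFromReqCookies` still treats the unescaped `session_id` cookie as the caller's identity — after the new `uuid.Parse` it returns that ID with no signature or server-side session check, while the Bearer path beside it verifies a JWT against `jwtSigningPubKey`, and `getTokenFromReq` falls back to the cookie on any header error, including a rejected signature. The interceptor.go hunks feed the returned ID straight into `GetUserByID`, so unless the cookie is validated somewhere not shown, the cookie value alone decides which user a request runs as; resolve it through a session store (or make it a signed token) before trusting the UUID. Note too that vcs/github/github.go in this same commit derives its ID as `strings.Split(sessionID, ":")[1]`, i.e. a `<prefix>:<uuid>` layout, whereas here the whole value is parsed as a UUID — if both read the same cookie, one format is wrong. Minor: `fmt.Errorf("tryTokenFromReqHeaders: invalid authorization scheme")` has no verbs and should be `errors.New`. tryTokenFromReqHeaders continues past the end of the hunk.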
@@ -55,65 +60,74 @@ func tryTokenFromReqHeaders(req connect.AnyRequest, jwtSigningPubKey *rsa.Public
 return jwtSigningPubKey, nil
 })
 if err != nil {
- return "", err
+ return uuid.Nil, fmt.Errorf("tryTokenFromReqHeaders: ERR_JWT_CLAIM_PARSE: %w", err)
 }
 claims, ok := token.Claims.(*auth.Claims)
 if !ok {
- return "", fmt.Errorf("error parsing claims from token")
+ return uuid.Nil, fmt.Errorf("tryTokenFromReqHeaders: error parsing claims from token")
 }
- return claims.Subject, nil
+ parsedID, err := uuid.Parse(claims.Subject)
+ if err != nil {
+ return uuid.Nil, fmt.Errorf("tryTokenFromReqHeaders: ERR_UUID_PARSE: %w", err)
+ }
+ return parsedID, nil
 }
 errMsg := fmt.Errorf("auth token contains invalid parts")
- return "", errMsg
+ return uuid.Nil, errMsg
 }
 func getTokenFromConn(
 conn connect.StreamingHandlerConn,
 jwtSigningPubKey *rsa.PublicKey,
 logger telemetry.Logger,
-) (string, error) {
+) (uuid.UUID, error) {
 token, err := tryTokenFromConnHeaders(conn, jwtSigningPubKey, logger)
 if err != nil {
 token, err = tryTokenFromConnCookies(conn)
 if err != nil {
- return "", err
+ return uuid.Nil, err
 }
 }
 return token, nil
 }
-func tryTokenFromConnCookies(conn connect.StreamingHandlerConn) (string, error) {
+func tryTokenFromConnCookies(conn connect.StreamingHandlerConn) (uuid.UUID, error) {
 tmpReq := http.Request{Header: conn.RequestHeader()}
 sessionCookie, err := tmpReq.Cookie("session_id")
 if err != nil {
- return "", err
+ return uuid.Nil, err
 }
 sessionID, err := url.QueryUnescape(sessionCookie.Value)
 if err != nil {
- return "", err
+ return uuid.Nil, err
 }
- return sessionID, nil
+ parsedID, err := uuid.Parse(sessionID)
+ if err != nil {
+ return uuid.Nil, fmt.Errorf("tryTokenFromConnCookies: ERR_UUID_PARSE: %w", err)
+ }
+
+ return parsedID, nil
 }
 func tryTokenFromConnHeaders(
 conn connect.StreamingHandlerConn,
 jwtSigningPubKey *rsa.PublicKey,
 logger telemetry.Logger,
-) (string, error) {
+) (uuid.UUID, error) {
 logEvent := logger.Debug().Str("procedure", conn.Spec().Procedure)
 authToken := conn.RequestHeader().Get("Authorization")
 tokenParts := strings.Split(authToken, " ")
 if len(tokenParts) == 2 {
 if !strings.EqualFold(tokenParts[0], "Bearer") {
- errMsg := fmt.Errorf("invalid authorization scheme")
+ errMsg := fmt.Errorf("tryTokenFromConnHeaders: invalid authorization scheme")
 logEvent.Err(errMsg).Send()
- return "", errMsg
+ return uuid.Nil, errMsg
 }
 claims := &auth.Claims{}
@@ -122,27 +136,31 @@ func tryTokenFromConnHeaders(
 })
 if err != nil {
 logEvent.Err(err).Send()
- return "", err
+ return uuid.Nil, fmt.Errorf("tryTokenFromConnHeaders: ERR_JWT_CLAIM_PARSE: %w", err)
 }
 if !token.Valid {
- errMsg := fmt.Errorf("JWT is invalid")
+ errMsg := fmt.Errorf("tryTokenFromConnHeaders: JWT is invalid")
 logEvent.Err(errMsg).Send()
- return "", errMsg
+ return uuid.Nil, errMsg
 }
 claims, ok := token.Claims.(*auth.Claims)
 if !ok {
- errMsg := fmt.Errorf("error parsing claims from token")
+ errMsg := fmt.Errorf("tryTokenFromConnHeaders: error parsing claims from token")
 logEvent.Err(errMsg).Send()
- return "", errMsg
+ return uuid.Nil, errMsg
+ }
+
+ parsedID, err := uuid.Parse(claims.Subject)
+ if err != nil {
+ return uuid.Nil, fmt.Errorf("tryTokenFromConnHeaders: ERR_UUID_PARSE: %w", err)
 }
- color.Yellow("claims from token: %#v", claims.Subject)
 logEvent.Bool("success", true).Send()
- return claims.Subject, nil
+ return parsedID, nil
 }
- errMsg := fmt.Errorf("invalid auth token")
+ errMsg := fmt.Errorf("tryTokenFromConnHeaders: invalid auth token")
 logEvent.Err(errMsg).Send()
- return "", errMsg
+ return uuid.Nil, errMsg
 }
diff --git a/services/kon/github_actions/v1/server/server.go b/services/kon/github_actions/v1/server/server.go
index 609ea7f6..aaec800c 100644
--- a/services/kon/github_actions/v1/server/server.go
+++ b/services/kon/github_actions/v1/server/server.go
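Review bot: `tryTokenFromReqHeaders` goes from `jwt.ParseWithClaims` straight to the claims assertion without the `if !token.Valid` guard that `tryTokenFromConnHeaders` applies in the next hunk; as far as I know jwt/v5 already reports validation failures through the returned error, but the two paths should stay identical so a change to one cannot quietly weaken the other — add the same guard before `claims, ok := token.Claims.(*auth.Claims)`. `tryTokenFromConnCookies` has the same unauthenticated-cookie problem raised on the first hunk, and it and `getTokenFromConn` return errors bare (`return uuid.Nil, err`) while their Req counterparts wrap with a function prefix, so one convention should be chosen. The prefixed messages such as `ERR_JWT_CLAIM_PARSE: %w` also reach the client through `connect.NewError(connect.CodeUnauthenticated, err)` in interceptor.go, exposing the library's exact reason (expired, bad signature); log the detailed error and return a generic one. tryTokenFromReqHeaders starts before this hunk and tryTokenFromConnHeaders ends after it.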
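Review bot: The new `uuid.Parse(claims.Subject)` failure path in `tryTokenFromConnHeaders` returns without emitting `logEvent`, so the debug event opened at the top of the function — and sent on every other exit in this hunk — is silently dropped when the subject is malformed; add `logEvent.Err(err).Send()` before `return uuid.Nil, fmt.Errorf("tryTokenFromConnHeaders: ERR_UUID_PARSE: %w", err)`. tryTokenFromConnHeaders begins before this hunk.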
@@ -10,7 +10,7 @@ import (
 "github.com/containerish/OpenRegistry/config"
 github_actions_v1 "github.com/containerish/OpenRegistry/services/kon/github_actions/v1"
 connect_v1 "github.com/containerish/OpenRegistry/services/kon/github_actions/v1/github_actions_v1connect"
- build_automation_store "github.com/containerish/OpenRegistry/store/postgres/build_automation"
+ "github.com/containerish/OpenRegistry/store/v2/automation"
 "github.com/containerish/OpenRegistry/telemetry"
 "github.com/containerish/OpenRegistry/vcs"
 "github.com/fatih/color"
@@ -22,7 +22,7 @@ type GitHubActionsServer struct {
 config *config.Integration
 github *github.Client
 transport *ghinstallation.AppsTransport
- store build_automation_store.BuildAutomationStore
+ store automation.BuildAutomationStore
 activeLogStreamJobs map[string]*streamLogsJob
 mu *sync.RWMutex
 }
@@ -36,7 +36,7 @@ func NewGithubActionsServer(
 config *config.Integration,
 authConfig *config.Auth,
 logger telemetry.Logger,
- store build_automation_store.BuildAutomationStore,
+ store automation.BuildAutomationStore,
 ghStore vcs.VCSStore,
 ) *http.ServeMux {
 if !config.Enabled {
diff --git a/vcs/github/github.go b/vcs/github/github.go
index 3eefdd48..6336e1cf 100644
--- a/vcs/github/github.go
+++ b/vcs/github/github.go
@@ -13,6 +13,7 @@ import (
 "github.com/containerish/OpenRegistry/telemetry"
 "github.com/containerish/OpenRegistry/vcs"
 "github.com/google/go-github/v50/github"
+ "github.com/google/uuid"
 "github.com/labstack/echo/v4"
 )
@@ -106,7 +107,15 @@ func (gh *ghAppService) getUsernameMiddleware() echo.MiddlewareFunc {
 return echoErr
 }
 userID := strings.Split(sessionID, ":")[1]
- user, err := gh.store.GetUserById(c.Request().Context(), userID, false, nil)
+ parsedID, err := uuid.Parse(userID)
+ if err != nil {
+ echoErr := c.JSON(http.StatusForbidden, echo.Map{
+ "error": err.Error(),
+ })
+ gh.logger.Log(c, err).Send()
+ return echoErr
+ }
+ user, err := gh.store.GetUserByID(c.Request().Context(), parsedID)
 if err != nil {
 echoErr := c.JSON(http.StatusNotAcceptable, echo.Map{
 "error": err.Error(),
diff --git a/vcs/github/handlers.go b/vcs/github/handlers.go
index 01e81135..4661773f 100644
--- a/vcs/github/handlers.go
+++ b/vcs/github/handlers.go
@@ -61,7 +61,7 @@ func (gh *ghAppService) HandleAppFinish(ctx echo.Context) error {
 }
 }
- if err = gh.store.UpdateUser(ctx.Request().Context(), user); err != nil {
+ if _, err = gh.store.UpdateUser(ctx.Request().Context(), user); err != nil {
 echoErr := ctx.JSON(http.StatusBadRequest, echo.Map{
 "error": err.Error(),
 })
@@ -107,7 +107,7 @@ func (gh *ghAppService) HandleSetupCallback(ctx echo.Context) error {
 InstallationID: installationID,
 }
- if err := gh.store.UpdateUser(ctx.Request().Context(), user); err != nil {
+ if _, err = gh.store.UpdateUser(ctx.Request().Context(), user); err != nil {
 // if err := gh.store.UpdateInstallationID(ctx.Request().Context(), installationID, username); err != nil {
 echoErr := ctx.JSON(http.StatusBadRequest, echo.Map{
 "error": err.Error(),
diff --git a/vcs/vcs.go b/vcs/vcs.go
index 3ae90c7a..6f642240 100644
--- a/vcs/vcs.go
+++ b/vcs/vcs.go
@@ -4,7 +4,7 @@ import (
 "context"
 "github.com/containerish/OpenRegistry/store/v2/types"
- pgx "github.com/jackc/pgx/v4"
+ "github.com/google/uuid"
 "github.com/labstack/echo/v4"
 )
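Review bot: The new `uuid.Parse(userID)` guard in `getUsernameMiddleware` sits after the unchanged `userID := strings.Split(sessionID, ":")[1]`, which indexes `[1]` unconditionally and panics on a value with no colon, so a malformed session value still aborts the request (or surfaces as a 500 through a recover middleware, if one is installed) before the new check ever runs; `_, userID, ok := strings.Cut(sessionID, ":")` with a rejection on `!ok` would cover both cases. The status codes are also inconsistent: a bad ID gets `http.StatusForbidden` here while a failed lookup a few lines down gets `http.StatusNotAcceptable`, and both are really authentication failures that do not need `err.Error()` echoed into the response body. Where sessionID comes from is outside the hunk, and getUsernameMiddleware continues past it.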
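Review bot: In `HandleSetupCallback` the call changed from `if err := gh.store.UpdateUser(...)` to `if _, err = gh.store.UpdateUser(...)`, so it now assigns to an `err` declared earlier in the function (outside the hunk) instead of a scoped one — fine if that variable exists, but it is worth confirming since the -61 hunk in HandleAppFinish already used `=`. The commented-out `UpdateInstallationID` line left beneath it is dead code and should be removed with this change. Both handlers start and end outside their hunks.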
@@ -23,8 +23,8 @@ type VCS interface {
 }
 type VCSStore interface {
- GetUserById(ctx context.Context, userId string, wihtPassword bool, txn pgx.Tx) (*types.User, error)
- UpdateUser(ctx context.Context, u *types.User) error
+ GetUserByID(ctx context.Context, userId uuid.UUID) (*types.User, error)
+ UpdateUser(ctx context.Context, u *types.User) (*types.User, error)
 }
 type Repository struct {
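Review bot: The new `GetUserByID` signature names its parameter `userId` while the method name itself spells the initialism `ID`; Go convention (and the `userID` variables at the call sites in interceptor.go) wants `GetUserByID(ctx context.Context, userID uuid.UUID) (*types.User, error)`. The interface also drops the old explicit `wihtPassword bool` without stating what the returned `*types.User` now contains, and `UpdateUser` gains a `*types.User` result that every caller in this commit discards, so a doc comment on each method would make the contract explicit — for example `// GetUserByID returns the user with the given ID; <state here whether credential fields are populated>.` and `// UpdateUser persists u and returns <the stored record or the input — confirm>.`, filled in from the v2 store's actual behaviour.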