diff --git a/src/plugins/api/apps.ts b/src/plugins/api/apps.ts
index 570dea3..0550b1e 100644
--- a/src/plugins/api/apps.ts
+++ b/src/plugins/api/apps.ts
@@ -15,7 +15,7 @@ import { appSchema, errorSchema } from '../../schemas'
 import { getUsers, userIdIsValid, userIsValid } from '../../lib/collections'
 import { generateString } from '../../lib/crypto'
 import { containerFor, getItem, normalize, queryItems, createQuerySpec } from '../../lib/database'
-import { unauthorizedError, serverError, badRequestError, notFoundError } from '../../lib/errors'
+import { unauthorizedError, serverError, badRequestError, notFoundError, forbiddenError } from '../../lib/errors'
 import { attachMedia, deleteMedia } from '../../lib/media'
 import { createInstallationId } from '../../lib/utils'
 
@@ -466,7 +466,7 @@ function getRoute(server: FastifyInstance<Server, IncomingMessage, ServerRespons
 
     const options: RouteShorthandOptions = {
         schema: {
-            description: 'Get App.',
+            description: 'Get an App.',
             tags: ['app'],
             params: {
                 type: 'object',
@@ -548,7 +548,7 @@ function installRoute(server: FastifyInstance<Server, IncomingMessage, ServerRes
         if (!app) return notFoundError(reply)
 
         const { resource: viewer } = await viewerItem.read<User>()
-        if (!userIsValid(viewer)) return unauthorizedError(reply)
+        if (!userIsValid(viewer)) return forbiddenError(reply)
 
         const installations = await queryItems<Installation>({
             container: appContainer,
@@ -635,7 +635,7 @@ function uninstallRoute(server: FastifyInstance<Server, IncomingMessage, ServerR
         if (!app) return notFoundError(reply)
 
         const { resource: viewer } = await viewerItem.read<User>()
-        if (!userIsValid(viewer)) return unauthorizedError(reply)
+        if (!userIsValid(viewer)) return forbiddenError(reply)
 
         const installations = await queryItems<Installation>({
             container: appContainer,
@@ -716,7 +716,7 @@ function installationsRoute(server: FastifyInstance<Server, IncomingMessage, Ser
         })
 
         if (!viewer) return unauthorizedError(reply)
-        if (!userIsValid(viewer)) return unauthorizedError(reply)
+        if (!userIsValid(viewer)) return forbiddenError(reply)
 
         const container = containerFor(server.database.client, 'Apps')
 
diff --git a/src/plugins/api/authentication.ts b/src/plugins/api/authentication.ts
index 3d50937..a5614ba 100644
--- a/src/plugins/api/authentication.ts
+++ b/src/plugins/api/authentication.ts
@@ -10,7 +10,7 @@ import {
 
 import { Server, IncomingMessage, ServerResponse } from 'http'
 
-import { MIN_ID_LENGTH, MAX_ID_LENGTH, MAX_NAME_LENGTH, MIN_PASSWORD_LENGTH, INSTALLATION_PARTITION_KEY } from '../../constants'
+import { MIN_ID_LENGTH, MAX_ID_LENGTH, MAX_NAME_LENGTH, MIN_PASSWORD_LENGTH, INSTALLATION_PARTITION_KEY, APP_PARTITION_KEY } from '../../constants'
 import { tokenResponseSchema, selfSchema, errorSchema } from '../../schemas'
 import { createAccessToken, createRefreshToken } from '../../lib/authentication'
 import { getUser, getUserIdFromEmail, getUserIdFromPhone } from '../../lib/collections'
@@ -164,7 +164,7 @@ function registerRoute(server: FastifyInstance<Server, IncomingMessage, ServerRe
 
         const apps = await queryItems<App>({
             container: appContainer,
-            query: 'SELECT * FROM Apps a WHERE a.active = true AND a.preinstall = true',
+            query: `SELECT * FROM Apps a WHERE a.pk = '${APP_PARTITION_KEY}' AND a.active = true AND a.preinstall = true`,
             logger: request.log,
         })
 
diff --git a/src/plugins/api/groups.ts b/src/plugins/api/groups.ts
index b95e803..f303b2e 100644
--- a/src/plugins/api/groups.ts
+++ b/src/plugins/api/groups.ts
@@ -783,7 +783,7 @@ function createInvitationRoute(server: FastifyInstance<Server, IncomingMessage,
         },
     }
 
-    server.post<DefaultQuery, DefaultParams, DefaultHeaders, Body>('/v1/group/:id/invitation', options, async (request, reply) => {
+    server.post<DefaultQuery, DefaultParams, DefaultHeaders, Body>('/v1/group/invitation', options, async (request, reply) => {
         if (!server.database) return serverError(reply)
         if (!request.viewer) return unauthorizedError(reply)
 
@@ -792,7 +792,7 @@ function createInvitationRoute(server: FastifyInstance<Server, IncomingMessage,
 
         const container = containerFor(server.database.client, 'Groups')
 
-        const group = await getItem<Group>({ container, id: request.params.id })
+        const group = await getItem<Group>({ container, id: membership.pk })
         if (!group) return notFoundError(reply)
 
         const code = createInvitationCode()
@@ -867,7 +867,7 @@ function invitationsRoute(server: FastifyInstance<Server, IncomingMessage, Serve
         },
     }
 
-    server.get<Query, DefaultParams, DefaultHeaders, DefaultBody>('/v1/group/:id/invitations', options, async (request, reply) => {
+    server.get<Query, DefaultParams, DefaultHeaders, DefaultBody>('/v1/group/invitations', options, async (request, reply) => {
         if (!server.database) return serverError(reply)
         if (!request.viewer) return unauthorizedError(reply)
 
@@ -876,7 +876,7 @@ function invitationsRoute(server: FastifyInstance<Server, IncomingMessage, Serve
 
         const container = containerFor(server.database.client, 'Groups')
 
-        const group = await getItem<Group>({ container, id: request.params.id })
+        const group = await getItem<Group>({ container, id: membership.pk })
         if (!group) return notFoundError(reply)
 
         const { continuation } = request.query
@@ -948,7 +948,7 @@ function logsRoute(server: FastifyInstance<Server, IncomingMessage, ServerRespon
         },
     }
 
-    server.get<Query, DefaultParams, DefaultHeaders, DefaultBody>('/v1/group/:id/logs', options, async (request, reply) => {
+    server.get<Query, DefaultParams, DefaultHeaders, DefaultBody>('/v1/group/logs', options, async (request, reply) => {
         if (!server.database) return serverError(reply)
         if (!request.viewer) return unauthorizedError(reply)
 
@@ -957,7 +957,7 @@ function logsRoute(server: FastifyInstance<Server, IncomingMessage, ServerRespon
 
         const container = containerFor(server.database.client, 'Groups')
 
-        const group = await getItem<Group>({ container, id: request.params.id })
+        const group = await getItem<Group>({ container, id: membership.pk })
         if (!group) return notFoundError(reply)
 
         const { continuation } = request.query
diff --git a/src/plugins/api/media.ts b/src/plugins/api/media.ts
index 6f26497..da5f748 100644
--- a/src/plugins/api/media.ts
+++ b/src/plugins/api/media.ts
@@ -106,7 +106,7 @@ function addRoute(server: FastifyInstance<Server, IncomingMessage, ServerRespons
 }
 
 function deleteRoute(server: FastifyInstance<Server, IncomingMessage, ServerResponse>) {
-    interface Body {
+    interface Params {
         name: string
     }
 
@@ -114,7 +114,7 @@ function deleteRoute(server: FastifyInstance<Server, IncomingMessage, ServerResp
         schema: {
             description: 'Delete a media item.',
             tags: ['media'],
-            body: {
+            querystring: {
                 type: 'object',
                 required: ['name'],
                 properties: {
@@ -131,10 +131,10 @@ function deleteRoute(server: FastifyInstance<Server, IncomingMessage, ServerResp
         },
     }
 
-    server.post<DefaultQuery, DefaultParams, DefaultHeaders, Body>('/v1/media/delete', options, async (request, reply) => {
+    server.delete<DefaultQuery, Params, DefaultHeaders, DefaultBody>('/v1/media', options, async (request, reply) => {
         if (!server.database) return serverError(reply)
 
-        const mediaItem = containerFor(server.database.client, 'Media').item(request.body.name, MEDIA_PARTITION_KEY)
+        const mediaItem = containerFor(server.database.client, 'Media').item(request.query.name, MEDIA_PARTITION_KEY)
         const { resource: media } = await mediaItem.read<Media>()
 
         if (!media) return badRequestError(reply)
diff --git a/src/plugins/api/posts.ts b/src/plugins/api/posts.ts
index 6403453..dc62ace 100644
--- a/src/plugins/api/posts.ts
+++ b/src/plugins/api/posts.ts
@@ -375,7 +375,7 @@ function postsByUserRoute(server: FastifyInstance<Server, IncomingMessage, Serve
 
                 const viewer = await getItem<User>({ container: userContainer, id: request.viewer.id })
                 if (!viewer) return serverError(reply)
-                if (!viewer.groupId) return unauthorizedError(reply)
+                if (!userIsValid(viewer)) return forbiddenError(reply)
 
                 const subscriptions = await getApprovedSubscriptions(server.database.client, user.id, request.viewer.id, request.log)
                 if (viewer.groupId !== user.groupId && subscriptions.length === 0) return unauthorizedError(reply)
@@ -387,9 +387,9 @@ function postsByUserRoute(server: FastifyInstance<Server, IncomingMessage, Serve
         if (request.viewer) {
             const viewer = await getItem<User>({ container: userContainer, id: request.viewer.id })
             if (!viewer) return serverError(reply)
-            if (!viewer.groupId) return unauthorizedError(reply)
+            if (!userIsValid(viewer)) return forbiddenError(reply)
 
-            const blocks = await getUserBlocks(server.database.client, user.id, [viewer.id, viewer.groupId], request.log)
+            const blocks = await getUserBlocks(server.database.client, user.id, [viewer.id, viewer.groupId!], request.log)
             if (blocks.length > 0) return unauthorizedError(reply)
         }
 
@@ -575,7 +575,7 @@ function postRoute(server: FastifyInstance<Server, IncomingMessage, ServerRespon
         if (request.viewer) {
             const viewer = await getItem<User>({ container: containerFor(server.database.client, 'Users'), id: request.viewer.id })
             if (!viewer) return serverError(reply)
-            if (!viewer.groupId) return unauthorizedError(reply)
+            if (!userIsValid(viewer)) return forbiddenError(reply)
 
             const blockQuery = createQuerySpec(`
                 SELECT g.userId FROM Groups g WHERE
@@ -585,7 +585,7 @@ function postRoute(server: FastifyInstance<Server, IncomingMessage, ServerRespon
                     ARRAY_CONTAINS(@ids, g.userId)
             `, {
                 viewer: viewer.id,
-                viewerGroup: viewer.groupId,
+                viewerGroup: viewer.groupId!,
                 ids: userIds,
                 type: GroupItemType.Block,
             })
diff --git a/src/plugins/api/users.ts b/src/plugins/api/users.ts
index 8a8cb0f..b68345c 100644
--- a/src/plugins/api/users.ts
+++ b/src/plugins/api/users.ts
@@ -10,8 +10,8 @@ import {
 
 import { Server, IncomingMessage, ServerResponse } from 'http'
 
-import { unauthorizedError, serverError, notFoundError, badRequestError, badRequestFormError } from '../../lib/errors'
-import { getUserBlocks, getUser, getUserIdFromPhone, getUserIdFromEmail } from '../../lib/collections'
+import { unauthorizedError, serverError, notFoundError, badRequestError, badRequestFormError, forbiddenError } from '../../lib/errors'
+import { getUserBlocks, getUser, getUserIdFromPhone, getUserIdFromEmail, userIsValid } from '../../lib/collections'
 import { containerFor, createQuerySpec, queryItems, getItem, normalize } from '../../lib/database'
 import { deleteMedia, attachMedia } from '../../lib/media'
 
@@ -140,6 +140,7 @@ function updateRoute(server: FastifyInstance<Server, IncomingMessage, ServerResp
         const { resource: viewer } = await viewerItem.read<User>()
 
         if (!viewer) return serverError(reply)
+        if (!userIsValid(viewer)) return forbiddenError(reply)
 
         const {
             name,
@@ -253,9 +254,9 @@ function getRoute(server: FastifyInstance<Server, IncomingMessage, ServerRespons
         if (request.viewer && request.viewer.id !== user.id) {
             const viewer = await getItem<User>({ container: userContainer, id: request.viewer.id })
             if (!viewer) return serverError(reply)
-            if (!viewer.groupId) return unauthorizedError(reply)
+            if (!userIsValid(viewer)) return forbiddenError(reply)
 
-            const blocks = await getUserBlocks(server.database.client, user.id, [viewer.id, viewer.groupId], request.log)
+            const blocks = await getUserBlocks(server.database.client, user.id, [viewer.id, viewer.groupId!], request.log)
             if (blocks.length > 0) return unauthorizedError(reply)
 
             const subscription = (await queryItems<UserSubscription>({
@@ -331,7 +332,7 @@ function subscribeRoute(server: FastifyInstance<Server, IncomingMessage, ServerR
         if (!server.database) return serverError(reply)
         if (!request.viewer) return unauthorizedError(reply)
 
-        if (request.viewer.id === request.params.id) return badRequestError(reply)
+        if (request.viewer.id === request.params.id) return badRequestError(reply, 'Cannot subscribe to self')
 
         const userContainer = containerFor(server.database.client, 'Users')
         const user = await getItem<User>({ container: userContainer, id: request.params.id })
@@ -339,7 +340,7 @@ function subscribeRoute(server: FastifyInstance<Server, IncomingMessage, ServerR
 
         if (!user) return notFoundError(reply)
         if (!viewer) return serverError(reply)
-        if (!viewer.groupId) return unauthorizedError(reply)
+        if (!userIsValid(viewer)) return forbiddenError(reply)
 
         const subscriptionQuery = createQuerySpec(`SELECT u.id FROM Users u WHERE u.id = @user AND u.pk = @viewer AND u.t = @type`, {
             user: user.id,
@@ -370,14 +371,14 @@ function subscribeRoute(server: FastifyInstance<Server, IncomingMessage, ServerR
                 (g.blockedId = @viewer OR g.blockedId = @viewerGroup)
         `, {
             user: user.id,
-            viewerGroup: viewer.groupId,
+            viewerGroup: viewer.groupId!,
             type: GroupItemType.Block,
         })
 
         const blocks = await queryItems<GroupBlock>({
             container: containerFor(server.database.client, 'Groups'),
             query: blockQuery,
-            logger: request.log
+            logger: request.log,
         })
 
         if (blocks.length > 0) return badRequestError(reply, 'Invalid operation')
@@ -563,7 +564,7 @@ function unblockRoute(server: FastifyInstance<Server, IncomingMessage, ServerRes
 
         const user = await getItem<User>({ container: userContainer, id: request.params.id })
         if (!user) return notFoundError(reply)
-        if (!user.groupId) return badRequestError(reply, 'Invalid operation')
+        if (!user.groupId) return badRequestError(reply)
 
         const userBlockQuery = createQuerySpec(`SELECT u.id FROM Users u WHERE u.pk = @pk AND u.blockedId = @blocked AND u.t = @type`, {
             pk: request.viewer.id,
@@ -574,7 +575,7 @@ function unblockRoute(server: FastifyInstance<Server, IncomingMessage, ServerRes
         const userBlocks = await queryItems<UserBlock>({
             container: userContainer,
             query: userBlockQuery,
-            logger: request.log
+            logger: request.log,
         })
 
         for (const userBlock of userBlocks) {