diff --git a/services/identity/src/constants.rs b/services/identity/src/constants.rs
index 1a1f95084..21a3fa62f 100644
--- a/services/identity/src/constants.rs
+++ b/services/identity/src/constants.rs
@@ -1,360 +1,361 @@
 use tokio::time::Duration;
 
 // Secrets
 
 pub const SECRETS_DIRECTORY: &str = "secrets";
 pub const SECRETS_SETUP_FILE: &str = "server_setup.txt";
 
 // DynamoDB
 
 // User table information, supporting opaque_ke 2.0 and X3DH information
 
 // Users can sign in either through username+password or Eth wallet.
 //
 // This structure should be aligned with the messages defined in
 // shared/protos/identity_unauthenticated.proto
 //
 // Structure for a user should be:
 // {
 //   userID: String,
 //   opaqueRegistrationData: Option<String>,
 //   username: Option<String>,
 //   walletAddress: Option<String>,
 //   devices: HashMap<String, Device>
 // }
 //
 // A device is defined as:
 // {
 //     deviceType: String, # client or keyserver
 //     keyPayload: String,
 //     keyPayloadSignature: String,
 //     identityPreKey: String,
 //     identityPreKeySignature: String,
 //     identityOneTimeKeys: Vec<String>,
 //     notifPreKey: String,
 //     notifPreKeySignature: String,
 //     notifOneTimeKeys: Vec<String>,
 //     socialProof: Option<String>
 //   }
 // }
 //
 // Additional context:
 // "devices" uses the signing public identity key of the device as a key for the devices map
 // "keyPayload" is a JSON encoded string containing identity and notif keys (both signature and verification)
 // if "deviceType" == "keyserver", then the device will not have any notif key information
 
 pub const USERS_TABLE: &str = "identity-users";
 pub const USERS_TABLE_PARTITION_KEY: &str = "userID";
 pub const USERS_TABLE_REGISTRATION_ATTRIBUTE: &str = "opaqueRegistrationData";
 pub const USERS_TABLE_USERNAME_ATTRIBUTE: &str = "username";
 pub const USERS_TABLE_DEVICES_MAP_DEVICE_TYPE_ATTRIBUTE_NAME: &str =
   "deviceType";
 pub const USERS_TABLE_WALLET_ADDRESS_ATTRIBUTE: &str = "walletAddress";
 pub const USERS_TABLE_SOCIAL_PROOF_ATTRIBUTE_NAME: &str = "socialProof";
 pub const USERS_TABLE_DEVICELIST_TIMESTAMP_ATTRIBUTE_NAME: &str =
   "deviceListTimestamp";
 pub const USERS_TABLE_FARCASTER_ID_ATTRIBUTE_NAME: &str = "farcasterID";
 pub const USERS_TABLE_USERNAME_LOWER_ATTRIBUTE_NAME: &str = "usernameLower";
 pub const USERS_TABLE_USERNAME_INDEX: &str = "username-index";
 pub const USERS_TABLE_WALLET_ADDRESS_INDEX: &str = "walletAddress-index";
 pub const USERS_TABLE_FARCASTER_ID_INDEX: &str = "farcasterID-index";
 pub const USERS_TABLE_USERNAME_LOWER_INDEX: &str = "usernameLower-index";
 
 pub mod token_table {
   pub const NAME: &str = "identity-tokens";
   pub const PARTITION_KEY: &str = "userID";
   pub const SORT_KEY: &str = "signingPublicKey";
   pub const ATTR_CREATED: &str = "created";
   pub const ATTR_AUTH_TYPE: &str = "authType";
   pub const ATTR_VALID: &str = "valid";
   pub const ATTR_TOKEN: &str = "token";
 }
 
 pub const NONCE_TABLE: &str = "identity-nonces";
 pub const NONCE_TABLE_PARTITION_KEY: &str = "nonce";
 pub const NONCE_TABLE_CREATED_ATTRIBUTE: &str = "created";
 pub const NONCE_TABLE_EXPIRATION_TIME_ATTRIBUTE: &str = "expirationTime";
 pub const NONCE_TABLE_EXPIRATION_TIME_UNIX_ATTRIBUTE: &str =
   "expirationTimeUnix";
 
 pub const WORKFLOWS_IN_PROGRESS_TABLE: &str = "identity-workflows-in-progress";
 pub const WORKFLOWS_IN_PROGRESS_PARTITION_KEY: &str = "id";
 pub const WORKFLOWS_IN_PROGRESS_WORKFLOW_ATTRIBUTE: &str = "workflow";
 pub const WORKFLOWS_IN_PROGRESS_TABLE_EXPIRATION_TIME_UNIX_ATTRIBUTE: &str =
   "expirationTimeUnix";
 
 // Usernames reserved because they exist in Ashoat's keyserver already
 pub const RESERVED_USERNAMES_TABLE: &str = "identity-reserved-usernames";
 pub const RESERVED_USERNAMES_TABLE_PARTITION_KEY: &str = "username";
 pub const RESERVED_USERNAMES_TABLE_USER_ID_ATTRIBUTE: &str = "userID";
 pub const RESERVED_USERNAMES_TABLE_USERNAME_LOWER_ATTRIBUTE: &str =
   "usernameLower";
 pub const RESERVED_USERNAMES_TABLE_USERNAME_LOWER_INDEX: &str =
   "usernameLower-index";
 pub const RESERVED_USERNAMES_TABLE_USER_ID_INDEX: &str = "userID-index";
 
 // Users table social proof attribute
 pub const SOCIAL_PROOF_MESSAGE_ATTRIBUTE: &str = "siweMessage";
 pub const SOCIAL_PROOF_SIGNATURE_ATTRIBUTE: &str = "siweSignature";
 
 pub mod devices_table {
   /// table name
   pub const NAME: &str = "identity-devices";
   pub const TIMESTAMP_INDEX_NAME: &str = "deviceList-timestamp-index";
   pub const DEVICE_ID_INDEX_NAME: &str = "deviceID-index";
 
   /// partition key
   pub const ATTR_USER_ID: &str = "userID";
   /// sort key
   pub const ATTR_ITEM_ID: &str = "itemID";
 
   // itemID prefixes (one shouldn't be a prefix of the other)
   pub const DEVICE_ITEM_KEY_PREFIX: &str = "device-";
   pub const DEVICE_LIST_KEY_PREFIX: &str = "devicelist-";
 
   // device-specific attrs
   pub const ATTR_DEVICE_KEY_INFO: &str = "deviceKeyInfo";
   pub const ATTR_CONTENT_PREKEY: &str = "contentPreKey";
   pub const ATTR_NOTIF_PREKEY: &str = "notifPreKey";
   pub const ATTR_PLATFORM_DETAILS: &str = "platformDetails";
   pub const ATTR_LOGIN_TIME: &str = "loginTime";
 
   // IdentityKeyInfo constants
   pub const ATTR_KEY_PAYLOAD: &str = "keyPayload";
   pub const ATTR_KEY_PAYLOAD_SIGNATURE: &str = "keyPayloadSignature";
 
   // PreKey constants
   pub const ATTR_PREKEY: &str = "preKey";
   pub const ATTR_PREKEY_SIGNATURE: &str = "preKeySignature";
 
   // PlatformDetails constants
   pub const ATTR_DEVICE_TYPE: &str = "deviceType";
   pub const ATTR_CODE_VERSION: &str = "codeVersion";
   pub const ATTR_STATE_VERSION: &str = "stateVersion";
   pub const ATTR_MAJOR_DESKTOP_VERSION: &str = "majorDesktopVersion";
 
   // device-list-specific attrs
   pub const ATTR_TIMESTAMP: &str = "timestamp";
   pub const ATTR_DEVICE_IDS: &str = "deviceIDs";
   pub const ATTR_CURRENT_SIGNATURE: &str = "curPrimarySignature";
   pub const ATTR_LAST_SIGNATURE: &str = "lastPrimarySignature";
 
   // one-time key constants
   pub const ATTR_CONTENT_OTK_COUNT: &str = "contentOTKCount";
   pub const ATTR_NOTIF_OTK_COUNT: &str = "notifOTKCount";
 
   // deprecated attributes
   pub const OLD_ATTR_DEVICE_TYPE: &str = "deviceType";
   pub const OLD_ATTR_CODE_VERSION: &str = "codeVersion";
 }
 
 // One time keys table, which need to exist in their own table to ensure
 // atomicity of additions and removals
 pub mod one_time_keys_table {
   pub const NAME: &str = "identity-one-time-keys";
   pub const PARTITION_KEY: &str = "userID#deviceID#olmAccount";
   pub const SORT_KEY: &str = "timestamp#keyNumber";
   pub const ATTR_ONE_TIME_KEY: &str = "oneTimeKey";
 }
 
 // Tokio
 
 pub const MPSC_CHANNEL_BUFFER_CAPACITY: usize = 1;
 pub const IDENTITY_SERVICE_SOCKET_ADDR: &str = "[::]:50054";
 pub const IDENTITY_SERVICE_WEBSOCKET_ADDR: &str = "[::]:51004";
 
 pub const SOCKET_HEARTBEAT_TIMEOUT: Duration = Duration::from_secs(3);
 
 // Token
 
 pub const ACCESS_TOKEN_LENGTH: usize = 512;
 
 // Temporary config
 
 pub const AUTH_TOKEN: &str = "COMM_IDENTITY_SERVICE_AUTH_TOKEN";
 pub const KEYSERVER_PUBLIC_KEY: &str = "KEYSERVER_PUBLIC_KEY";
 
 // Nonce
 
 pub const NONCE_LENGTH: usize = 17;
 pub const NONCE_TTL_DURATION: Duration = Duration::from_secs(900); // seconds
 
 // Device list
 
 pub const DEVICE_LIST_TIMESTAMP_VALID_FOR: Duration = Duration::from_secs(300);
 
 // Workflows in progress
 
 pub const WORKFLOWS_IN_PROGRESS_TTL_DURATION: Duration =
   Duration::from_secs(120);
 
 // LocalStack
 
 pub const LOCALSTACK_ENDPOINT: &str = "LOCALSTACK_ENDPOINT";
 
 // OPAQUE Server Setup
 
 pub const OPAQUE_SERVER_SETUP: &str = "OPAQUE_SERVER_SETUP";
 
 // Identity Search
 
 pub const OPENSEARCH_ENDPOINT: &str = "OPENSEARCH_ENDPOINT";
 pub const DEFAULT_OPENSEARCH_ENDPOINT: &str =
   "identity-search-domain.us-east-2.opensearch.localhost.localstack.cloud:4566";
 pub const IDENTITY_SEARCH_INDEX: &str = "users";
 pub const IDENTITY_SEARCH_RESULT_SIZE: u32 = 20;
 
 // Log Error Types
 
 pub mod error_types {
   pub const GENERIC_DB_LOG: &str = "DB Error";
   pub const OTK_DB_LOG: &str = "One-time Key DB Error";
   pub const DEVICE_LIST_DB_LOG: &str = "Device List DB Error";
   pub const TOKEN_DB_LOG: &str = "Token DB Error";
   pub const FARCASTER_DB_LOG: &str = "Farcaster DB Error";
 
   pub const SYNC_LOG: &str = "Sync Error";
   pub const SEARCH_LOG: &str = "Search Error";
   pub const SIWE_LOG: &str = "SIWE Error";
   pub const GRPC_SERVICES_LOG: &str = "gRPC Services Error";
   pub const TUNNELBROKER_LOG: &str = "Tunnelbroker Error";
   pub const HTTP_LOG: &str = "HTTP Error";
 }
 
 // Tonic Status Messages
 pub mod tonic_status_messages {
   pub const UNEXPECTED_MESSAGE_DATA: &str = "unexpected_message_data";
   pub const SIGNATURE_INVALID: &str = "signature_invalid";
   pub const MALFORMED_KEY: &str = "malformed_key";
   pub const VERIFICATION_FAILED: &str = "verification_failed";
   pub const MALFORMED_PAYLOAD: &str = "malformed_payload";
   pub const INVALID_DEVICE_LIST_PAYLOAD: &str = "invalid_device_list_payload";
   pub const USERNAME_ALREADY_EXISTS: &str = "username_already_exists";
   pub const USERNAME_RESERVED: &str = "username_reserved";
   pub const WALLET_ADDRESS_TAKEN: &str = "wallet_address_taken";
   pub const WALLET_ADDRESS_NOT_RESERVED: &str = "wallet_address_not_reserved";
   pub const WALLET_ADDRESS_MISMATCH: &str = "wallet_address_mismatch";
   pub const DEVICE_ID_ALREADY_EXISTS: &str = "device_id_already_exists";
   pub const USER_NOT_FOUND: &str = "user_not_found";
   pub const INVALID_NONCE: &str = "invalid_nonce";
   pub const NONCE_EXPIRED: &str = "nonce_expired";
   pub const FID_TAKEN: &str = "fid_taken";
   pub const CANNOT_LINK_FID: &str = "cannot_link_fid";
   pub const INVALID_PLATFORM_METADATA: &str = "invalid_platform_metadata";
   pub const MISSING_CREDENTIALS: &str = "missing_credentials";
   pub const BAD_CREDENTIALS: &str = "bad_credentials";
   pub const SESSION_NOT_FOUND: &str = "session_not_found";
   pub const INVALID_TIMESTAMP: &str = "invalid_timestamp";
   pub const INVALID_USERNAME: &str = "invalid_username";
   pub const USERNAME_NOT_RESERVED: &str = "username_not_reserved";
   pub const NEED_KEYSERVER_MESSAGE_TO_CLAIM_USERNAME: &str =
     "need_keyserver_message_to_claim_username";
   pub const UNEXPECTED_INITIAL_DEVICE_LIST: &str =
     "unexpected_initial_device_list";
   pub const DEVICE_LIST_ERROR: &str = "device_list_error";
   pub const DEVICE_NOT_IN_DEVICE_LIST: &str = "device_not_in_device_list";
   pub const NO_IDENTIFIER_PROVIDED: &str = "no_identifier_provided";
   pub const USER_ALREADY_HAS_KEYSERVER: &str = "user_already_has_keyserver";
   pub const RETRY: &str = "retry";
   pub const INVALID_DEVICE_LIST_UPDATE: &str = "invalid_device_list_update";
   pub const INVALID_DEVICE_LIST_SIGNATURE: &str =
     "invalid_device_list_signature";
   pub const UNEXPECTED_ERROR: &str = "unexpected_error";
   pub const NO_DEVICE_LIST: &str = "no_device_list";
   pub const USER_ID_MISSING: &str = "user_id_missing";
   pub const DEVICE_ID_MISSING: &str = "device_id_missing";
   pub const MISSING_CONTENT_KEYS: &str = "missing_content_keys";
   pub const MISSING_NOTIF_KEYS: &str = "missing_notif_keys";
   pub const KEYSERVER_NOT_FOUND: &str = "keyserver_not_found";
   pub const PASSWORD_USER: &str = "password_user";
   pub const WALLET_USER: &str = "wallet_user";
   pub const INVALID_MESSAGE: &str = "invalid_message";
   pub const INVALID_MESSAGE_FORMAT: &str = "invalid_message_format";
   pub const MISSING_PLATFORM_OR_CODE_VERSION_METADATA: &str =
     "missing_platform_or_code_version_metadata";
   pub const MISSING_KEY: &str = "missing_key";
   pub const MESSAGE_NOT_AUTHENTICATED: &str = "message_not_authenticated";
   pub const RETRY_FROM_NATIVE: &str = "retry_from_native";
+  pub const USER_IS_NOT_STAFF: &str = "user_is_not_staff";
 }
 
 // Tunnelbroker
 pub const TUNNELBROKER_GRPC_ENDPOINT: &str = "TUNNELBROKER_GRPC_ENDPOINT";
 pub const DEFAULT_TUNNELBROKER_ENDPOINT: &str = "http://localhost:50051";
 
 // Backup
 pub const BACKUP_SERVICE_URL: &str = "BACKUP_SERVICE_URL";
 pub const DEFAULT_BACKUP_SERVICE_URL: &str = "http://localhost:50052";
 
 // X3DH key management
 
 // Threshold for requesting more one_time keys
 pub const ONE_TIME_KEY_MINIMUM_THRESHOLD: usize = 5;
 // Number of keys to be refreshed when below the threshold
 pub const ONE_TIME_KEY_REFRESH_NUMBER: u32 = 5;
 
 // Minimum supported code versions
 
 pub const MIN_SUPPORTED_NATIVE_VERSION: u64 = 270;
 
 // Request metadata
 
 pub mod request_metadata {
   pub const CODE_VERSION: &str = "code_version";
   pub const STATE_VERSION: &str = "state_version";
   pub const MAJOR_DESKTOP_VERSION: &str = "major_desktop_version";
   pub const DEVICE_TYPE: &str = "device_type";
   pub const USER_ID: &str = "user_id";
   pub const DEVICE_ID: &str = "device_id";
   pub const ACCESS_TOKEN: &str = "access_token";
 }
 
 // CORS
 
 pub mod cors {
   use std::time::Duration;
 
   pub const DEFAULT_MAX_AGE: Duration = Duration::from_secs(24 * 60 * 60);
   pub const DEFAULT_EXPOSED_HEADERS: [&str; 3] =
     ["grpc-status", "grpc-message", "grpc-status-details-bin"];
   pub const DEFAULT_ALLOW_HEADERS: [&str; 12] = [
     "x-grpc-web",
     "content-type",
     "x-user-agent",
     "grpc-timeout",
     "authorization",
     super::request_metadata::CODE_VERSION,
     super::request_metadata::STATE_VERSION,
     super::request_metadata::MAJOR_DESKTOP_VERSION,
     super::request_metadata::DEVICE_TYPE,
     super::request_metadata::USER_ID,
     super::request_metadata::DEVICE_ID,
     super::request_metadata::ACCESS_TOKEN,
   ];
   pub const ALLOW_ORIGIN_LIST: &str = "ALLOW_ORIGIN_LIST";
   pub const PROD_ORIGIN_HOST_STR: &str = "web.comm.app";
 }
 
 // Tracing
 
 pub const COMM_SERVICES_USE_JSON_LOGS: &str = "COMM_SERVICES_USE_JSON_LOGS";
 pub const REDACT_SENSITIVE_DATA: &str = "REDACT_SENSITIVE_DATA";
 
 // Regex
 
 pub const VALID_USERNAME_REGEX_STRING: &str =
   r"^[a-zA-Z0-9][a-zA-Z0-9-_]{0,190}$";
 
 // Retry
 
 // TODO: Replace this with `ExponentialBackoffConfig` from `comm-lib`
 pub mod retry {
   pub const MAX_ATTEMPTS: usize = 8;
 
   pub const CONDITIONAL_CHECK_FAILED: &str = "ConditionalCheckFailed";
   pub const TRANSACTION_CONFLICT: &str = "TransactionConflict";
 }
 
 // One-time keys
 pub const ONE_TIME_KEY_UPLOAD_LIMIT_PER_ACCOUNT: usize = 24;
 pub const ONE_TIME_KEY_SIZE: usize = 43; // as defined in olm
 pub const MAX_ONE_TIME_KEYS: usize = 100; // as defined in olm
diff --git a/services/identity/src/grpc_services/authenticated.rs b/services/identity/src/grpc_services/authenticated.rs
index b83cd37a3..42a9f8d8a 100644
--- a/services/identity/src/grpc_services/authenticated.rs
+++ b/services/identity/src/grpc_services/authenticated.rs
@@ -1,973 +1,990 @@
 use std::collections::{HashMap, HashSet};
 
 use crate::config::CONFIG;
 use crate::database::{DeviceListUpdate, PlatformDetails};
 use crate::device_list::validation::DeviceListValidator;
 use crate::device_list::SignedDeviceList;
 use crate::error::consume_error;
 use crate::log::redact_sensitive_data;
 use crate::{
   client_service::{handle_db_error, WorkflowInProgress},
   constants::{error_types, request_metadata, tonic_status_messages},
   database::DatabaseClient,
   grpc_services::shared::{get_platform_metadata, get_value},
 };
 use chrono::DateTime;
 use comm_lib::auth::AuthService;
 use comm_opaque2::grpc::protocol_error_to_grpc_status;
 use tonic::{Request, Response, Status};
 use tracing::{debug, error, trace};
 
 use super::protos::auth::{
   identity_client_service_server::IdentityClientService,
   DeletePasswordUserFinishRequest, DeletePasswordUserStartRequest,
   DeletePasswordUserStartResponse, GetDeviceListRequest, GetDeviceListResponse,
   InboundKeyInfo, InboundKeysForUserRequest, InboundKeysForUserResponse,
   KeyserverKeysResponse, LinkFarcasterAccountRequest, OutboundKeyInfo,
   OutboundKeysForUserRequest, OutboundKeysForUserResponse,
   PeersDeviceListsRequest, PeersDeviceListsResponse,
   PrimaryDeviceLogoutRequest, PrivilegedDeleteUsersRequest,
   RefreshUserPrekeysRequest, UpdateDeviceListRequest,
   UpdateUserPasswordFinishRequest, UpdateUserPasswordStartRequest,
   UpdateUserPasswordStartResponse, UploadOneTimeKeysRequest,
   UserDevicesPlatformDetails, UserIdentitiesRequest, UserIdentitiesResponse,
 };
 use super::protos::unauth::Empty;
 
 #[derive(derive_more::Constructor)]
 pub struct AuthenticatedService {
   db_client: DatabaseClient,
   comm_auth_service: AuthService,
 }
 
 fn get_auth_info(req: &Request<()>) -> Option<(String, String, String)> {
   trace!("Retrieving auth info for request: {:?}", req);
 
   let user_id = get_value(req, request_metadata::USER_ID)?;
   let device_id = get_value(req, request_metadata::DEVICE_ID)?;
   let access_token = get_value(req, request_metadata::ACCESS_TOKEN)?;
 
   Some((user_id, device_id, access_token))
 }
 
 pub fn auth_interceptor(
   req: Request<()>,
   db_client: &DatabaseClient,
 ) -> Result<Request<()>, Status> {
   trace!("Intercepting request to check auth info: {:?}", req);
 
   let (user_id, device_id, access_token) =
     get_auth_info(&req).ok_or_else(|| {
       Status::unauthenticated(tonic_status_messages::MISSING_CREDENTIALS)
     })?;
 
   let handle = tokio::runtime::Handle::current();
   let new_db_client = db_client.clone();
 
   // This function cannot be `async`, yet must call the async db call
   // Force tokio to resolve future in current thread without an explicit .await
   let valid_token = tokio::task::block_in_place(move || {
     handle.block_on(new_db_client.verify_access_token(
       user_id,
       device_id,
       access_token,
     ))
   })?;
 
   if !valid_token {
     return Err(Status::aborted(tonic_status_messages::BAD_CREDENTIALS));
   }
 
   Ok(req)
 }
 
 pub fn get_user_and_device_id<T>(
   request: &Request<T>,
 ) -> Result<(String, String), Status> {
   let user_id =
     get_value(request, request_metadata::USER_ID).ok_or_else(|| {
       Status::unauthenticated(tonic_status_messages::USER_ID_MISSING)
     })?;
   let device_id =
     get_value(request, request_metadata::DEVICE_ID).ok_or_else(|| {
       Status::unauthenticated(tonic_status_messages::DEVICE_ID_MISSING)
     })?;
 
   Ok((user_id, device_id))
 }
 
 fn spawn_delete_tunnelbroker_data_task(device_ids: Vec<String>) {
   tokio::spawn(async move {
     debug!(
       "Attempting to delete Tunnelbroker data for devices: {:?}",
       device_ids.as_slice()
     );
     let result = crate::tunnelbroker::delete_devices_data(&device_ids).await;
     consume_error(result);
   });
 }
 
 #[tonic::async_trait]
 impl IdentityClientService for AuthenticatedService {
   #[tracing::instrument(skip_all)]
   async fn refresh_user_prekeys(
     &self,
     request: Request<RefreshUserPrekeysRequest>,
   ) -> Result<Response<Empty>, Status> {
     let (user_id, device_id) = get_user_and_device_id(&request)?;
     let message = request.into_inner();
 
     debug!("Refreshing prekeys for user: {}", user_id);
 
     let content_key = message.new_content_prekey.ok_or_else(|| {
       Status::invalid_argument(tonic_status_messages::MISSING_CONTENT_KEYS)
     })?;
     let notif_key = message.new_notif_prekey.ok_or_else(|| {
       Status::invalid_argument(tonic_status_messages::MISSING_NOTIF_KEYS)
     })?;
 
     self
       .db_client
       .update_device_prekeys(
         user_id,
         device_id,
         content_key.into(),
         notif_key.into(),
       )
       .await?;
 
     let response = Response::new(Empty {});
     Ok(response)
   }
 
   #[tracing::instrument(skip_all)]
   async fn get_outbound_keys_for_user(
     &self,
     request: tonic::Request<OutboundKeysForUserRequest>,
   ) -> Result<tonic::Response<OutboundKeysForUserResponse>, tonic::Status> {
     let message = request.into_inner();
     let user_id = &message.user_id;
 
     let devices_map = self
       .db_client
       .get_keys_for_user(user_id, true)
       .await?
       .ok_or_else(|| {
         tonic::Status::not_found(tonic_status_messages::USER_NOT_FOUND)
       })?;
 
     let transformed_devices = devices_map
       .into_iter()
       .map(|(key, device_info)| (key, OutboundKeyInfo::from(device_info)))
       .collect::<HashMap<_, _>>();
 
     Ok(tonic::Response::new(OutboundKeysForUserResponse {
       devices: transformed_devices,
     }))
   }
 
   #[tracing::instrument(skip_all)]
   async fn get_inbound_keys_for_user(
     &self,
     request: tonic::Request<InboundKeysForUserRequest>,
   ) -> Result<tonic::Response<InboundKeysForUserResponse>, tonic::Status> {
     let message = request.into_inner();
     let user_id = &message.user_id;
 
     let devices_map = self
       .db_client
       .get_keys_for_user(user_id, false)
       .await
       .map_err(handle_db_error)?
       .ok_or_else(|| {
         tonic::Status::not_found(tonic_status_messages::USER_NOT_FOUND)
       })?;
 
     let transformed_devices = devices_map
       .into_iter()
       .map(|(key, device_info)| (key, InboundKeyInfo::from(device_info)))
       .collect::<HashMap<_, _>>();
 
     let identifier = self
       .db_client
       .get_user_identity(user_id)
       .await?
       .ok_or_else(|| {
         tonic::Status::not_found(tonic_status_messages::USER_NOT_FOUND)
       })?;
 
     Ok(tonic::Response::new(InboundKeysForUserResponse {
       devices: transformed_devices,
       identity: Some(identifier.into()),
     }))
   }
 
   #[tracing::instrument(skip_all)]
   async fn get_keyserver_keys(
     &self,
     request: Request<OutboundKeysForUserRequest>,
   ) -> Result<Response<KeyserverKeysResponse>, Status> {
     let message = request.into_inner();
 
     let identifier = self
       .db_client
       .get_user_identity(&message.user_id)
       .await?
       .ok_or_else(|| {
         tonic::Status::not_found(tonic_status_messages::USER_NOT_FOUND)
       })?;
 
     let Some(keyserver_info) = self
       .db_client
       .get_keyserver_keys_for_user(&message.user_id)
       .await?
     else {
       return Err(Status::not_found(
         tonic_status_messages::KEYSERVER_NOT_FOUND,
       ));
     };
 
     let primary_device_data = self
       .db_client
       .get_primary_device_data(&message.user_id)
       .await?;
     let primary_device_keys = primary_device_data.device_key_info;
 
     let response = Response::new(KeyserverKeysResponse {
       keyserver_info: Some(keyserver_info.into()),
       identity: Some(identifier.into()),
       primary_device_identity_info: Some(primary_device_keys.into()),
     });
 
     return Ok(response);
   }
 
   #[tracing::instrument(skip_all)]
   async fn upload_one_time_keys(
     &self,
     request: tonic::Request<UploadOneTimeKeysRequest>,
   ) -> Result<tonic::Response<Empty>, tonic::Status> {
     let (user_id, device_id) = get_user_and_device_id(&request)?;
     let message = request.into_inner();
 
     debug!("Attempting to update one time keys for user: {}", user_id);
     self
       .db_client
       .append_one_time_prekeys(
         &user_id,
         &device_id,
         &message.content_one_time_prekeys,
         &message.notif_one_time_prekeys,
       )
       .await?;
 
     Ok(tonic::Response::new(Empty {}))
   }
 
   #[tracing::instrument(skip_all)]
   async fn update_user_password_start(
     &self,
     request: tonic::Request<UpdateUserPasswordStartRequest>,
   ) -> Result<tonic::Response<UpdateUserPasswordStartResponse>, tonic::Status>
   {
     let (user_id, _) = get_user_and_device_id(&request)?;
 
     let Some((username, password_file)) = self
       .db_client
       .get_username_and_password_file(&user_id)
       .await?
     else {
       return Err(tonic::Status::permission_denied(
         tonic_status_messages::WALLET_USER,
       ));
     };
 
     let message = request.into_inner();
 
     let mut server_login = comm_opaque2::server::Login::new();
     let login_response = server_login
       .start(
         &CONFIG.server_setup,
         &password_file,
         &message.opaque_login_request,
         username.as_bytes(),
       )
       .map_err(protocol_error_to_grpc_status)?;
 
     let server_registration = comm_opaque2::server::Registration::new();
     let registration_response = server_registration
       .start(
         &CONFIG.server_setup,
         &message.opaque_registration_request,
         username.as_bytes(),
       )
       .map_err(protocol_error_to_grpc_status)?;
 
     let update_state = UpdatePasswordInfo::new(server_login);
     let session_id = self
       .db_client
       .insert_workflow(WorkflowInProgress::Update(Box::new(update_state)))
       .await?;
 
     let response = UpdateUserPasswordStartResponse {
       session_id,
       opaque_registration_response: registration_response,
       opaque_login_response: login_response,
     };
     Ok(Response::new(response))
   }
 
   #[tracing::instrument(skip_all)]
   async fn update_user_password_finish(
     &self,
     request: tonic::Request<UpdateUserPasswordFinishRequest>,
   ) -> Result<tonic::Response<Empty>, tonic::Status> {
     let (user_id, _) = get_user_and_device_id(&request)?;
 
     let message = request.into_inner();
 
     let Some(WorkflowInProgress::Update(state)) =
       self.db_client.get_workflow(message.session_id).await?
     else {
       return Err(tonic::Status::not_found(
         tonic_status_messages::SESSION_NOT_FOUND,
       ));
     };
 
     let mut server_login = state.opaque_server_login;
     server_login
       .finish(&message.opaque_login_upload)
       .map_err(protocol_error_to_grpc_status)?;
 
     let server_registration = comm_opaque2::server::Registration::new();
     let password_file = server_registration
       .finish(&message.opaque_registration_upload)
       .map_err(protocol_error_to_grpc_status)?;
 
     self
       .db_client
       .update_user_password(user_id, password_file)
       .await?;
 
     let response = Empty {};
     Ok(Response::new(response))
   }
 
   #[tracing::instrument(skip_all)]
   async fn log_out_user(
     &self,
     request: tonic::Request<Empty>,
   ) -> Result<tonic::Response<Empty>, tonic::Status> {
     let (user_id, device_id) = get_user_and_device_id(&request)?;
 
     self.db_client.remove_device(&user_id, &device_id).await?;
 
     self
       .db_client
       .delete_otks_table_rows_for_user_device(&user_id, &device_id)
       .await?;
 
     self
       .db_client
       .delete_access_token_data(&user_id, &device_id)
       .await?;
 
     let device_list = self
       .db_client
       .get_current_device_list(&user_id)
       .await
       .map_err(|err| {
         error!(
           user_id = redact_sensitive_data(&user_id),
           errorType = error_types::GRPC_SERVICES_LOG,
           "Failed fetching device list: {err}"
         );
         handle_db_error(err)
       })?;
 
     let Some(device_list) = device_list else {
       error!(
         user_id = redact_sensitive_data(&user_id),
         errorType = error_types::GRPC_SERVICES_LOG,
         "User has no device list!"
       );
       return Err(Status::failed_precondition("no device list"));
     };
 
     tokio::spawn(async move {
       debug!(
         "Sending device list updates to {:?}",
         device_list.device_ids
       );
       let device_ids: Vec<&str> =
         device_list.device_ids.iter().map(AsRef::as_ref).collect();
       let result =
         crate::tunnelbroker::send_device_list_update(&device_ids).await;
       consume_error(result);
     });
 
     spawn_delete_tunnelbroker_data_task([device_id].into());
 
     let response = Empty {};
     Ok(Response::new(response))
   }
 
   #[tracing::instrument(skip_all)]
   async fn log_out_primary_device(
     &self,
     request: tonic::Request<PrimaryDeviceLogoutRequest>,
   ) -> Result<tonic::Response<Empty>, tonic::Status> {
     let (user_id, device_id) = get_user_and_device_id(&request)?;
     let message = request.into_inner();
 
     debug!(
       "Primary device logout request for user_id={}, device_id={}",
       user_id, device_id
     );
     self
       .verify_device_on_device_list(
         &user_id,
         &device_id,
         DeviceListItemKind::Primary,
       )
       .await?;
 
     // Get and verify singleton device list
     let parsed_device_list: SignedDeviceList =
       message.signed_device_list.parse()?;
 
     let update_payload = DeviceListUpdate::try_from(parsed_device_list)?;
     crate::device_list::verify_singleton_device_list(
       &update_payload,
       &device_id,
       None,
     )?;
 
     self
       .db_client
       .apply_devicelist_update(
         &user_id,
         update_payload,
         // - We've already validated the list so no need to do it here.
         // - Need to pass the type because it cannot be inferred from None
         None::<DeviceListValidator>,
         // We don't want side effects - we'll take care of removing devices
         // on our own. (Side effect would skip the primary device).
         false,
       )
       .await?;
 
     debug!(user_id, "Attempting to delete user's access tokens");
     self.db_client.delete_all_tokens_for_user(&user_id).await?;
 
     // We must delete the one-time keys first because doing so requires device
     // IDs from the devices table
     debug!(user_id, "Attempting to delete user's one-time keys");
     self
       .db_client
       .delete_otks_table_rows_for_user(&user_id)
       .await?;
 
     debug!(user_id, "Attempting to delete user's devices");
     let device_ids = self
       .db_client
       .delete_devices_data_for_user(&user_id)
       .await?;
 
     spawn_delete_tunnelbroker_data_task(device_ids);
 
     let response = Empty {};
     Ok(Response::new(response))
   }
 
   #[tracing::instrument(skip_all)]
   async fn log_out_secondary_device(
     &self,
     request: tonic::Request<Empty>,
   ) -> Result<tonic::Response<Empty>, tonic::Status> {
     let (user_id, device_id) = get_user_and_device_id(&request)?;
 
     debug!(
       "Secondary device logout request for user_id={}, device_id={}",
       user_id, device_id
     );
     self
       .verify_device_on_device_list(
         &user_id,
         &device_id,
         DeviceListItemKind::Secondary,
       )
       .await?;
 
     self
       .db_client
       .delete_access_token_data(&user_id, &device_id)
       .await?;
 
     self
       .db_client
       .delete_otks_table_rows_for_user_device(&user_id, &device_id)
       .await?;
 
     spawn_delete_tunnelbroker_data_task([device_id].into());
 
     let response = Empty {};
     Ok(Response::new(response))
   }
 
   #[tracing::instrument(skip_all)]
   async fn delete_wallet_user(
     &self,
     request: tonic::Request<Empty>,
   ) -> Result<tonic::Response<Empty>, tonic::Status> {
     let (user_id, _) = get_user_and_device_id(&request)?;
 
     debug!("Attempting to delete wallet user: {}", user_id);
 
     let user_is_password_authenticated = self
       .db_client
       .user_is_password_authenticated(&user_id)
       .await?;
 
     if user_is_password_authenticated {
       return Err(tonic::Status::permission_denied(
         tonic_status_messages::PASSWORD_USER,
       ));
     }
 
     self.delete_tunnelbroker_and_backup_data(&user_id).await?;
 
     self.db_client.delete_user(user_id.clone()).await?;
 
     let response = Empty {};
     Ok(Response::new(response))
   }
 
   #[tracing::instrument(skip_all)]
   async fn delete_password_user_start(
     &self,
     request: tonic::Request<DeletePasswordUserStartRequest>,
   ) -> Result<tonic::Response<DeletePasswordUserStartResponse>, tonic::Status>
   {
     let (user_id, _) = get_user_and_device_id(&request)?;
     let message = request.into_inner();
 
     debug!("Attempting to start deleting password user: {}", user_id);
     let maybe_username_and_password_file = self
       .db_client
       .get_username_and_password_file(&user_id)
       .await?;
 
     let Some((username, password_file_bytes)) =
       maybe_username_and_password_file
     else {
       return Err(tonic::Status::not_found(
         tonic_status_messages::USER_NOT_FOUND,
       ));
     };
 
     let mut server_login = comm_opaque2::server::Login::new();
     let server_response = server_login
       .start(
         &CONFIG.server_setup,
         &password_file_bytes,
         &message.opaque_login_request,
         username.as_bytes(),
       )
       .map_err(protocol_error_to_grpc_status)?;
 
     let delete_state = DeletePasswordUserInfo::new(server_login);
 
     let session_id = self
       .db_client
       .insert_workflow(WorkflowInProgress::PasswordUserDeletion(Box::new(
         delete_state,
       )))
       .await?;
 
     let response = Response::new(DeletePasswordUserStartResponse {
       session_id,
       opaque_login_response: server_response,
     });
     Ok(response)
   }
 
   #[tracing::instrument(skip_all)]
   async fn delete_password_user_finish(
     &self,
     request: tonic::Request<DeletePasswordUserFinishRequest>,
   ) -> Result<tonic::Response<Empty>, tonic::Status> {
     let (user_id, _) = get_user_and_device_id(&request)?;
     let message = request.into_inner();
 
     debug!("Attempting to finish deleting password user: {}", user_id);
     let Some(WorkflowInProgress::PasswordUserDeletion(state)) =
       self.db_client.get_workflow(message.session_id).await?
     else {
       return Err(tonic::Status::not_found(
         tonic_status_messages::SESSION_NOT_FOUND,
       ));
     };
 
     let mut server_login = state.opaque_server_login;
     server_login
       .finish(&message.opaque_login_upload)
       .map_err(protocol_error_to_grpc_status)?;
 
     self.delete_tunnelbroker_and_backup_data(&user_id).await?;
 
     self.db_client.delete_user(user_id.clone()).await?;
 
     let response = Empty {};
     Ok(Response::new(response))
   }
 
   #[tracing::instrument(skip_all)]
   async fn privileged_delete_users(
     &self,
-    _request: tonic::Request<PrivilegedDeleteUsersRequest>,
+    request: tonic::Request<PrivilegedDeleteUsersRequest>,
   ) -> Result<tonic::Response<Empty>, tonic::Status> {
-    unimplemented!()
+    const STAFF_USER_IDS: [&str; 1] = ["256"];
+
+    let (user_id, _) = get_user_and_device_id(&request)?;
+    if !STAFF_USER_IDS.contains(&user_id.as_str()) {
+      return Err(Status::permission_denied(
+        tonic_status_messages::USER_IS_NOT_STAFF,
+      ));
+    }
+
+    for user_id_to_delete in request.into_inner().user_ids {
+      self
+        .delete_tunnelbroker_and_backup_data(&user_id_to_delete)
+        .await?;
+      self.db_client.delete_user(user_id_to_delete).await?;
+    }
+
+    let response = Empty {};
+    Ok(Response::new(response))
   }
 
   #[tracing::instrument(skip_all)]
   async fn get_device_list_for_user(
     &self,
     request: tonic::Request<GetDeviceListRequest>,
   ) -> Result<tonic::Response<GetDeviceListResponse>, tonic::Status> {
     let GetDeviceListRequest {
       user_id,
       since_timestamp,
     } = request.into_inner();
 
     let since = since_timestamp
       .map(|timestamp| {
         DateTime::from_timestamp_millis(timestamp).ok_or_else(|| {
           tonic::Status::invalid_argument(
             tonic_status_messages::INVALID_TIMESTAMP,
           )
         })
       })
       .transpose()?;
 
     let mut db_result = self
       .db_client
       .get_device_list_history(user_id, since)
       .await?;
 
     // these should be sorted already, but just in case
     db_result.sort_by_key(|list| list.timestamp);
 
     let device_list_updates: Vec<SignedDeviceList> = db_result
       .into_iter()
       .map(SignedDeviceList::try_from)
       .collect::<Result<Vec<_>, _>>()?;
 
     let stringified_updates = device_list_updates
       .iter()
       .map(SignedDeviceList::as_json_string)
       .collect::<Result<Vec<_>, _>>()?;
 
     Ok(Response::new(GetDeviceListResponse {
       device_list_updates: stringified_updates,
     }))
   }
 
   #[tracing::instrument(skip_all)]
   async fn get_device_lists_for_users(
     &self,
     request: tonic::Request<PeersDeviceListsRequest>,
   ) -> Result<tonic::Response<PeersDeviceListsResponse>, tonic::Status> {
     let PeersDeviceListsRequest { user_ids } = request.into_inner();
     let request_count = user_ids.len();
     let user_ids: HashSet<String> = user_ids.into_iter().collect();
     debug!(
       "Requesting device lists and platform details for {} users ({} unique)",
       request_count,
       user_ids.len()
     );
 
     // 1. Fetch device lists
     let device_lists =
       self.db_client.get_current_device_lists(user_ids).await?;
     trace!("Found device lists for {} users", device_lists.keys().len());
 
     // 2. Fetch platform details
     let flattened_user_device_ids: Vec<(String, String)> = device_lists
       .iter()
       .flat_map(|(user_id, device_list)| {
         device_list
           .device_ids
           .iter()
           .map(|device_id| (user_id.clone(), device_id.clone()))
           .collect::<Vec<_>>()
       })
       .collect();
 
     let platform_details = self
       .db_client
       .get_devices_platform_details(flattened_user_device_ids)
       .await?;
     trace!(
       "Found platform details for {} users",
       platform_details.keys().len()
     );
 
     // 3. Prepare output format
     let users_device_lists: HashMap<String, String> = device_lists
       .into_iter()
       .map(|(user_id, device_list_row)| {
         let signed_list = SignedDeviceList::try_from(device_list_row)?;
         let serialized_list = signed_list.as_json_string()?;
         Ok((user_id, serialized_list))
       })
       .collect::<Result<_, tonic::Status>>()?;
 
     let users_devices_platform_details = platform_details
       .into_iter()
       .map(|(user_id, devices_map)| {
         (user_id, UserDevicesPlatformDetails::from(devices_map))
       })
       .collect();
 
     let response = PeersDeviceListsResponse {
       users_device_lists,
       users_devices_platform_details,
     };
     Ok(Response::new(response))
   }
 
   #[tracing::instrument(skip_all)]
   async fn update_device_list(
     &self,
     request: tonic::Request<UpdateDeviceListRequest>,
   ) -> Result<Response<Empty>, tonic::Status> {
     let (user_id, device_id) = get_user_and_device_id(&request)?;
     self
       .verify_device_on_device_list(
         &user_id,
         &device_id,
         DeviceListItemKind::Primary,
       )
       .await?;
 
     let new_list = SignedDeviceList::try_from(request.into_inner())?;
     let update = DeviceListUpdate::try_from(new_list)?;
     let validator =
       crate::device_list::validation::update_device_list_rpc_validator;
     self
       .db_client
       .apply_devicelist_update(&user_id, update, Some(validator), true)
       .await?;
 
     Ok(Response::new(Empty {}))
   }
 
   #[tracing::instrument(skip_all)]
   async fn link_farcaster_account(
     &self,
     request: tonic::Request<LinkFarcasterAccountRequest>,
   ) -> Result<Response<Empty>, tonic::Status> {
     let (user_id, _) = get_user_and_device_id(&request)?;
     let message = request.into_inner();
 
     let mut get_farcaster_users_response = self
       .db_client
       .get_farcaster_users(vec![message.farcaster_id.clone()])
       .await?;
 
     if get_farcaster_users_response.len() > 1 {
       error!(
         errorType = error_types::GRPC_SERVICES_LOG,
         "multiple users associated with the same Farcaster ID"
       );
       return Err(Status::failed_precondition(
         tonic_status_messages::CANNOT_LINK_FID,
       ));
     }
 
     if let Some(u) = get_farcaster_users_response.pop() {
       if u.0.user_id == user_id {
         return Ok(Response::new(Empty {}));
       } else {
         return Err(Status::already_exists(tonic_status_messages::FID_TAKEN));
       }
     }
 
     self
       .db_client
       .add_farcaster_id(user_id, message.farcaster_id)
       .await?;
 
     let response = Empty {};
     Ok(Response::new(response))
   }
 
   #[tracing::instrument(skip_all)]
   async fn unlink_farcaster_account(
     &self,
     request: tonic::Request<Empty>,
   ) -> Result<Response<Empty>, tonic::Status> {
     let (user_id, _) = get_user_and_device_id(&request)?;
 
     self.db_client.remove_farcaster_id(user_id).await?;
 
     let response = Empty {};
     Ok(Response::new(response))
   }
 
   #[tracing::instrument(skip_all)]
   async fn find_user_identities(
     &self,
     request: tonic::Request<UserIdentitiesRequest>,
   ) -> Result<Response<UserIdentitiesResponse>, tonic::Status> {
     let message = request.into_inner();
     let user_ids: HashSet<String> = message.user_ids.into_iter().collect();
 
     let users_table_results = self
       .db_client
       .find_db_user_identities(user_ids.clone())
       .await?;
 
     // Look up only user IDs that haven't been found in users table
     let reserved_user_ids_to_query: Vec<String> = user_ids
       .into_iter()
       .filter(|user_id| !users_table_results.contains_key(user_id))
       .collect();
     let reserved_user_identifiers = self
       .db_client
       .query_reserved_usernames_by_user_ids(reserved_user_ids_to_query)
       .await?;
 
     let identities = users_table_results
       .into_iter()
       .map(|(user_id, identifier)| (user_id, identifier.into()))
       .collect();
 
     let response = UserIdentitiesResponse {
       identities,
       reserved_user_identifiers,
     };
     return Ok(Response::new(response));
   }
 
   #[tracing::instrument(skip_all)]
   async fn sync_platform_details(
     &self,
     request: tonic::Request<Empty>,
   ) -> Result<Response<Empty>, tonic::Status> {
     let (user_id, device_id) = get_user_and_device_id(&request)?;
     let platform_metadata = get_platform_metadata(&request)?;
     let platform_details = PlatformDetails::new(platform_metadata, None)
       .map_err(|_| {
         Status::invalid_argument(
           tonic_status_messages::INVALID_PLATFORM_METADATA,
         )
       })?;
 
     self
       .db_client
       .update_device_platform_details(user_id, device_id, platform_details)
       .await?;
 
     Ok(Response::new(Empty {}))
   }
 }
 
 #[allow(dead_code)]
 enum DeviceListItemKind {
   Any,
   Primary,
   Secondary,
 }
 
 impl AuthenticatedService {
   async fn verify_device_on_device_list(
     &self,
     user_id: &String,
     device_id: &String,
     device_kind: DeviceListItemKind,
   ) -> Result<(), tonic::Status> {
     let device_list = self
       .db_client
       .get_current_device_list(user_id)
       .await
       .map_err(|err| {
         error!(
           user_id = redact_sensitive_data(user_id),
           errorType = error_types::GRPC_SERVICES_LOG,
           "Failed fetching device list: {err}"
         );
         handle_db_error(err)
       })?;
 
     let Some(device_list) = device_list else {
       error!(
         user_id = redact_sensitive_data(user_id),
         errorType = error_types::GRPC_SERVICES_LOG,
         "User has no device list!"
       );
       return Err(Status::failed_precondition(
         tonic_status_messages::NO_DEVICE_LIST,
       ));
     };
 
     use DeviceListItemKind as DeviceKind;
     let device_on_list = match device_kind {
       DeviceKind::Any => device_list.has_device(device_id),
       DeviceKind::Primary => device_list.is_primary_device(device_id),
       DeviceKind::Secondary => device_list.has_secondary_device(device_id),
     };
 
     if !device_on_list {
       debug!(
         "Device {} not in device list for user {}",
         device_id, user_id
       );
       return Err(Status::permission_denied(
         tonic_status_messages::DEVICE_NOT_IN_DEVICE_LIST,
       ));
     }
 
     Ok(())
   }
 
   async fn delete_tunnelbroker_and_backup_data(
     &self,
     user_id: &str,
   ) -> Result<(), Status> {
     debug!("Attempting to delete Backup data for user: {}", &user_id);
     let (device_list_result, delete_backup_result) = tokio::join!(
       self.db_client.get_current_device_list(user_id),
       crate::backup::delete_backup_user_data(user_id, &self.comm_auth_service)
     );
 
     let device_ids = device_list_result?
       .map(|list| list.device_ids)
       .unwrap_or_default();
 
     delete_backup_result?;
 
     debug!(
       "Attempting to delete Tunnelbroker data for devices: {:?}",
       device_ids
     );
     crate::tunnelbroker::delete_devices_data(&device_ids).await?;
 
     Ok(())
   }
 }
 
 #[derive(
   Clone, serde::Serialize, serde::Deserialize, derive_more::Constructor,
 )]
 pub struct DeletePasswordUserInfo {
   pub opaque_server_login: comm_opaque2::server::Login,
 }
 
 #[derive(
   Clone, serde::Serialize, serde::Deserialize, derive_more::Constructor,
 )]
 pub struct UpdatePasswordInfo {
   pub opaque_server_login: comm_opaque2::server::Login,
 }