diff --git a/native/utils/farcaster-utils.js b/native/utils/farcaster-utils.js
index 1363d7e4c..0798df2ef 100644
--- a/native/utils/farcaster-utils.js
+++ b/native/utils/farcaster-utils.js
@@ -1,41 +1,38 @@
 // @flow
 
 import * as React from 'react';
 
 import { getMessageForException } from 'lib/utils/errors.js';
 import { useLinkFID } from 'lib/utils/farcaster-utils.js';
 
 import {
   getFarcasterAccountAlreadyLinkedAlertDetails,
   unknownErrorAlertDetails,
 } from './alert-messages.js';
 import Alert from '../utils/alert.js';
 
 function useTryLinkFID(): (newFID: string) => Promise<void> {
   const linkFID = useLinkFID();
 
   return React.useCallback(
     async (newFID: string) => {
       try {
         await linkFID(newFID);
       } catch (e) {
-        if (
-          getMessageForException(e) ===
-          'farcaster ID already associated with different user'
-        ) {
+        if (getMessageForException(e) === 'fid_taken') {
           const { title, message } =
             getFarcasterAccountAlreadyLinkedAlertDetails();
           Alert.alert(title, message);
         } else {
           Alert.alert(
             unknownErrorAlertDetails.title,
             unknownErrorAlertDetails.message,
           );
         }
       }
     },
     [linkFID],
   );
 }
 
 export { useTryLinkFID };
diff --git a/services/identity/src/client_service.rs b/services/identity/src/client_service.rs
index 9045a5bcb..999cdb3b5 100644
--- a/services/identity/src/client_service.rs
+++ b/services/identity/src/client_service.rs
@@ -1,1223 +1,1227 @@
 // Standard library imports
 use std::str::FromStr;
 
 // External crate imports
 use comm_lib::aws::DynamoDBError;
 use comm_lib::shared::reserved_users::RESERVED_USERNAME_SET;
 use comm_opaque2::grpc::protocol_error_to_grpc_status;
 use rand::rngs::OsRng;
 use serde::{Deserialize, Serialize};
 use siwe::eip55;
 use tonic::Response;
 use tracing::{debug, error, info, warn};
 
 // Workspace crate imports
 use crate::config::CONFIG;
 use crate::constants::{error_types, tonic_status_messages};
 use crate::database::{
   DBDeviceTypeInt, DatabaseClient, DeviceType, KeyPayload
 };
 use crate::device_list::SignedDeviceList;
 use crate::error::{DeviceListError, Error as DBError};
 use crate::grpc_services::authenticated::DeletePasswordUserInfo;
 use crate::grpc_services::protos::unauth::{
   find_user_id_request, AddReservedUsernamesRequest, AuthResponse, Empty,
   ExistingDeviceLoginRequest, FindUserIdRequest, FindUserIdResponse,
   GenerateNonceResponse, OpaqueLoginFinishRequest, OpaqueLoginStartRequest,
   OpaqueLoginStartResponse, RegistrationFinishRequest, RegistrationStartRequest,
   RegistrationStartResponse, RemoveReservedUsernameRequest,
   ReservedRegistrationStartRequest, ReservedWalletRegistrationRequest,
   SecondaryDeviceKeysUploadRequest, VerifyUserAccessTokenRequest,
   VerifyUserAccessTokenResponse, WalletAuthRequest, GetFarcasterUsersRequest,
   GetFarcasterUsersResponse
 };
 use crate::grpc_services::shared::get_platform_metadata;
 use crate::grpc_utils::{
   DeviceKeyUploadActions, RegistrationActions, SignedNonce
 };
 use crate::nonce::generate_nonce_data;
 use crate::reserved_users::{
   validate_account_ownership_message_and_get_user_id,
   validate_add_reserved_usernames_message,
   validate_remove_reserved_username_message,
 };
 use crate::siwe::{
   is_valid_ethereum_address, parse_and_verify_siwe_message, SocialProof,
 };
 use crate::token::{AccessTokenData, AuthType};
 pub use crate::grpc_services::protos::unauth::identity_client_service_server::{
     IdentityClientService, IdentityClientServiceServer,
   };
 use crate::regex::is_valid_username;
 
 #[derive(Clone, Serialize, Deserialize)]
 pub enum WorkflowInProgress {
   Registration(Box<UserRegistrationInfo>),
   Login(Box<UserLoginInfo>),
   Update(UpdateState),
   PasswordUserDeletion(Box<DeletePasswordUserInfo>),
 }
 
 #[derive(Clone, Serialize, Deserialize)]
 pub struct UserRegistrationInfo {
   pub username: String,
   pub flattened_device_key_upload: FlattenedDeviceKeyUpload,
   pub user_id: Option<String>,
   pub farcaster_id: Option<String>,
   pub initial_device_list: Option<SignedDeviceList>,
 }
 
 #[derive(Clone, Serialize, Deserialize)]
 pub struct UserLoginInfo {
   pub user_id: String,
   pub username: String,
   pub flattened_device_key_upload: FlattenedDeviceKeyUpload,
   pub opaque_server_login: comm_opaque2::server::Login,
   pub device_to_remove: Option<String>,
 }
 
 #[derive(Clone, Serialize, Deserialize)]
 pub struct UpdateState {
   pub user_id: String,
 }
 
 #[derive(Clone, Serialize, Deserialize)]
 pub struct FlattenedDeviceKeyUpload {
   pub device_id_key: String,
   pub key_payload: String,
   pub key_payload_signature: String,
   pub content_prekey: String,
   pub content_prekey_signature: String,
   pub content_one_time_keys: Vec<String>,
   pub notif_prekey: String,
   pub notif_prekey_signature: String,
   pub notif_one_time_keys: Vec<String>,
   pub device_type: DeviceType,
 }
 
 #[derive(derive_more::Constructor)]
 pub struct ClientService {
   client: DatabaseClient,
 }
 
 #[tonic::async_trait]
 impl IdentityClientService for ClientService {
   #[tracing::instrument(skip_all)]
   async fn register_password_user_start(
     &self,
     request: tonic::Request<RegistrationStartRequest>,
   ) -> Result<tonic::Response<RegistrationStartResponse>, tonic::Status> {
     let message = request.into_inner();
     debug!("Received registration request for: {}", message.username);
 
     if !is_valid_username(&message.username)
       || is_valid_ethereum_address(&message.username)
     {
       return Err(tonic::Status::invalid_argument("invalid username"));
     }
 
     self.check_username_taken(&message.username).await?;
     let username_in_reserved_usernames_table = self
       .client
       .username_in_reserved_usernames_table(&message.username)
       .await
       .map_err(handle_db_error)?;
 
     if username_in_reserved_usernames_table {
       return Err(tonic::Status::already_exists(
         tonic_status_messages::USERNAME_ALREADY_EXISTS,
       ));
     }
 
     if RESERVED_USERNAME_SET.contains(&message.username) {
       return Err(tonic::Status::invalid_argument(
         tonic_status_messages::USERNAME_RESERVED,
       ));
     }
 
     if let Some(fid) = &message.farcaster_id {
       self.check_farcaster_id_taken(fid).await?;
     }
 
     let registration_state = construct_user_registration_info(
       &message,
       None,
       message.username.clone(),
       message.farcaster_id.clone(),
     )?;
     let server_registration = comm_opaque2::server::Registration::new();
     let server_message = server_registration
       .start(
         &CONFIG.server_setup,
         &message.opaque_registration_request,
         message.username.as_bytes(),
       )
       .map_err(protocol_error_to_grpc_status)?;
     let session_id = self
       .client
       .insert_workflow(WorkflowInProgress::Registration(Box::new(
         registration_state,
       )))
       .await
       .map_err(handle_db_error)?;
 
     let response = RegistrationStartResponse {
       session_id,
       opaque_registration_response: server_message,
     };
     Ok(Response::new(response))
   }
 
   #[tracing::instrument(skip_all)]
   async fn register_reserved_password_user_start(
     &self,
     request: tonic::Request<ReservedRegistrationStartRequest>,
   ) -> Result<tonic::Response<RegistrationStartResponse>, tonic::Status> {
     let message = request.into_inner();
     self.check_username_taken(&message.username).await?;
 
     if RESERVED_USERNAME_SET.contains(&message.username) {
       return Err(tonic::Status::invalid_argument(
         tonic_status_messages::USERNAME_RESERVED,
       ));
     }
 
     let username_in_reserved_usernames_table = self
       .client
       .username_in_reserved_usernames_table(&message.username)
       .await
       .map_err(handle_db_error)?;
     if !username_in_reserved_usernames_table {
       return Err(tonic::Status::permission_denied("username not reserved"));
     }
 
     let user_id = validate_account_ownership_message_and_get_user_id(
       &message.username,
       &message.keyserver_message,
       &message.keyserver_signature,
     )?;
 
     let registration_state = construct_user_registration_info(
       &message,
       Some(user_id),
       message.username.clone(),
       None,
     )?;
     let server_registration = comm_opaque2::server::Registration::new();
     let server_message = server_registration
       .start(
         &CONFIG.server_setup,
         &message.opaque_registration_request,
         message.username.as_bytes(),
       )
       .map_err(protocol_error_to_grpc_status)?;
 
     let session_id = self
       .client
       .insert_workflow(WorkflowInProgress::Registration(Box::new(
         registration_state,
       )))
       .await
       .map_err(handle_db_error)?;
 
     let response = RegistrationStartResponse {
       session_id,
       opaque_registration_response: server_message,
     };
     Ok(Response::new(response))
   }
 
   #[tracing::instrument(skip_all)]
   async fn register_password_user_finish(
     &self,
     request: tonic::Request<RegistrationFinishRequest>,
   ) -> Result<tonic::Response<AuthResponse>, tonic::Status> {
     let platform_metadata = get_platform_metadata(&request)?;
     let message = request.into_inner();
 
     if let Some(WorkflowInProgress::Registration(state)) = self
       .client
       .get_workflow(message.session_id)
       .await
       .map_err(handle_db_error)?
     {
       let server_registration = comm_opaque2::server::Registration::new();
       let password_file = server_registration
         .finish(&message.opaque_registration_upload)
         .map_err(protocol_error_to_grpc_status)?;
 
       let login_time = chrono::Utc::now();
       let device_id = state.flattened_device_key_upload.device_id_key.clone();
       let username = state.username.clone();
       let user_id = self
         .client
         .add_password_user_to_users_table(
           *state,
           password_file,
           platform_metadata,
           login_time,
         )
         .await
         .map_err(handle_db_error)?;
 
       // Create access token
       let token = AccessTokenData::with_created_time(
         user_id.clone(),
         device_id,
         login_time,
         crate::token::AuthType::Password,
         &mut OsRng,
       );
 
       let access_token = token.access_token.clone();
 
       self
         .client
         .put_access_token_data(token)
         .await
         .map_err(handle_db_error)?;
 
       let response = AuthResponse {
         user_id,
         access_token,
         username,
       };
       Ok(Response::new(response))
     } else {
-      Err(tonic::Status::not_found("session not found"))
+      Err(tonic::Status::not_found(
+        tonic_status_messages::SESSION_NOT_FOUND,
+      ))
     }
   }
 
   #[tracing::instrument(skip_all)]
   async fn log_in_password_user_start(
     &self,
     request: tonic::Request<OpaqueLoginStartRequest>,
   ) -> Result<tonic::Response<OpaqueLoginStartResponse>, tonic::Status> {
     let message = request.into_inner();
 
     debug!("Attempting to log in user: {:?}", &message.username);
     let user_id_and_password_file = self
       .client
       .get_user_id_and_password_file_from_username(&message.username)
       .await
       .map_err(handle_db_error)?;
 
     let (user_id, password_file_bytes) =
       if let Some(data) = user_id_and_password_file {
         data
       } else {
         // It's possible that the user attempting login is already registered
         // on Ashoat's keyserver. If they are, we should send back a gRPC status
         // code instructing them to get a signed message from Ashoat's keyserver
         // in order to claim their username and register with the Identity
         // service.
         let username_in_reserved_usernames_table = self
           .client
           .username_in_reserved_usernames_table(&message.username)
           .await
           .map_err(handle_db_error)?;
 
         if username_in_reserved_usernames_table {
           return Err(tonic::Status::permission_denied(
             "need keyserver message to claim username",
           ));
         }
 
         return Err(tonic::Status::not_found(
           tonic_status_messages::USER_NOT_FOUND,
         ));
       };
 
     let flattened_device_key_upload =
       construct_flattened_device_key_upload(&message)?;
 
     let maybe_device_to_remove = self
       .get_keyserver_device_to_remove(
         &user_id,
         &flattened_device_key_upload.device_id_key,
         message.force.unwrap_or(false),
         &flattened_device_key_upload.device_type,
       )
       .await?;
 
     let mut server_login = comm_opaque2::server::Login::new();
     let server_response = server_login
       .start(
         &CONFIG.server_setup,
         &password_file_bytes,
         &message.opaque_login_request,
         message.username.as_bytes(),
       )
       .map_err(protocol_error_to_grpc_status)?;
 
     let login_state = construct_user_login_info(
       user_id,
       message.username,
       server_login,
       flattened_device_key_upload,
       maybe_device_to_remove,
     )?;
 
     let session_id = self
       .client
       .insert_workflow(WorkflowInProgress::Login(Box::new(login_state)))
       .await
       .map_err(handle_db_error)?;
 
     let response = Response::new(OpaqueLoginStartResponse {
       session_id,
       opaque_login_response: server_response,
     });
     Ok(response)
   }
 
   #[tracing::instrument(skip_all)]
   async fn log_in_password_user_finish(
     &self,
     request: tonic::Request<OpaqueLoginFinishRequest>,
   ) -> Result<tonic::Response<AuthResponse>, tonic::Status> {
     let platform_metadata = get_platform_metadata(&request)?;
     let message = request.into_inner();
 
     if let Some(WorkflowInProgress::Login(state)) = self
       .client
       .get_workflow(message.session_id)
       .await
       .map_err(handle_db_error)?
     {
       let mut server_login = state.opaque_server_login.clone();
       server_login
         .finish(&message.opaque_login_upload)
         .map_err(protocol_error_to_grpc_status)?;
 
       if let Some(device_to_remove) = state.device_to_remove {
         self
           .client
           .remove_device(state.user_id.clone(), device_to_remove)
           .await
           .map_err(handle_db_error)?;
       }
 
       let login_time = chrono::Utc::now();
       self
         .client
         .add_user_device(
           state.user_id.clone(),
           state.flattened_device_key_upload.clone(),
           platform_metadata,
           login_time,
         )
         .await
         .map_err(handle_db_error)?;
 
       // Create access token
       let token = AccessTokenData::with_created_time(
         state.user_id.clone(),
         state.flattened_device_key_upload.device_id_key,
         login_time,
         crate::token::AuthType::Password,
         &mut OsRng,
       );
 
       let access_token = token.access_token.clone();
 
       self
         .client
         .put_access_token_data(token)
         .await
         .map_err(handle_db_error)?;
 
       let response = AuthResponse {
         user_id: state.user_id,
         access_token,
         username: state.username,
       };
       Ok(Response::new(response))
     } else {
-      Err(tonic::Status::not_found("session not found"))
+      Err(tonic::Status::not_found(
+        tonic_status_messages::SESSION_NOT_FOUND,
+      ))
     }
   }
 
   #[tracing::instrument(skip_all)]
   async fn log_in_wallet_user(
     &self,
     request: tonic::Request<WalletAuthRequest>,
   ) -> Result<tonic::Response<AuthResponse>, tonic::Status> {
     let platform_metadata = get_platform_metadata(&request)?;
     let message = request.into_inner();
 
     // WalletAuthRequest is used for both log_in_wallet_user and register_wallet_user
     if !message.initial_device_list.is_empty() {
       return Err(tonic::Status::invalid_argument(
         "unexpected initial device list",
       ));
     }
 
     let parsed_message = parse_and_verify_siwe_message(
       &message.siwe_message,
       &message.siwe_signature,
     )?;
 
     self.verify_and_remove_nonce(&parsed_message.nonce).await?;
 
     let wallet_address = eip55(&parsed_message.address);
 
     let flattened_device_key_upload =
       construct_flattened_device_key_upload(&message)?;
 
     let login_time = chrono::Utc::now();
     let Some(user_id) = self
       .client
       .get_user_id_from_user_info(wallet_address.clone(), &AuthType::Wallet)
       .await
       .map_err(handle_db_error)?
     else {
       // It's possible that the user attempting login is already registered
       // on Ashoat's keyserver. If they are, we should send back a gRPC status
       // code instructing them to get a signed message from Ashoat's keyserver
       // in order to claim their wallet address and register with the Identity
       // service.
       let username_in_reserved_usernames_table = self
         .client
         .username_in_reserved_usernames_table(&wallet_address)
         .await
         .map_err(handle_db_error)?;
 
       if username_in_reserved_usernames_table {
         return Err(tonic::Status::permission_denied(
           "need keyserver message to claim username",
         ));
       }
 
       return Err(tonic::Status::not_found(
         tonic_status_messages::USER_NOT_FOUND,
       ));
     };
 
     self
       .client
       .add_user_device(
         user_id.clone(),
         flattened_device_key_upload.clone(),
         platform_metadata,
         chrono::Utc::now(),
       )
       .await
       .map_err(handle_db_error)?;
 
     // Create access token
     let token = AccessTokenData::with_created_time(
       user_id.clone(),
       flattened_device_key_upload.device_id_key,
       login_time,
       crate::token::AuthType::Wallet,
       &mut OsRng,
     );
 
     let access_token = token.access_token.clone();
 
     self
       .client
       .put_access_token_data(token)
       .await
       .map_err(handle_db_error)?;
 
     let response = AuthResponse {
       user_id,
       access_token,
       username: wallet_address,
     };
     Ok(Response::new(response))
   }
 
   #[tracing::instrument(skip_all)]
   async fn register_wallet_user(
     &self,
     request: tonic::Request<WalletAuthRequest>,
   ) -> Result<tonic::Response<AuthResponse>, tonic::Status> {
     let platform_metadata = get_platform_metadata(&request)?;
     let message = request.into_inner();
 
     let parsed_message = parse_and_verify_siwe_message(
       &message.siwe_message,
       &message.siwe_signature,
     )?;
 
     match self
       .client
       .get_nonce_from_nonces_table(&parsed_message.nonce)
       .await
       .map_err(handle_db_error)?
     {
       None => {
         return Err(tonic::Status::invalid_argument(
           tonic_status_messages::INVALID_NONCE,
         ))
       }
       Some(nonce) if nonce.is_expired() => {
         // we don't need to remove the nonce from the table here
         // because the DynamoDB TTL will take care of it
         return Err(tonic::Status::aborted(
           tonic_status_messages::NONCE_EXPIRED,
         ));
       }
       Some(_) => self
         .client
         .remove_nonce_from_nonces_table(&parsed_message.nonce)
         .await
         .map_err(handle_db_error)?,
     };
 
     let wallet_address = eip55(&parsed_message.address);
 
     self.check_wallet_address_taken(&wallet_address).await?;
     let username_in_reserved_usernames_table = self
       .client
       .username_in_reserved_usernames_table(&wallet_address)
       .await
       .map_err(handle_db_error)?;
 
     if username_in_reserved_usernames_table {
       return Err(tonic::Status::already_exists(
         tonic_status_messages::WALLET_ADDRESS_TAKEN,
       ));
     }
 
     if let Some(fid) = &message.farcaster_id {
       self.check_farcaster_id_taken(fid).await?;
     }
 
     let flattened_device_key_upload =
       construct_flattened_device_key_upload(&message)?;
 
     let login_time = chrono::Utc::now();
 
     let initial_device_list = message.get_and_verify_initial_device_list()?;
     let social_proof =
       SocialProof::new(message.siwe_message, message.siwe_signature);
 
     let user_id = self
       .client
       .add_wallet_user_to_users_table(
         flattened_device_key_upload.clone(),
         wallet_address.clone(),
         social_proof,
         None,
         platform_metadata,
         login_time,
         message.farcaster_id,
         initial_device_list,
       )
       .await
       .map_err(handle_db_error)?;
 
     // Create access token
     let token = AccessTokenData::with_created_time(
       user_id.clone(),
       flattened_device_key_upload.device_id_key,
       login_time,
       crate::token::AuthType::Wallet,
       &mut OsRng,
     );
 
     let access_token = token.access_token.clone();
 
     self
       .client
       .put_access_token_data(token)
       .await
       .map_err(handle_db_error)?;
 
     let response = AuthResponse {
       user_id,
       access_token,
       username: wallet_address,
     };
     Ok(Response::new(response))
   }
 
   #[tracing::instrument(skip_all)]
   async fn register_reserved_wallet_user(
     &self,
     request: tonic::Request<ReservedWalletRegistrationRequest>,
   ) -> Result<tonic::Response<AuthResponse>, tonic::Status> {
     let platform_metadata = get_platform_metadata(&request)?;
     let message = request.into_inner();
 
     let parsed_message = parse_and_verify_siwe_message(
       &message.siwe_message,
       &message.siwe_signature,
     )?;
 
     self.verify_and_remove_nonce(&parsed_message.nonce).await?;
 
     let wallet_address = eip55(&parsed_message.address);
 
     self.check_wallet_address_taken(&wallet_address).await?;
 
     let wallet_address_in_reserved_usernames_table = self
       .client
       .username_in_reserved_usernames_table(&wallet_address)
       .await
       .map_err(handle_db_error)?;
     if !wallet_address_in_reserved_usernames_table {
       return Err(tonic::Status::permission_denied(
         tonic_status_messages::WALLET_ADDRESS_NOT_RESERVED,
       ));
     }
 
     let user_id = validate_account_ownership_message_and_get_user_id(
       &wallet_address,
       &message.keyserver_message,
       &message.keyserver_signature,
     )?;
 
     let flattened_device_key_upload =
       construct_flattened_device_key_upload(&message)?;
 
     let initial_device_list = message.get_and_verify_initial_device_list()?;
     let social_proof =
       SocialProof::new(message.siwe_message, message.siwe_signature);
 
     let login_time = chrono::Utc::now();
     self
       .client
       .add_wallet_user_to_users_table(
         flattened_device_key_upload.clone(),
         wallet_address.clone(),
         social_proof,
         Some(user_id.clone()),
         platform_metadata,
         login_time,
         None,
         initial_device_list,
       )
       .await
       .map_err(handle_db_error)?;
 
     let token = AccessTokenData::with_created_time(
       user_id.clone(),
       flattened_device_key_upload.device_id_key,
       login_time,
       crate::token::AuthType::Wallet,
       &mut OsRng,
     );
 
     let access_token = token.access_token.clone();
 
     self
       .client
       .put_access_token_data(token)
       .await
       .map_err(handle_db_error)?;
 
     let response = AuthResponse {
       user_id,
       access_token,
       username: wallet_address,
     };
 
     Ok(Response::new(response))
   }
 
   #[tracing::instrument(skip_all)]
   async fn upload_keys_for_registered_device_and_log_in(
     &self,
     request: tonic::Request<SecondaryDeviceKeysUploadRequest>,
   ) -> Result<tonic::Response<AuthResponse>, tonic::Status> {
     let platform_metadata = get_platform_metadata(&request)?;
     let message = request.into_inner();
 
     let challenge_response = SignedNonce::try_from(&message)?;
     let flattened_device_key_upload =
       construct_flattened_device_key_upload(&message)?;
 
     let user_id = message.user_id;
     let device_id = flattened_device_key_upload.device_id_key.clone();
 
     let nonce = challenge_response.verify_and_get_nonce(&device_id)?;
     self.verify_and_remove_nonce(&nonce).await?;
 
     let user_identity = self
       .client
       .get_user_identity(&user_id)
       .await
       .map_err(handle_db_error)?
       .ok_or_else(|| {
         tonic::Status::not_found(tonic_status_messages::USER_NOT_FOUND)
       })?;
 
     let Some(device_list) = self
       .client
       .get_current_device_list(&user_id)
       .await
       .map_err(handle_db_error)?
     else {
       warn!("User {} does not have valid device list. Secondary device auth impossible.", user_id);
       return Err(tonic::Status::aborted("device list error"));
     };
 
     if !device_list.device_ids.contains(&device_id) {
       return Err(tonic::Status::permission_denied(
         "device not in device list",
       ));
     }
 
     let login_time = chrono::Utc::now();
     let identifier = user_identity.identifier;
     let username = identifier.username().to_string();
     let token = AccessTokenData::with_created_time(
       user_id.clone(),
       device_id,
       login_time,
       identifier.into(),
       &mut OsRng,
     );
     let access_token = token.access_token.clone();
     self
       .client
       .put_access_token_data(token)
       .await
       .map_err(handle_db_error)?;
 
     self
       .client
       .put_device_data(
         &user_id,
         flattened_device_key_upload,
         platform_metadata,
         login_time,
       )
       .await
       .map_err(handle_db_error)?;
 
     let response = AuthResponse {
       user_id,
       access_token,
       username,
     };
     Ok(Response::new(response))
   }
 
   #[tracing::instrument(skip_all)]
   async fn log_in_existing_device(
     &self,
     request: tonic::Request<ExistingDeviceLoginRequest>,
   ) -> std::result::Result<tonic::Response<AuthResponse>, tonic::Status> {
     let message = request.into_inner();
     let challenge_response = SignedNonce::try_from(&message)?;
     let ExistingDeviceLoginRequest {
       user_id, device_id, ..
     } = message;
 
     let nonce = challenge_response.verify_and_get_nonce(&device_id)?;
     self.verify_and_remove_nonce(&nonce).await?;
 
     let (identity_response, device_list_response) = tokio::join!(
       self.client.get_user_identity(&user_id),
       self.client.get_current_device_list(&user_id)
     );
     let user_identity =
       identity_response.map_err(handle_db_error)?.ok_or_else(|| {
         tonic::Status::not_found(tonic_status_messages::USER_NOT_FOUND)
       })?;
 
     let device_list = device_list_response
       .map_err(handle_db_error)?
       .ok_or_else(|| {
         warn!("User {} does not have a valid device list.", user_id);
         tonic::Status::aborted("device list error")
       })?;
 
     if !device_list.device_ids.contains(&device_id) {
       return Err(tonic::Status::permission_denied(
         "device not in device list",
       ));
     }
 
     let login_time = chrono::Utc::now();
     let identifier = user_identity.identifier;
     let username = identifier.username().to_string();
     let token = AccessTokenData::with_created_time(
       user_id.clone(),
       device_id,
       login_time,
       identifier.into(),
       &mut OsRng,
     );
     let access_token = token.access_token.clone();
     self
       .client
       .put_access_token_data(token)
       .await
       .map_err(handle_db_error)?;
 
     let response = AuthResponse {
       user_id,
       access_token,
       username,
     };
     Ok(Response::new(response))
   }
 
   #[tracing::instrument(skip_all)]
   async fn generate_nonce(
     &self,
     _request: tonic::Request<Empty>,
   ) -> Result<tonic::Response<GenerateNonceResponse>, tonic::Status> {
     let nonce_data = generate_nonce_data(&mut OsRng);
     match self
       .client
       .add_nonce_to_nonces_table(nonce_data.clone())
       .await
     {
       Ok(_) => Ok(Response::new(GenerateNonceResponse {
         nonce: nonce_data.nonce,
       })),
       Err(e) => Err(handle_db_error(e)),
     }
   }
 
   #[tracing::instrument(skip_all)]
   async fn verify_user_access_token(
     &self,
     request: tonic::Request<VerifyUserAccessTokenRequest>,
   ) -> Result<tonic::Response<VerifyUserAccessTokenResponse>, tonic::Status> {
     let message = request.into_inner();
     debug!("Verifying device: {}", &message.device_id);
 
     let token_valid = self
       .client
       .verify_access_token(
         message.user_id,
         message.device_id.clone(),
         message.access_token,
       )
       .await
       .map_err(handle_db_error)?;
 
     let response = Response::new(VerifyUserAccessTokenResponse { token_valid });
     debug!(
       "device {} was verified: {}",
       &message.device_id, token_valid
     );
     Ok(response)
   }
 
   #[tracing::instrument(skip_all)]
   async fn add_reserved_usernames(
     &self,
     request: tonic::Request<AddReservedUsernamesRequest>,
   ) -> Result<tonic::Response<Empty>, tonic::Status> {
     let message = request.into_inner();
 
     let user_details = validate_add_reserved_usernames_message(
       &message.message,
       &message.signature,
     )?;
 
     let filtered_user_details = self
       .client
       .filter_out_taken_usernames(user_details)
       .await
       .map_err(handle_db_error)?;
 
     self
       .client
       .add_usernames_to_reserved_usernames_table(filtered_user_details)
       .await
       .map_err(handle_db_error)?;
 
     let response = Response::new(Empty {});
     Ok(response)
   }
 
   #[tracing::instrument(skip_all)]
   async fn remove_reserved_username(
     &self,
     request: tonic::Request<RemoveReservedUsernameRequest>,
   ) -> Result<tonic::Response<Empty>, tonic::Status> {
     let message = request.into_inner();
 
     let username = validate_remove_reserved_username_message(
       &message.message,
       &message.signature,
     )?;
 
     self
       .client
       .delete_username_from_reserved_usernames_table(username)
       .await
       .map_err(handle_db_error)?;
 
     let response = Response::new(Empty {});
     Ok(response)
   }
 
   #[tracing::instrument(skip_all)]
   async fn ping(
     &self,
     _request: tonic::Request<Empty>,
   ) -> Result<Response<Empty>, tonic::Status> {
     let response = Response::new(Empty {});
     Ok(response)
   }
 
   #[tracing::instrument(skip_all)]
   async fn find_user_id(
     &self,
     request: tonic::Request<FindUserIdRequest>,
   ) -> Result<tonic::Response<FindUserIdResponse>, tonic::Status> {
     let message = request.into_inner();
 
     use find_user_id_request::Identifier;
     let (user_ident, auth_type) = match message.identifier {
       None => {
         return Err(tonic::Status::invalid_argument("no identifier provided"))
       }
       Some(Identifier::Username(username)) => (username, AuthType::Password),
       Some(Identifier::WalletAddress(address)) => (address, AuthType::Wallet),
     };
 
     let (is_reserved_result, user_id_result) = tokio::join!(
       self
         .client
         .username_in_reserved_usernames_table(&user_ident),
       self
         .client
         .get_user_id_from_user_info(user_ident.clone(), &auth_type),
     );
     let is_reserved = is_reserved_result.map_err(handle_db_error)?;
     let user_id = user_id_result.map_err(handle_db_error)?;
 
     Ok(Response::new(FindUserIdResponse {
       user_id,
       is_reserved,
     }))
   }
 
   #[tracing::instrument(skip_all)]
   async fn get_farcaster_users(
     &self,
     request: tonic::Request<GetFarcasterUsersRequest>,
   ) -> Result<tonic::Response<GetFarcasterUsersResponse>, tonic::Status> {
     let message = request.into_inner();
 
     let farcaster_users = self
       .client
       .get_farcaster_users(message.farcaster_ids)
       .await
       .map_err(handle_db_error)?
       .into_iter()
       .map(|d| d.0)
       .collect();
 
     Ok(Response::new(GetFarcasterUsersResponse { farcaster_users }))
   }
 }
 
 impl ClientService {
   async fn check_username_taken(
     &self,
     username: &str,
   ) -> Result<(), tonic::Status> {
     let username_taken = self
       .client
       .username_taken(username.to_string())
       .await
       .map_err(handle_db_error)?;
     if username_taken {
       return Err(tonic::Status::already_exists(
         tonic_status_messages::USERNAME_ALREADY_EXISTS,
       ));
     }
     Ok(())
   }
 
   async fn check_wallet_address_taken(
     &self,
     wallet_address: &str,
   ) -> Result<(), tonic::Status> {
     let wallet_address_taken = self
       .client
       .wallet_address_taken(wallet_address.to_string())
       .await
       .map_err(handle_db_error)?;
     if wallet_address_taken {
       return Err(tonic::Status::already_exists(
         tonic_status_messages::WALLET_ADDRESS_TAKEN,
       ));
     }
     Ok(())
   }
 
   async fn check_farcaster_id_taken(
     &self,
     farcaster_id: &str,
   ) -> Result<(), tonic::Status> {
     let fid_already_registered = !self
       .client
       .get_farcaster_users(vec![farcaster_id.to_string()])
       .await
       .map_err(handle_db_error)?
       .is_empty();
     if fid_already_registered {
       return Err(tonic::Status::already_exists(
-        "farcaster ID already associated with different user",
+        tonic_status_messages::FID_TAKEN,
       ));
     }
     Ok(())
   }
 
   async fn verify_and_remove_nonce(
     &self,
     nonce: &str,
   ) -> Result<(), tonic::Status> {
     match self
       .client
       .get_nonce_from_nonces_table(nonce)
       .await
       .map_err(handle_db_error)?
     {
       None => {
         return Err(tonic::Status::invalid_argument(
           tonic_status_messages::INVALID_NONCE,
         ))
       }
       Some(nonce) if nonce.is_expired() => {
         // we don't need to remove the nonce from the table here
         // because the DynamoDB TTL will take care of it
         return Err(tonic::Status::aborted(
           tonic_status_messages::NONCE_EXPIRED,
         ));
       }
       Some(nonce_data) => self
         .client
         .remove_nonce_from_nonces_table(&nonce_data.nonce)
         .await
         .map_err(handle_db_error)?,
     };
     Ok(())
   }
 
   async fn get_keyserver_device_to_remove(
     &self,
     user_id: &str,
     new_keyserver_device_id: &str,
     force: bool,
     device_type: &DeviceType,
   ) -> Result<Option<String>, tonic::Status> {
     if device_type != &DeviceType::Keyserver {
       return Ok(None);
     }
 
     let maybe_keyserver_device_id = self
       .client
       .get_keyserver_device_id_for_user(user_id)
       .await
       .map_err(handle_db_error)?;
 
     let Some(existing_keyserver_device_id) = maybe_keyserver_device_id else {
       return Ok(None);
     };
 
     if new_keyserver_device_id == existing_keyserver_device_id {
       return Ok(None);
     }
 
     if force {
       info!(
         "keyserver {} will be removed from the device list",
         existing_keyserver_device_id
       );
       Ok(Some(existing_keyserver_device_id))
     } else {
       Err(tonic::Status::already_exists(
         "user already has a keyserver",
       ))
     }
   }
 }
 
 #[tracing::instrument(skip_all)]
 pub fn handle_db_error(db_error: DBError) -> tonic::Status {
   match db_error {
     DBError::AwsSdk(DynamoDBError::InternalServerError(_))
     | DBError::AwsSdk(DynamoDBError::ProvisionedThroughputExceededException(
       _,
     ))
     | DBError::AwsSdk(DynamoDBError::RequestLimitExceeded(_)) => {
       tonic::Status::unavailable("please retry")
     }
     DBError::DeviceList(DeviceListError::InvalidDeviceListUpdate) => {
       tonic::Status::invalid_argument("invalid device list update")
     }
     DBError::DeviceList(DeviceListError::InvalidSignature) => {
       tonic::Status::invalid_argument("invalid device list signature")
     }
     e => {
       error!(
         errorType = error_types::GENERIC_DB_LOG,
         "Encountered an unexpected error: {}", e
       );
       tonic::Status::failed_precondition("unexpected error")
     }
   }
 }
 
 fn construct_user_registration_info(
   message: &(impl DeviceKeyUploadActions + RegistrationActions),
   user_id: Option<String>,
   username: String,
   farcaster_id: Option<String>,
 ) -> Result<UserRegistrationInfo, tonic::Status> {
   Ok(UserRegistrationInfo {
     username,
     flattened_device_key_upload: construct_flattened_device_key_upload(
       message,
     )?,
     user_id,
     farcaster_id,
     initial_device_list: message.get_and_verify_initial_device_list()?,
   })
 }
 
 fn construct_user_login_info(
   user_id: String,
   username: String,
   opaque_server_login: comm_opaque2::server::Login,
   flattened_device_key_upload: FlattenedDeviceKeyUpload,
   device_to_remove: Option<String>,
 ) -> Result<UserLoginInfo, tonic::Status> {
   Ok(UserLoginInfo {
     user_id,
     username,
     flattened_device_key_upload,
     opaque_server_login,
     device_to_remove,
   })
 }
 
 fn construct_flattened_device_key_upload(
   message: &impl DeviceKeyUploadActions,
 ) -> Result<FlattenedDeviceKeyUpload, tonic::Status> {
   let key_info = KeyPayload::from_str(&message.payload()?).map_err(|_| {
     tonic::Status::invalid_argument(tonic_status_messages::MALFORMED_PAYLOAD)
   })?;
 
   let flattened_device_key_upload = FlattenedDeviceKeyUpload {
     device_id_key: key_info.primary_identity_public_keys.ed25519,
     key_payload: message.payload()?,
     key_payload_signature: message.payload_signature()?,
     content_prekey: message.content_prekey()?,
     content_prekey_signature: message.content_prekey_signature()?,
     content_one_time_keys: message.one_time_content_prekeys()?,
     notif_prekey: message.notif_prekey()?,
     notif_prekey_signature: message.notif_prekey_signature()?,
     notif_one_time_keys: message.one_time_notif_prekeys()?,
     device_type: DeviceType::try_from(DBDeviceTypeInt(message.device_type()?))
       .map_err(handle_db_error)?,
   };
 
   Ok(flattened_device_key_upload)
 }
diff --git a/services/identity/src/constants.rs b/services/identity/src/constants.rs
index 82d81d12e..6d0df9e13 100644
--- a/services/identity/src/constants.rs
+++ b/services/identity/src/constants.rs
@@ -1,312 +1,319 @@
 use tokio::time::Duration;
 
 // Secrets
 
 pub const SECRETS_DIRECTORY: &str = "secrets";
 pub const SECRETS_SETUP_FILE: &str = "server_setup.txt";
 
 // DynamoDB
 
 // User table information, supporting opaque_ke 2.0 and X3DH information
 
 // Users can sign in either through username+password or Eth wallet.
 //
 // This structure should be aligned with the messages defined in
 // shared/protos/identity_unauthenticated.proto
 //
 // Structure for a user should be:
 // {
 //   userID: String,
 //   opaqueRegistrationData: Option<String>,
 //   username: Option<String>,
 //   walletAddress: Option<String>,
 //   devices: HashMap<String, Device>
 // }
 //
 // A device is defined as:
 // {
 //     deviceType: String, # client or keyserver
 //     keyPayload: String,
 //     keyPayloadSignature: String,
 //     identityPreKey: String,
 //     identityPreKeySignature: String,
 //     identityOneTimeKeys: Vec<String>,
 //     notifPreKey: String,
 //     notifPreKeySignature: String,
 //     notifOneTimeKeys: Vec<String>,
 //     socialProof: Option<String>
 //   }
 // }
 //
 // Additional context:
 // "devices" uses the signing public identity key of the device as a key for the devices map
 // "keyPayload" is a JSON encoded string containing identity and notif keys (both signature and verification)
 // if "deviceType" == "keyserver", then the device will not have any notif key information
 
 pub const USERS_TABLE: &str = "identity-users";
 pub const USERS_TABLE_PARTITION_KEY: &str = "userID";
 pub const USERS_TABLE_REGISTRATION_ATTRIBUTE: &str = "opaqueRegistrationData";
 pub const USERS_TABLE_USERNAME_ATTRIBUTE: &str = "username";
 pub const USERS_TABLE_DEVICES_MAP_DEVICE_TYPE_ATTRIBUTE_NAME: &str =
   "deviceType";
 pub const USERS_TABLE_WALLET_ADDRESS_ATTRIBUTE: &str = "walletAddress";
 pub const USERS_TABLE_SOCIAL_PROOF_ATTRIBUTE_NAME: &str = "socialProof";
 pub const USERS_TABLE_DEVICELIST_TIMESTAMP_ATTRIBUTE_NAME: &str =
   "deviceListTimestamp";
 pub const USERS_TABLE_FARCASTER_ID_ATTRIBUTE_NAME: &str = "farcasterID";
 pub const USERS_TABLE_USERNAME_INDEX: &str = "username-index";
 pub const USERS_TABLE_WALLET_ADDRESS_INDEX: &str = "walletAddress-index";
 pub const USERS_TABLE_FARCASTER_ID_INDEX: &str = "farcasterID-index";
 
 pub mod token_table {
   pub const NAME: &str = "identity-tokens";
   pub const PARTITION_KEY: &str = "userID";
   pub const SORT_KEY: &str = "signingPublicKey";
   pub const ATTR_CREATED: &str = "created";
   pub const ATTR_AUTH_TYPE: &str = "authType";
   pub const ATTR_VALID: &str = "valid";
   pub const ATTR_TOKEN: &str = "token";
 }
 
 pub const NONCE_TABLE: &str = "identity-nonces";
 pub const NONCE_TABLE_PARTITION_KEY: &str = "nonce";
 pub const NONCE_TABLE_CREATED_ATTRIBUTE: &str = "created";
 pub const NONCE_TABLE_EXPIRATION_TIME_ATTRIBUTE: &str = "expirationTime";
 pub const NONCE_TABLE_EXPIRATION_TIME_UNIX_ATTRIBUTE: &str =
   "expirationTimeUnix";
 
 pub const WORKFLOWS_IN_PROGRESS_TABLE: &str = "identity-workflows-in-progress";
 pub const WORKFLOWS_IN_PROGRESS_PARTITION_KEY: &str = "id";
 pub const WORKFLOWS_IN_PROGRESS_WORKFLOW_ATTRIBUTE: &str = "workflow";
 pub const WORKFLOWS_IN_PROGRESS_TABLE_EXPIRATION_TIME_UNIX_ATTRIBUTE: &str =
   "expirationTimeUnix";
 
 // Usernames reserved because they exist in Ashoat's keyserver already
 pub const RESERVED_USERNAMES_TABLE: &str = "identity-reserved-usernames";
 pub const RESERVED_USERNAMES_TABLE_PARTITION_KEY: &str = "username";
 pub const RESERVED_USERNAMES_TABLE_USER_ID_ATTRIBUTE: &str = "userID";
 
 // Users table social proof attribute
 pub const SOCIAL_PROOF_MESSAGE_ATTRIBUTE: &str = "siweMessage";
 pub const SOCIAL_PROOF_SIGNATURE_ATTRIBUTE: &str = "siweSignature";
 
 pub mod devices_table {
   /// table name
   pub const NAME: &str = "identity-devices";
   pub const TIMESTAMP_INDEX_NAME: &str = "deviceList-timestamp-index";
   pub const DEVICE_ID_INDEX_NAME: &str = "deviceID-index";
 
   /// partition key
   pub const ATTR_USER_ID: &str = "userID";
   /// sort key
   pub const ATTR_ITEM_ID: &str = "itemID";
 
   // itemID prefixes (one shouldn't be a prefix of the other)
   pub const DEVICE_ITEM_KEY_PREFIX: &str = "device-";
   pub const DEVICE_LIST_KEY_PREFIX: &str = "devicelist-";
 
   // device-specific attrs
   pub const ATTR_DEVICE_KEY_INFO: &str = "deviceKeyInfo";
   pub const ATTR_CONTENT_PREKEY: &str = "contentPreKey";
   pub const ATTR_NOTIF_PREKEY: &str = "notifPreKey";
   pub const ATTR_PLATFORM_DETAILS: &str = "platformDetails";
   pub const ATTR_LOGIN_TIME: &str = "loginTime";
 
   // IdentityKeyInfo constants
   pub const ATTR_KEY_PAYLOAD: &str = "keyPayload";
   pub const ATTR_KEY_PAYLOAD_SIGNATURE: &str = "keyPayloadSignature";
 
   // PreKey constants
   pub const ATTR_PREKEY: &str = "preKey";
   pub const ATTR_PREKEY_SIGNATURE: &str = "preKeySignature";
 
   // PlatformDetails constants
   pub const ATTR_DEVICE_TYPE: &str = "deviceType";
   pub const ATTR_CODE_VERSION: &str = "codeVersion";
   pub const ATTR_STATE_VERSION: &str = "stateVersion";
   pub const ATTR_MAJOR_DESKTOP_VERSION: &str = "majorDesktopVersion";
 
   // device-list-specific attrs
   pub const ATTR_TIMESTAMP: &str = "timestamp";
   pub const ATTR_DEVICE_IDS: &str = "deviceIDs";
   pub const ATTR_CURRENT_SIGNATURE: &str = "curPrimarySignature";
   pub const ATTR_LAST_SIGNATURE: &str = "lastPrimarySignature";
 
   // one-time key constants
   pub const ATTR_CONTENT_OTK_COUNT: &str = "contentOTKCount";
   pub const ATTR_NOTIF_OTK_COUNT: &str = "notifOTKCount";
 
   // deprecated attributes
   pub const OLD_ATTR_DEVICE_TYPE: &str = "deviceType";
   pub const OLD_ATTR_CODE_VERSION: &str = "codeVersion";
 }
 
 // One time keys table, which need to exist in their own table to ensure
 // atomicity of additions and removals
 pub mod one_time_keys_table {
   pub const NAME: &str = "identity-one-time-keys";
   pub const PARTITION_KEY: &str = "userID#deviceID#olmAccount";
   pub const SORT_KEY: &str = "timestamp#keyNumber";
   pub const ATTR_ONE_TIME_KEY: &str = "oneTimeKey";
 }
 
 // Tokio
 
 pub const MPSC_CHANNEL_BUFFER_CAPACITY: usize = 1;
 pub const IDENTITY_SERVICE_SOCKET_ADDR: &str = "[::]:50054";
 pub const IDENTITY_SERVICE_WEBSOCKET_ADDR: &str = "[::]:51004";
 
 pub const SOCKET_HEARTBEAT_TIMEOUT: Duration = Duration::from_secs(3);
 
 // Token
 
 pub const ACCESS_TOKEN_LENGTH: usize = 512;
 
 // Temporary config
 
 pub const AUTH_TOKEN: &str = "COMM_IDENTITY_SERVICE_AUTH_TOKEN";
 pub const KEYSERVER_PUBLIC_KEY: &str = "KEYSERVER_PUBLIC_KEY";
 
 // Nonce
 
 pub const NONCE_LENGTH: usize = 17;
 pub const NONCE_TTL_DURATION: Duration = Duration::from_secs(120); // seconds
 
 // Device list
 
 pub const DEVICE_LIST_TIMESTAMP_VALID_FOR: Duration = Duration::from_secs(300);
 
 // Workflows in progress
 
 pub const WORKFLOWS_IN_PROGRESS_TTL_DURATION: Duration =
   Duration::from_secs(120);
 
 // Identity
 
 pub const DEFAULT_IDENTITY_ENDPOINT: &str = "http://localhost:50054";
 
 // LocalStack
 
 pub const LOCALSTACK_ENDPOINT: &str = "LOCALSTACK_ENDPOINT";
 
 // OPAQUE Server Setup
 
 pub const OPAQUE_SERVER_SETUP: &str = "OPAQUE_SERVER_SETUP";
 
 // Identity Search
 
 pub const OPENSEARCH_ENDPOINT: &str = "OPENSEARCH_ENDPOINT";
 pub const DEFAULT_OPENSEARCH_ENDPOINT: &str =
   "identity-search-domain.us-east-2.opensearch.localhost.localstack.cloud:4566";
 pub const IDENTITY_SEARCH_INDEX: &str = "users";
 pub const IDENTITY_SEARCH_RESULT_SIZE: u32 = 20;
 
 // Log Error Types
 
 pub mod error_types {
   pub const GENERIC_DB_LOG: &str = "DB Error";
   pub const OTK_DB_LOG: &str = "One-time Key DB Error";
   pub const DEVICE_LIST_DB_LOG: &str = "Device List DB Error";
   pub const TOKEN_DB_LOG: &str = "Token DB Error";
   pub const FARCASTER_DB_LOG: &str = "Farcaster DB Error";
 
   pub const SYNC_LOG: &str = "Sync Error";
   pub const SEARCH_LOG: &str = "Search Error";
   pub const SIWE_LOG: &str = "SIWE Error";
   pub const GRPC_SERVICES_LOG: &str = "gRPC Services Error";
   pub const TUNNELBROKER_LOG: &str = "Tunnelbroker Error";
   pub const HTTP_LOG: &str = "HTTP Error";
 }
 
 // Tonic Status Messages
 pub mod tonic_status_messages {
   pub const UNEXPECTED_MESSAGE_DATA: &str = "unexpected_message_data";
   pub const SIGNATURE_INVALID: &str = "signature_invalid";
   pub const MALFORMED_KEY: &str = "malformed_key";
   pub const VERIFICATION_FAILED: &str = "verification_failed";
   pub const MALFORMED_PAYLOAD: &str = "malformed_payload";
   pub const INVALID_DEVICE_LIST_PAYLOAD: &str = "invalid_device_list_payload";
   pub const USERNAME_ALREADY_EXISTS: &str = "username_already_exists";
   pub const USERNAME_RESERVED: &str = "username_reserved";
   pub const WALLET_ADDRESS_TAKEN: &str = "wallet_address_taken";
   pub const WALLET_ADDRESS_NOT_RESERVED: &str = "wallet_address_not_reserved";
   pub const USER_NOT_FOUND: &str = "user_not_found";
   pub const INVALID_NONCE: &str = "invalid_nonce";
   pub const NONCE_EXPIRED: &str = "nonce_expired";
+  pub const FID_TAKEN: &str = "fid_taken";
+  pub const CANNOT_LINK_FID: &str = "cannot_link_fid";
+  pub const INVALID_PLATFORM_METADATA: &str = "invalid_platform_metadata";
+  pub const MISSING_CREDENTIALS: &str = "missing_credentials";
+  pub const BAD_CREDENTIALS: &str = "bad_credentials";
+  pub const SESSION_NOT_FOUND: &str = "session_not_found";
+  pub const INVALID_TIMESTAMP: &str = "invalid_timestamp";
 }
 
 // Tunnelbroker
 pub const TUNNELBROKER_GRPC_ENDPOINT: &str = "TUNNELBROKER_GRPC_ENDPOINT";
 pub const DEFAULT_TUNNELBROKER_ENDPOINT: &str = "http://localhost:50051";
 
 // X3DH key management
 
 // Threshold for requesting more one_time keys
 pub const ONE_TIME_KEY_MINIMUM_THRESHOLD: usize = 5;
 // Number of keys to be refreshed when below the threshold
 pub const ONE_TIME_KEY_REFRESH_NUMBER: u32 = 5;
 
 // Minimum supported code versions
 
 pub const MIN_SUPPORTED_NATIVE_VERSION: u64 = 270;
 
 // Request metadata
 
 pub mod request_metadata {
   pub const CODE_VERSION: &str = "code_version";
   pub const STATE_VERSION: &str = "state_version";
   pub const MAJOR_DESKTOP_VERSION: &str = "major_desktop_version";
   pub const DEVICE_TYPE: &str = "device_type";
   pub const USER_ID: &str = "user_id";
   pub const DEVICE_ID: &str = "device_id";
   pub const ACCESS_TOKEN: &str = "access_token";
 }
 
 // CORS
 
 pub mod cors {
   use std::time::Duration;
 
   pub const DEFAULT_MAX_AGE: Duration = Duration::from_secs(24 * 60 * 60);
   pub const DEFAULT_EXPOSED_HEADERS: [&str; 3] =
     ["grpc-status", "grpc-message", "grpc-status-details-bin"];
   pub const DEFAULT_ALLOW_HEADERS: [&str; 11] = [
     "x-grpc-web",
     "content-type",
     "x-user-agent",
     "grpc-timeout",
     super::request_metadata::CODE_VERSION,
     super::request_metadata::STATE_VERSION,
     super::request_metadata::MAJOR_DESKTOP_VERSION,
     super::request_metadata::DEVICE_TYPE,
     super::request_metadata::USER_ID,
     super::request_metadata::DEVICE_ID,
     super::request_metadata::ACCESS_TOKEN,
   ];
   pub const ALLOW_ORIGIN_LIST: &str = "ALLOW_ORIGIN_LIST";
   pub const PROD_ORIGIN_HOST_STR: &str = "web.comm.app";
 }
 
 // Tracing
 
 pub const COMM_SERVICES_USE_JSON_LOGS: &str = "COMM_SERVICES_USE_JSON_LOGS";
 
 // Regex
 
 pub const VALID_USERNAME_REGEX_STRING: &str =
   r"^[a-zA-Z0-9][a-zA-Z0-9-_]{0,190}$";
 
 // Retry
 
 // TODO: Replace this with `ExponentialBackoffConfig` from `comm-lib`
 pub mod retry {
   pub const MAX_ATTEMPTS: usize = 8;
 
   pub const CONDITIONAL_CHECK_FAILED: &str = "ConditionalCheckFailed";
   pub const TRANSACTION_CONFLICT: &str = "TransactionConflict";
 }
 
 // One-time keys
 pub const ONE_TIME_KEY_UPLOAD_LIMIT_PER_ACCOUNT: usize = 24;
 pub const ONE_TIME_KEY_SIZE: usize = 43; // as defined in olm
 pub const MAX_ONE_TIME_KEYS: usize = 100; // as defined in olm
diff --git a/services/identity/src/grpc_services/authenticated.rs b/services/identity/src/grpc_services/authenticated.rs
index 6e40d7145..56c248b2c 100644
--- a/services/identity/src/grpc_services/authenticated.rs
+++ b/services/identity/src/grpc_services/authenticated.rs
@@ -1,844 +1,857 @@
 use std::collections::HashMap;
 
 use crate::config::CONFIG;
 use crate::database::{DeviceListUpdate, PlatformDetails};
 use crate::device_list::SignedDeviceList;
 use crate::error::consume_error;
 use crate::{
   client_service::{handle_db_error, UpdateState, WorkflowInProgress},
   constants::{error_types, request_metadata, tonic_status_messages},
   database::DatabaseClient,
   grpc_services::shared::{get_platform_metadata, get_value},
 };
 use chrono::DateTime;
 use comm_opaque2::grpc::protocol_error_to_grpc_status;
 use tonic::{Request, Response, Status};
 use tracing::{debug, error, trace, warn};
 
 use super::protos::auth::{
   identity_client_service_server::IdentityClientService,
   DeletePasswordUserFinishRequest, DeletePasswordUserStartRequest,
   DeletePasswordUserStartResponse, GetDeviceListRequest, GetDeviceListResponse,
   InboundKeyInfo, InboundKeysForUserRequest, InboundKeysForUserResponse,
   KeyserverKeysResponse, LinkFarcasterAccountRequest, OutboundKeyInfo,
   OutboundKeysForUserRequest, OutboundKeysForUserResponse,
   PeersDeviceListsRequest, PeersDeviceListsResponse, RefreshUserPrekeysRequest,
   UpdateDeviceListRequest, UpdateUserPasswordFinishRequest,
   UpdateUserPasswordStartRequest, UpdateUserPasswordStartResponse,
   UploadOneTimeKeysRequest, UserDevicesPlatformDetails, UserIdentitiesRequest,
   UserIdentitiesResponse,
 };
 use super::protos::unauth::Empty;
 
 #[derive(derive_more::Constructor)]
 pub struct AuthenticatedService {
   db_client: DatabaseClient,
 }
 
 fn get_auth_info(req: &Request<()>) -> Option<(String, String, String)> {
   trace!("Retrieving auth info for request: {:?}", req);
 
   let user_id = get_value(req, request_metadata::USER_ID)?;
   let device_id = get_value(req, request_metadata::DEVICE_ID)?;
   let access_token = get_value(req, request_metadata::ACCESS_TOKEN)?;
 
   Some((user_id, device_id, access_token))
 }
 
 pub fn auth_interceptor(
   req: Request<()>,
   db_client: &DatabaseClient,
 ) -> Result<Request<()>, Status> {
   trace!("Intercepting request to check auth info: {:?}", req);
 
-  let (user_id, device_id, access_token) = get_auth_info(&req)
-    .ok_or_else(|| Status::unauthenticated("Missing credentials"))?;
+  let (user_id, device_id, access_token) =
+    get_auth_info(&req).ok_or_else(|| {
+      Status::unauthenticated(tonic_status_messages::MISSING_CREDENTIALS)
+    })?;
 
   let handle = tokio::runtime::Handle::current();
   let new_db_client = db_client.clone();
 
   // This function cannot be `async`, yet must call the async db call
   // Force tokio to resolve future in current thread without an explicit .await
   let valid_token = tokio::task::block_in_place(move || {
     handle
       .block_on(new_db_client.verify_access_token(
         user_id,
         device_id,
         access_token,
       ))
       .map_err(handle_db_error)
   })?;
 
   if !valid_token {
-    return Err(Status::aborted("Bad Credentials"));
+    return Err(Status::aborted(tonic_status_messages::BAD_CREDENTIALS));
   }
 
   Ok(req)
 }
 
 pub fn get_user_and_device_id<T>(
   request: &Request<T>,
 ) -> Result<(String, String), Status> {
   let user_id = get_value(request, request_metadata::USER_ID)
     .ok_or_else(|| Status::unauthenticated("Missing user_id field"))?;
   let device_id = get_value(request, request_metadata::DEVICE_ID)
     .ok_or_else(|| Status::unauthenticated("Missing device_id field"))?;
 
   Ok((user_id, device_id))
 }
 
 #[tonic::async_trait]
 impl IdentityClientService for AuthenticatedService {
   #[tracing::instrument(skip_all)]
   async fn refresh_user_prekeys(
     &self,
     request: Request<RefreshUserPrekeysRequest>,
   ) -> Result<Response<Empty>, Status> {
     let (user_id, device_id) = get_user_and_device_id(&request)?;
     let message = request.into_inner();
 
     debug!("Refreshing prekeys for user: {}", user_id);
 
     let content_keys = message
       .new_content_prekeys
       .ok_or_else(|| Status::invalid_argument("Missing content keys"))?;
     let notif_keys = message
       .new_notif_prekeys
       .ok_or_else(|| Status::invalid_argument("Missing notification keys"))?;
 
     self
       .db_client
       .update_device_prekeys(
         user_id,
         device_id,
         content_keys.into(),
         notif_keys.into(),
       )
       .await
       .map_err(handle_db_error)?;
 
     let response = Response::new(Empty {});
     Ok(response)
   }
 
   #[tracing::instrument(skip_all)]
   async fn get_outbound_keys_for_user(
     &self,
     request: tonic::Request<OutboundKeysForUserRequest>,
   ) -> Result<tonic::Response<OutboundKeysForUserResponse>, tonic::Status> {
     let message = request.into_inner();
     let user_id = &message.user_id;
 
     let devices_map = self
       .db_client
       .get_keys_for_user(user_id, true)
       .await
       .map_err(handle_db_error)?
       .ok_or_else(|| {
         tonic::Status::not_found(tonic_status_messages::USER_NOT_FOUND)
       })?;
 
     let transformed_devices = devices_map
       .into_iter()
       .map(|(key, device_info)| (key, OutboundKeyInfo::from(device_info)))
       .collect::<HashMap<_, _>>();
 
     Ok(tonic::Response::new(OutboundKeysForUserResponse {
       devices: transformed_devices,
     }))
   }
 
   #[tracing::instrument(skip_all)]
   async fn get_inbound_keys_for_user(
     &self,
     request: tonic::Request<InboundKeysForUserRequest>,
   ) -> Result<tonic::Response<InboundKeysForUserResponse>, tonic::Status> {
     let message = request.into_inner();
     let user_id = &message.user_id;
 
     let devices_map = self
       .db_client
       .get_keys_for_user(user_id, false)
       .await
       .map_err(handle_db_error)?
       .ok_or_else(|| {
         tonic::Status::not_found(tonic_status_messages::USER_NOT_FOUND)
       })?;
 
     let transformed_devices = devices_map
       .into_iter()
       .map(|(key, device_info)| (key, InboundKeyInfo::from(device_info)))
       .collect::<HashMap<_, _>>();
 
     let identifier = self
       .db_client
       .get_user_identity(user_id)
       .await
       .map_err(handle_db_error)?
       .ok_or_else(|| {
         tonic::Status::not_found(tonic_status_messages::USER_NOT_FOUND)
       })?;
 
     Ok(tonic::Response::new(InboundKeysForUserResponse {
       devices: transformed_devices,
       identity: Some(identifier.into()),
     }))
   }
 
   #[tracing::instrument(skip_all)]
   async fn get_keyserver_keys(
     &self,
     request: Request<OutboundKeysForUserRequest>,
   ) -> Result<Response<KeyserverKeysResponse>, Status> {
     let message = request.into_inner();
 
     let identifier = self
       .db_client
       .get_user_identity(&message.user_id)
       .await
       .map_err(handle_db_error)?
       .ok_or_else(|| {
         tonic::Status::not_found(tonic_status_messages::USER_NOT_FOUND)
       })?;
 
     let Some(keyserver_info) = self
       .db_client
       .get_keyserver_keys_for_user(&message.user_id)
       .await
       .map_err(handle_db_error)?
     else {
       return Err(Status::not_found("keyserver not found"));
     };
 
     let primary_device_data = self
       .db_client
       .get_primary_device_data(&message.user_id)
       .await
       .map_err(handle_db_error)?;
     let primary_device_keys = primary_device_data.device_key_info;
 
     let response = Response::new(KeyserverKeysResponse {
       keyserver_info: Some(keyserver_info.into()),
       identity: Some(identifier.into()),
       primary_device_identity_info: Some(primary_device_keys.into()),
     });
 
     return Ok(response);
   }
 
   #[tracing::instrument(skip_all)]
   async fn upload_one_time_keys(
     &self,
     request: tonic::Request<UploadOneTimeKeysRequest>,
   ) -> Result<tonic::Response<Empty>, tonic::Status> {
     let (user_id, device_id) = get_user_and_device_id(&request)?;
     let message = request.into_inner();
 
     debug!("Attempting to update one time keys for user: {}", user_id);
     self
       .db_client
       .append_one_time_prekeys(
         &user_id,
         &device_id,
         &message.content_one_time_prekeys,
         &message.notif_one_time_prekeys,
       )
       .await
       .map_err(handle_db_error)?;
 
     Ok(tonic::Response::new(Empty {}))
   }
 
   #[tracing::instrument(skip_all)]
   async fn update_user_password_start(
     &self,
     request: tonic::Request<UpdateUserPasswordStartRequest>,
   ) -> Result<tonic::Response<UpdateUserPasswordStartResponse>, tonic::Status>
   {
     let (user_id, _) = get_user_and_device_id(&request)?;
     let message = request.into_inner();
 
     let server_registration = comm_opaque2::server::Registration::new();
     let server_message = server_registration
       .start(
         &CONFIG.server_setup,
         &message.opaque_registration_request,
         user_id.as_bytes(),
       )
       .map_err(protocol_error_to_grpc_status)?;
 
     let update_state = UpdateState { user_id };
     let session_id = self
       .db_client
       .insert_workflow(WorkflowInProgress::Update(update_state))
       .await
       .map_err(handle_db_error)?;
 
     let response = UpdateUserPasswordStartResponse {
       session_id,
       opaque_registration_response: server_message,
     };
     Ok(Response::new(response))
   }
 
   #[tracing::instrument(skip_all)]
   async fn update_user_password_finish(
     &self,
     request: tonic::Request<UpdateUserPasswordFinishRequest>,
   ) -> Result<tonic::Response<Empty>, tonic::Status> {
     let message = request.into_inner();
 
     let Some(WorkflowInProgress::Update(state)) = self
       .db_client
       .get_workflow(message.session_id)
       .await
       .map_err(handle_db_error)?
     else {
-      return Err(tonic::Status::not_found("session not found"));
+      return Err(tonic::Status::not_found(
+        tonic_status_messages::SESSION_NOT_FOUND,
+      ));
     };
 
     let server_registration = comm_opaque2::server::Registration::new();
     let password_file = server_registration
       .finish(&message.opaque_registration_upload)
       .map_err(protocol_error_to_grpc_status)?;
 
     self
       .db_client
       .update_user_password(state.user_id, password_file)
       .await
       .map_err(handle_db_error)?;
 
     let response = Empty {};
     Ok(Response::new(response))
   }
 
   #[tracing::instrument(skip_all)]
   async fn log_out_user(
     &self,
     request: tonic::Request<Empty>,
   ) -> Result<tonic::Response<Empty>, tonic::Status> {
     let (user_id, device_id) = get_user_and_device_id(&request)?;
 
     self
       .db_client
       .remove_device(&user_id, &device_id)
       .await
       .map_err(handle_db_error)?;
 
     self
       .db_client
       .delete_otks_table_rows_for_user_device(&user_id, &device_id)
       .await
       .map_err(handle_db_error)?;
 
     self
       .db_client
       .delete_access_token_data(&user_id, device_id)
       .await
       .map_err(handle_db_error)?;
 
     let device_list = self
       .db_client
       .get_current_device_list(&user_id)
       .await
       .map_err(|err| {
         error!(
           user_id,
           errorType = error_types::GRPC_SERVICES_LOG,
           "Failed fetching device list: {err}"
         );
         handle_db_error(err)
       })?;
 
     let Some(device_list) = device_list else {
       error!(
         user_id,
         errorType = error_types::GRPC_SERVICES_LOG,
         "User has no device list!"
       );
       return Err(Status::failed_precondition("no device list"));
     };
 
     tokio::spawn(async move {
       debug!(
         "Sending device list updates to {:?}",
         device_list.device_ids
       );
       let device_ids: Vec<&str> =
         device_list.device_ids.iter().map(AsRef::as_ref).collect();
       let result =
         crate::tunnelbroker::send_device_list_update(&device_ids).await;
       consume_error(result);
     });
 
     let response = Empty {};
     Ok(Response::new(response))
   }
 
   #[tracing::instrument(skip_all)]
   async fn log_out_secondary_device(
     &self,
     request: tonic::Request<Empty>,
   ) -> Result<tonic::Response<Empty>, tonic::Status> {
     let (user_id, device_id) = get_user_and_device_id(&request)?;
 
     debug!(
       "Secondary device logout request for user_id={}, device_id={}",
       user_id, device_id
     );
     self
       .verify_device_on_device_list(
         &user_id,
         &device_id,
         DeviceListItemKind::Secondary,
       )
       .await?;
 
     self
       .db_client
       .delete_access_token_data(&user_id, &device_id)
       .await
       .map_err(handle_db_error)?;
 
     self
       .db_client
       .delete_otks_table_rows_for_user_device(&user_id, &device_id)
       .await
       .map_err(handle_db_error)?;
 
     let response = Empty {};
     Ok(Response::new(response))
   }
 
   #[tracing::instrument(skip_all)]
   async fn delete_wallet_user(
     &self,
     request: tonic::Request<Empty>,
   ) -> Result<tonic::Response<Empty>, tonic::Status> {
     let (user_id, _) = get_user_and_device_id(&request)?;
 
     debug!("Attempting to delete wallet user: {}", user_id);
 
     let maybe_username_and_password_file = self
       .db_client
       .get_username_and_password_file(&user_id)
       .await
       .map_err(handle_db_error)?;
 
     if maybe_username_and_password_file.is_some() {
       return Err(tonic::Status::permission_denied("password user"));
     }
 
     self
       .db_client
       .delete_user(user_id)
       .await
       .map_err(handle_db_error)?;
 
     let response = Empty {};
     Ok(Response::new(response))
   }
 
   #[tracing::instrument(skip_all)]
   async fn delete_password_user_start(
     &self,
     request: tonic::Request<DeletePasswordUserStartRequest>,
   ) -> Result<tonic::Response<DeletePasswordUserStartResponse>, tonic::Status>
   {
     let (user_id, _) = get_user_and_device_id(&request)?;
     let message = request.into_inner();
 
     debug!("Attempting to start deleting password user: {}", user_id);
     let maybe_username_and_password_file = self
       .db_client
       .get_username_and_password_file(&user_id)
       .await
       .map_err(handle_db_error)?;
 
     let Some((username, password_file_bytes)) =
       maybe_username_and_password_file
     else {
       return Err(tonic::Status::not_found(
         tonic_status_messages::USER_NOT_FOUND,
       ));
     };
 
     let mut server_login = comm_opaque2::server::Login::new();
     let server_response = server_login
       .start(
         &CONFIG.server_setup,
         &password_file_bytes,
         &message.opaque_login_request,
         username.as_bytes(),
       )
       .map_err(protocol_error_to_grpc_status)?;
 
     let delete_state = construct_delete_password_user_info(server_login);
 
     let session_id = self
       .db_client
       .insert_workflow(WorkflowInProgress::PasswordUserDeletion(Box::new(
         delete_state,
       )))
       .await
       .map_err(handle_db_error)?;
 
     let response = Response::new(DeletePasswordUserStartResponse {
       session_id,
       opaque_login_response: server_response,
     });
     Ok(response)
   }
 
   #[tracing::instrument(skip_all)]
   async fn delete_password_user_finish(
     &self,
     request: tonic::Request<DeletePasswordUserFinishRequest>,
   ) -> Result<tonic::Response<Empty>, tonic::Status> {
     let (user_id, _) = get_user_and_device_id(&request)?;
     let message = request.into_inner();
 
     debug!("Attempting to finish deleting password user: {}", user_id);
     let Some(WorkflowInProgress::PasswordUserDeletion(state)) = self
       .db_client
       .get_workflow(message.session_id)
       .await
       .map_err(handle_db_error)?
     else {
-      return Err(tonic::Status::not_found("session not found"));
+      return Err(tonic::Status::not_found(
+        tonic_status_messages::SESSION_NOT_FOUND,
+      ));
     };
 
     let mut server_login = state.opaque_server_login;
     server_login
       .finish(&message.opaque_login_upload)
       .map_err(protocol_error_to_grpc_status)?;
 
     self
       .db_client
       .delete_user(user_id)
       .await
       .map_err(handle_db_error)?;
 
     let response = Empty {};
     Ok(Response::new(response))
   }
 
   #[tracing::instrument(skip_all)]
   async fn get_device_list_for_user(
     &self,
     request: tonic::Request<GetDeviceListRequest>,
   ) -> Result<tonic::Response<GetDeviceListResponse>, tonic::Status> {
     let GetDeviceListRequest {
       user_id,
       since_timestamp,
     } = request.into_inner();
 
     let since = since_timestamp
       .map(|timestamp| {
-        DateTime::from_timestamp_millis(timestamp)
-          .ok_or_else(|| tonic::Status::invalid_argument("Invalid timestamp"))
+        DateTime::from_timestamp_millis(timestamp).ok_or_else(|| {
+          tonic::Status::invalid_argument(
+            tonic_status_messages::INVALID_TIMESTAMP,
+          )
+        })
       })
       .transpose()?;
 
     let mut db_result = self
       .db_client
       .get_device_list_history(user_id, since)
       .await
       .map_err(handle_db_error)?;
 
     // these should be sorted already, but just in case
     db_result.sort_by_key(|list| list.timestamp);
 
     let device_list_updates: Vec<SignedDeviceList> = db_result
       .into_iter()
       .map(SignedDeviceList::try_from)
       .collect::<Result<Vec<_>, _>>()?;
 
     let stringified_updates = device_list_updates
       .iter()
       .map(SignedDeviceList::as_json_string)
       .collect::<Result<Vec<_>, _>>()?;
 
     Ok(Response::new(GetDeviceListResponse {
       device_list_updates: stringified_updates,
     }))
   }
 
   #[tracing::instrument(skip_all)]
   async fn get_device_lists_for_users(
     &self,
     request: tonic::Request<PeersDeviceListsRequest>,
   ) -> Result<tonic::Response<PeersDeviceListsResponse>, tonic::Status> {
     let PeersDeviceListsRequest { user_ids } = request.into_inner();
     use crate::database::{DeviceListRow, DeviceRow};
 
     async fn get_current_device_list_and_data(
       db_client: DatabaseClient,
       user_id: &str,
     ) -> Result<(Option<DeviceListRow>, Vec<DeviceRow>), crate::error::Error>
     {
       let (list_result, data_result) = tokio::join!(
         db_client.get_current_device_list(user_id),
         db_client.get_current_devices(user_id)
       );
       Ok((list_result?, data_result?))
     }
 
     // do all fetches concurrently
     let mut fetch_tasks = tokio::task::JoinSet::new();
     let mut device_lists = HashMap::with_capacity(user_ids.len());
     let mut users_devices_platform_details =
       HashMap::with_capacity(user_ids.len());
     for user_id in user_ids {
       let db_client = self.db_client.clone();
       fetch_tasks.spawn(async move {
         let result =
           get_current_device_list_and_data(db_client, &user_id).await;
         (user_id, result)
       });
     }
 
     while let Some(task_result) = fetch_tasks.join_next().await {
       match task_result {
         Ok((user_id, Ok((device_list, devices_data)))) => {
           let Some(device_list_row) = device_list else {
             warn!(user_id, "User has no device list, skipping!");
             continue;
           };
           let signed_list = SignedDeviceList::try_from(device_list_row)?;
           let serialized_list = signed_list.as_json_string()?;
           device_lists.insert(user_id.clone(), serialized_list);
 
           let devices_platform_details = devices_data
             .into_iter()
             .map(|data| (data.device_id, data.platform_details.into()))
             .collect();
           users_devices_platform_details.insert(
             user_id,
             UserDevicesPlatformDetails {
               devices_platform_details,
             },
           );
         }
         Ok((user_id, Err(err))) => {
           error!(
             user_id,
             errorType = error_types::GRPC_SERVICES_LOG,
             "Failed fetching device list: {err}"
           );
           // abort fetching other users
           fetch_tasks.abort_all();
           return Err(handle_db_error(err));
         }
         Err(join_error) => {
           error!(
             errorType = error_types::GRPC_SERVICES_LOG,
             "Failed to join device list task: {join_error}"
           );
           fetch_tasks.abort_all();
           return Err(Status::aborted("unexpected error"));
         }
       }
     }
 
     let response = PeersDeviceListsResponse {
       users_device_lists: device_lists,
       users_devices_platform_details,
     };
     Ok(Response::new(response))
   }
 
   #[tracing::instrument(skip_all)]
   async fn update_device_list(
     &self,
     request: tonic::Request<UpdateDeviceListRequest>,
   ) -> Result<Response<Empty>, tonic::Status> {
     let (user_id, _device_id) = get_user_and_device_id(&request)?;
     // TODO: when we stop doing "primary device rotation" (migration procedure)
     // we should verify if this RPC is called by primary device only
 
     let new_list = SignedDeviceList::try_from(request.into_inner())?;
     let update = DeviceListUpdate::try_from(new_list)?;
     self
       .db_client
       .apply_devicelist_update(
         &user_id,
         update,
         crate::device_list::validation::update_device_list_rpc_validator,
       )
       .await
       .map_err(handle_db_error)?;
 
     Ok(Response::new(Empty {}))
   }
 
   #[tracing::instrument(skip_all)]
   async fn link_farcaster_account(
     &self,
     request: tonic::Request<LinkFarcasterAccountRequest>,
   ) -> Result<Response<Empty>, tonic::Status> {
     let (user_id, _) = get_user_and_device_id(&request)?;
     let message = request.into_inner();
 
     let mut get_farcaster_users_response = self
       .db_client
       .get_farcaster_users(vec![message.farcaster_id.clone()])
       .await
       .map_err(handle_db_error)?;
 
     if get_farcaster_users_response.len() > 1 {
       error!(
         errorType = error_types::GRPC_SERVICES_LOG,
         "multiple users associated with the same Farcaster ID"
       );
-      return Err(Status::failed_precondition("cannot link Farcaster ID"));
+      return Err(Status::failed_precondition(
+        tonic_status_messages::CANNOT_LINK_FID,
+      ));
     }
 
     if let Some(u) = get_farcaster_users_response.pop() {
       if u.0.user_id == user_id {
         return Ok(Response::new(Empty {}));
       } else {
-        return Err(Status::already_exists(
-          "farcaster ID already associated with different user",
-        ));
+        return Err(Status::already_exists(tonic_status_messages::FID_TAKEN));
       }
     }
 
     self
       .db_client
       .add_farcaster_id(user_id, message.farcaster_id)
       .await
       .map_err(handle_db_error)?;
 
     let response = Empty {};
     Ok(Response::new(response))
   }
 
   #[tracing::instrument(skip_all)]
   async fn unlink_farcaster_account(
     &self,
     request: tonic::Request<Empty>,
   ) -> Result<Response<Empty>, tonic::Status> {
     let (user_id, _) = get_user_and_device_id(&request)?;
 
     self
       .db_client
       .remove_farcaster_id(user_id)
       .await
       .map_err(handle_db_error)?;
 
     let response = Empty {};
     Ok(Response::new(response))
   }
 
   #[tracing::instrument(skip_all)]
   async fn find_user_identities(
     &self,
     request: tonic::Request<UserIdentitiesRequest>,
   ) -> Result<Response<UserIdentitiesResponse>, tonic::Status> {
     let message = request.into_inner();
 
     let results = self
       .db_client
       .find_db_user_identities(message.user_ids)
       .await
       .map_err(handle_db_error)?;
 
     let mapped_results = results
       .into_iter()
       .map(|(user_id, identifier)| (user_id, identifier.into()))
       .collect();
 
     let response = UserIdentitiesResponse {
       identities: mapped_results,
     };
     return Ok(Response::new(response));
   }
 
   #[tracing::instrument(skip_all)]
   async fn sync_platform_details(
     &self,
     request: tonic::Request<Empty>,
   ) -> Result<Response<Empty>, tonic::Status> {
     let (user_id, device_id) = get_user_and_device_id(&request)?;
     let platform_metadata = get_platform_metadata(&request)?;
     let platform_details = PlatformDetails::new(platform_metadata, None)
-      .map_err(|_| Status::invalid_argument("Invalid platform metadata"))?;
+      .map_err(|_| {
+        Status::invalid_argument(
+          tonic_status_messages::INVALID_PLATFORM_METADATA,
+        )
+      })?;
 
     self
       .db_client
       .update_device_platform_details(user_id, device_id, platform_details)
       .await
       .map_err(handle_db_error)?;
 
     Ok(Response::new(Empty {}))
   }
 }
 
 #[allow(dead_code)]
 enum DeviceListItemKind {
   Any,
   Primary,
   Secondary,
 }
 
 impl AuthenticatedService {
   async fn verify_device_on_device_list(
     &self,
     user_id: &String,
     device_id: &String,
     device_kind: DeviceListItemKind,
   ) -> Result<(), tonic::Status> {
     let device_list = self
       .db_client
       .get_current_device_list(user_id)
       .await
       .map_err(|err| {
         error!(
           user_id,
           errorType = error_types::GRPC_SERVICES_LOG,
           "Failed fetching device list: {err}"
         );
         handle_db_error(err)
       })?;
 
     let Some(device_list) = device_list else {
       error!(
         user_id,
         errorType = error_types::GRPC_SERVICES_LOG,
         "User has no device list!"
       );
       return Err(Status::failed_precondition("no device list"));
     };
 
     use DeviceListItemKind as DeviceKind;
     let device_on_list = match device_kind {
       DeviceKind::Any => device_list.has_device(device_id),
       DeviceKind::Primary => device_list.is_primary_device(device_id),
       DeviceKind::Secondary => device_list.has_secondary_device(device_id),
     };
 
     if !device_on_list {
       debug!(
         "Device {} not on device list for user {}",
         device_id, user_id
       );
       return Err(Status::permission_denied("device not on device list"));
     }
 
     Ok(())
   }
 }
 
 #[derive(Clone, serde::Serialize, serde::Deserialize)]
 pub struct DeletePasswordUserInfo {
   pub opaque_server_login: comm_opaque2::server::Login,
 }
 
 fn construct_delete_password_user_info(
   opaque_server_login: comm_opaque2::server::Login,
 ) -> DeletePasswordUserInfo {
   DeletePasswordUserInfo {
     opaque_server_login,
   }
 }