diff --git a/management/server/sql_store_test.go b/management/server/sql_store_test.go
index 211767bff..26cc653e8 100644
--- a/management/server/sql_store_test.go
+++ b/management/server/sql_store_test.go
@@ -577,29 +577,6 @@ func TestSqlite_GetTokenIDByHashedToken(t *testing.T) {
 	require.Equal(t, status.NotFound, parsedErr.Type(), "should return not found error")
 }
 
-func TestSqlite_GetUserByTokenID(t *testing.T) {
-	if runtime.GOOS == "windows" {
-		t.Skip("The SQLite store is not properly supported by Windows yet")
-	}
-
-	t.Setenv("NETBIRD_STORE_ENGINE", string(SqliteStoreEngine))
-	store, cleanUp, err := NewTestStoreFromSQL(context.Background(), "testdata/store.sql", t.TempDir())
-	t.Cleanup(cleanUp)
-	assert.NoError(t, err)
-
-	id := "9dj38s35-63fb-11ec-90d6-0242ac120003"
-
-	user, err := store.GetUserByPATID(context.Background(), LockingStrengthShare, id)
-	require.NoError(t, err)
-	require.NotNil(t, id, user)
-
-	_, err = store.GetUserByPATID(context.Background(), LockingStrengthShare, "non-existing-id")
-	require.Error(t, err)
-	parsedErr, ok := status.FromError(err)
-	require.True(t, ok)
-	require.Equal(t, status.NotFound, parsedErr.Type(), "should return not found error")
-}
-
 func TestMigrate(t *testing.T) {
 	if (os.Getenv("CI") == "true" && runtime.GOOS == "darwin") || runtime.GOOS == "windows" {
 		t.Skip("skip CI tests on darwin and windows")
@@ -966,23 +943,6 @@ func TestPostgresql_GetTokenIDByHashedToken(t *testing.T) {
 	require.Equal(t, id, token)
 }
 
-func TestPostgresql_GetUserByTokenID(t *testing.T) {
-	if (os.Getenv("CI") == "true" && runtime.GOOS == "darwin") || runtime.GOOS == "windows" {
-		t.Skip("skip CI tests on darwin and windows")
-	}
-
-	t.Setenv("NETBIRD_STORE_ENGINE", string(PostgresStoreEngine))
-	store, cleanUp, err := NewTestStoreFromSQL(context.Background(), "testdata/store.sql", t.TempDir())
-	t.Cleanup(cleanUp)
-	assert.NoError(t, err)
-
-	id := "9dj38s35-63fb-11ec-90d6-0242ac120003"
-
-	user, err := store.GetUserByPATID(context.Background(), LockingStrengthShare, id)
-	require.NoError(t, err)
-	require.Equal(t, id, user.PATs[id].ID)
-}
-
 func TestSqlite_GetTakenIPs(t *testing.T) {
 	t.Setenv("NETBIRD_STORE_ENGINE", string(SqliteStoreEngine))
 	store, cleanup, err := NewTestStoreFromSQL(context.Background(), "testdata/extended-store.sql", t.TempDir())
@@ -1186,7 +1146,7 @@ func TestSqlite_CreateAndGetObjectInTransaction(t *testing.T) {
 	assert.NoError(t, err)
 }
 
-func TestSqlite_GetAccoundUsers(t *testing.T) {
+func TestSqlite_GetAccountUsers(t *testing.T) {
 	store, cleanup, err := NewTestStoreFromSQL(context.Background(), "testdata/extended-store.sql", t.TempDir())
 	t.Cleanup(cleanup)
 	if err != nil {
@@ -2179,3 +2139,326 @@ func TestSqlStore_DeletePeer(t *testing.T) {
 	require.Error(t, err)
 	require.Nil(t, peer)
 }
+
+func TestSqlStore_GetAccountCreatedBy(t *testing.T) {
+	store, cleanup, err := NewTestStoreFromSQL(context.Background(), "testdata/store.sql", t.TempDir())
+	t.Cleanup(cleanup)
+	require.NoError(t, err)
+
+	tests := []struct {
+		name        string
+		accountID   string
+		expectError bool
+		createdBy   string
+	}{
+		{
+			name:        "existing account ID",
+			accountID:   "bf1c8084-ba50-4ce7-9439-34653001fc3b",
+			expectError: false,
+			createdBy:   "edafee4e-63fb-11ec-90d6-0242ac120003",
+		},
+		{
+			name:        "non-existing account ID",
+			accountID:   "nonexistent",
+			expectError: true,
+		},
+		{
+			name:        "empty account ID",
+			accountID:   "",
+			expectError: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			createdBy, err := store.GetAccountCreatedBy(context.Background(), LockingStrengthShare, tt.accountID)
+			if tt.expectError {
+				require.Error(t, err)
+				sErr, ok := status.FromError(err)
+				require.True(t, ok)
+				require.Equal(t, sErr.Type(), status.NotFound)
+				require.Empty(t, createdBy)
+			} else {
+				require.NoError(t, err)
+				require.NotNil(t, createdBy)
+				require.Equal(t, tt.createdBy, createdBy)
+			}
+		})
+	}
+
+}
+
+func TestSqlStore_GetUserByUserID(t *testing.T) {
+	store, cleanup, err := NewTestStoreFromSQL(context.Background(), "testdata/extended-store.sql", t.TempDir())
+	t.Cleanup(cleanup)
+	require.NoError(t, err)
+
+	tests := []struct {
+		name        string
+		userID      string
+		expectError bool
+	}{
+		{
+			name:        "retrieve existing user",
+			userID:      "edafee4e-63fb-11ec-90d6-0242ac120003",
+			expectError: false,
+		},
+		{
+			name:        "retrieve non-existing user",
+			userID:      "non-existing",
+			expectError: true,
+		},
+		{
+			name:        "retrieve with empty user ID",
+			userID:      "",
+			expectError: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			user, err := store.GetUserByUserID(context.Background(), LockingStrengthShare, tt.userID)
+			if tt.expectError {
+				require.Error(t, err)
+				sErr, ok := status.FromError(err)
+				require.True(t, ok)
+				require.Equal(t, sErr.Type(), status.NotFound)
+				require.Nil(t, user)
+			} else {
+				require.NoError(t, err)
+				require.NotNil(t, user)
+				require.Equal(t, tt.userID, user.Id)
+			}
+		})
+	}
+}
+
+func TestSqlStore_GetUserByPATID(t *testing.T) {
+	store, cleanUp, err := NewTestStoreFromSQL(context.Background(), "testdata/store.sql", t.TempDir())
+	t.Cleanup(cleanUp)
+	assert.NoError(t, err)
+
+	id := "9dj38s35-63fb-11ec-90d6-0242ac120003"
+
+	user, err := store.GetUserByPATID(context.Background(), LockingStrengthShare, id)
+	require.NoError(t, err)
+	require.Equal(t, "f4f6d672-63fb-11ec-90d6-0242ac120003", user.Id)
+}
+
+func TestSqlStore_SaveUser(t *testing.T) {
+	store, cleanup, err := NewTestStoreFromSQL(context.Background(), "testdata/extended-store.sql", t.TempDir())
+	t.Cleanup(cleanup)
+	require.NoError(t, err)
+
+	accountID := "bf1c8084-ba50-4ce7-9439-34653001fc3b"
+
+	user := &User{
+		Id:            "user-id",
+		AccountID:     accountID,
+		Role:          UserRoleAdmin,
+		IsServiceUser: false,
+		AutoGroups:    []string{"groupA", "groupB"},
+		Blocked:       false,
+		LastLogin:     time.Now().UTC(),
+		CreatedAt:     time.Now().UTC().Add(-time.Hour),
+		Issued:        UserIssuedIntegration,
+	}
+	err = store.SaveUser(context.Background(), LockingStrengthUpdate, user)
+	require.NoError(t, err)
+
+	saveUser, err := store.GetUserByUserID(context.Background(), LockingStrengthShare, user.Id)
+	require.NoError(t, err)
+	require.Equal(t, user.Id, saveUser.Id)
+	require.Equal(t, user.AccountID, saveUser.AccountID)
+	require.Equal(t, user.Role, saveUser.Role)
+	require.Equal(t, user.AutoGroups, saveUser.AutoGroups)
+	require.WithinDurationf(t, user.LastLogin, saveUser.LastLogin.UTC(), time.Millisecond, "LastLogin should be equal")
+	require.WithinDurationf(t, user.CreatedAt, saveUser.CreatedAt.UTC(), time.Millisecond, "CreatedAt should be equal")
+	require.Equal(t, user.Issued, saveUser.Issued)
+	require.Equal(t, user.Blocked, saveUser.Blocked)
+	require.Equal(t, user.IsServiceUser, saveUser.IsServiceUser)
+}
+
+func TestSqlStore_SaveUsers(t *testing.T) {
+	store, cleanup, err := NewTestStoreFromSQL(context.Background(), "testdata/extended-store.sql", t.TempDir())
+	t.Cleanup(cleanup)
+	require.NoError(t, err)
+
+	accountID := "bf1c8084-ba50-4ce7-9439-34653001fc3b"
+
+	accountUsers, err := store.GetAccountUsers(context.Background(), LockingStrengthShare, accountID)
+	require.NoError(t, err)
+	require.Len(t, accountUsers, 2)
+
+	users := []*User{
+		{
+			Id:         "user-1",
+			AccountID:  accountID,
+			Issued:     "api",
+			AutoGroups: []string{"groupA", "groupB"},
+		},
+		{
+			Id:         "user-2",
+			AccountID:  accountID,
+			Issued:     "integration",
+			AutoGroups: []string{"groupA"},
+		},
+	}
+	err = store.SaveUsers(context.Background(), LockingStrengthUpdate, users)
+	require.NoError(t, err)
+
+	accountUsers, err = store.GetAccountUsers(context.Background(), LockingStrengthShare, accountID)
+	require.NoError(t, err)
+	require.Len(t, accountUsers, 4)
+}
+
+func TestSqlStore_DeleteUser(t *testing.T) {
+	store, cleanup, err := NewTestStoreFromSQL(context.Background(), "testdata/extended-store.sql", t.TempDir())
+	t.Cleanup(cleanup)
+	require.NoError(t, err)
+
+	accountID := "bf1c8084-ba50-4ce7-9439-34653001fc3b"
+	userID := "f4f6d672-63fb-11ec-90d6-0242ac120003"
+
+	err = store.DeleteUser(context.Background(), LockingStrengthUpdate, accountID, userID)
+	require.NoError(t, err)
+
+	user, err := store.GetUserByUserID(context.Background(), LockingStrengthShare, userID)
+	require.Error(t, err)
+	require.Nil(t, user)
+
+	userPATs, err := store.GetUserPATs(context.Background(), LockingStrengthShare, userID)
+	require.NoError(t, err)
+	require.Len(t, userPATs, 0)
+}
+
+func TestSqlStore_GetPATByID(t *testing.T) {
+	store, cleanup, err := NewTestStoreFromSQL(context.Background(), "testdata/extended-store.sql", t.TempDir())
+	t.Cleanup(cleanup)
+	require.NoError(t, err)
+
+	userID := "f4f6d672-63fb-11ec-90d6-0242ac120003"
+
+	tests := []struct {
+		name        string
+		patID       string
+		expectError bool
+	}{
+		{
+			name:        "retrieve existing PAT",
+			patID:       "9dj38s35-63fb-11ec-90d6-0242ac120003",
+			expectError: false,
+		},
+		{
+			name:        "retrieve non-existing PAT",
+			patID:       "non-existing",
+			expectError: true,
+		},
+		{
+			name:        "retrieve with empty PAT ID",
+			patID:       "",
+			expectError: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			pat, err := store.GetPATByID(context.Background(), LockingStrengthShare, userID, tt.patID)
+			if tt.expectError {
+				require.Error(t, err)
+				sErr, ok := status.FromError(err)
+				require.True(t, ok)
+				require.Equal(t, sErr.Type(), status.NotFound)
+				require.Nil(t, pat)
+			} else {
+				require.NoError(t, err)
+				require.NotNil(t, pat)
+				require.Equal(t, tt.patID, pat.ID)
+			}
+		})
+	}
+}
+
+func TestSqlStore_GetUserPATs(t *testing.T) {
+	store, cleanup, err := NewTestStoreFromSQL(context.Background(), "testdata/extended-store.sql", t.TempDir())
+	t.Cleanup(cleanup)
+	require.NoError(t, err)
+
+	userPATs, err := store.GetUserPATs(context.Background(), LockingStrengthShare, "f4f6d672-63fb-11ec-90d6-0242ac120003")
+	require.NoError(t, err)
+	require.Len(t, userPATs, 1)
+}
+
+func TestSqlStore_GetPATByHashedToken(t *testing.T) {
+	store, cleanup, err := NewTestStoreFromSQL(context.Background(), "testdata/extended-store.sql", t.TempDir())
+	t.Cleanup(cleanup)
+	require.NoError(t, err)
+
+	pat, err := store.GetPATByHashedToken(context.Background(), LockingStrengthShare, "SoMeHaShEdToKeN")
+	require.NoError(t, err)
+	require.Equal(t, "9dj38s35-63fb-11ec-90d6-0242ac120003", pat.ID)
+}
+
+func TestSqlStore_MarkPATUsed(t *testing.T) {
+	store, cleanup, err := NewTestStoreFromSQL(context.Background(), "testdata/extended-store.sql", t.TempDir())
+	t.Cleanup(cleanup)
+	require.NoError(t, err)
+
+	userID := "f4f6d672-63fb-11ec-90d6-0242ac120003"
+	patID := "9dj38s35-63fb-11ec-90d6-0242ac120003"
+
+	err = store.MarkPATUsed(context.Background(), LockingStrengthUpdate, patID)
+	require.NoError(t, err)
+
+	pat, err := store.GetPATByID(context.Background(), LockingStrengthShare, userID, patID)
+	require.NoError(t, err)
+	now := time.Now().UTC()
+	require.WithinRange(t, pat.LastUsed.UTC(), now.Add(-15*time.Second), now, "LastUsed should be within 1 second of now")
+}
+
+func TestSqlStore_SavePAT(t *testing.T) {
+	store, cleanup, err := NewTestStoreFromSQL(context.Background(), "testdata/extended-store.sql", t.TempDir())
+	t.Cleanup(cleanup)
+	require.NoError(t, err)
+
+	userID := "edafee4e-63fb-11ec-90d6-0242ac120003"
+
+	pat := &PersonalAccessToken{
+		ID:             "pat-id",
+		UserID:         userID,
+		Name:           "token",
+		HashedToken:    "SoMeHaShEdToKeN",
+		ExpirationDate: time.Now().UTC().Add(12 * time.Hour),
+		CreatedBy:      userID,
+		CreatedAt:      time.Now().UTC().Add(time.Hour),
+		LastUsed:       time.Now().UTC().Add(-15 * time.Minute),
+	}
+	err = store.SavePAT(context.Background(), LockingStrengthUpdate, pat)
+	require.NoError(t, err)
+
+	savePAT, err := store.GetPATByID(context.Background(), LockingStrengthShare, userID, pat.ID)
+	require.NoError(t, err)
+	require.Equal(t, pat.ID, savePAT.ID)
+	require.Equal(t, pat.UserID, savePAT.UserID)
+	require.Equal(t, pat.HashedToken, savePAT.HashedToken)
+	require.Equal(t, pat.CreatedBy, savePAT.CreatedBy)
+	require.WithinDurationf(t, pat.ExpirationDate, savePAT.ExpirationDate.UTC(), time.Millisecond, "ExpirationDate should be equal")
+	require.WithinDurationf(t, pat.CreatedAt, savePAT.CreatedAt.UTC(), time.Millisecond, "CreatedAt should be equal")
+	require.WithinDurationf(t, pat.LastUsed, savePAT.LastUsed.UTC(), time.Millisecond, "LastUsed should be equal")
+}
+
+func TestSqlStore_DeletePAT(t *testing.T) {
+	store, cleanup, err := NewTestStoreFromSQL(context.Background(), "testdata/extended-store.sql", t.TempDir())
+	t.Cleanup(cleanup)
+	require.NoError(t, err)
+
+	userID := "f4f6d672-63fb-11ec-90d6-0242ac120003"
+	patID := "9dj38s35-63fb-11ec-90d6-0242ac120003"
+
+	err = store.DeletePAT(context.Background(), LockingStrengthUpdate, userID, patID)
+	require.NoError(t, err)
+
+	pat, err := store.GetPATByID(context.Background(), LockingStrengthShare, userID, patID)
+	require.Error(t, err)
+	require.Nil(t, pat)
+}
diff --git a/management/server/testdata/store.sql b/management/server/testdata/store.sql
index 168973cad..2c55e2e31 100644
--- a/management/server/testdata/store.sql
+++ b/management/server/testdata/store.sql
@@ -25,7 +25,7 @@ CREATE INDEX `idx_routes_account_id` ON `routes`(`account_id`);
 CREATE INDEX `idx_name_server_groups_account_id` ON `name_server_groups`(`account_id`);
 CREATE INDEX `idx_posture_checks_account_id` ON `posture_checks`(`account_id`);
 
-INSERT INTO accounts VALUES('bf1c8084-ba50-4ce7-9439-34653001fc3b','','2024-10-02 16:03:06.778746+02:00','test.com','private',1,'af1c8024-ha40-4ce2-9418-34653101fc3c','{"IP":"100.64.0.0","Mask":"//8AAA=="}','',0,'[]',0,86400000000000,0,0,0,'',NULL,NULL,NULL);
+INSERT INTO accounts VALUES('bf1c8084-ba50-4ce7-9439-34653001fc3b','edafee4e-63fb-11ec-90d6-0242ac120003','2024-10-02 16:03:06.778746+02:00','test.com','private',1,'af1c8024-ha40-4ce2-9418-34653101fc3c','{"IP":"100.64.0.0","Mask":"//8AAA=="}','',0,'[]',0,86400000000000,0,0,0,'',NULL,NULL,NULL);
 INSERT INTO "groups" VALUES('cs1tnh0hhcjnqoiuebeg','bf1c8084-ba50-4ce7-9439-34653001fc3b','All','api','[]',0,'');
 INSERT INTO setup_keys VALUES('','bf1c8084-ba50-4ce7-9439-34653001fc3b','A2C8E62B-38F5-4553-B31E-DD66C696CEBB','Default key','reusable','2021-08-19 20:46:20.005936822+02:00','2321-09-18 20:46:20.005936822+02:00','2021-08-19 20:46:20.005936822+02:00',0,0,'0001-01-01 00:00:00+00:00','["cs1tnh0hhcjnqoiuebeg"]',0,0);
 INSERT INTO users VALUES('edafee4e-63fb-11ec-90d6-0242ac120003','bf1c8084-ba50-4ce7-9439-34653001fc3b','admin',0,0,'','[]',0,'0001-01-01 00:00:00+00:00','2024-10-02 16:03:06.779156+02:00','api',0,'');
diff --git a/management/server/user_test.go b/management/server/user_test.go
index c599f6331..2f8c1bf70 100644
--- a/management/server/user_test.go
+++ b/management/server/user_test.go
@@ -786,7 +786,7 @@ func TestUser_DeleteUser_RegularUsers(t *testing.T) {
 		{
 			name:               "Delete non-existent user",
 			userIDs:            []string{"non-existent-user"},
-			expectedReasons:    []string{"target user: non-existent-user not found"},
+			expectedReasons:    []string{"user: non-existent-user not found"},
 			expectedNotDeleted: []string{},
 		},
 		{