diff --git a/cannamanage-api/src/main/java/de/cannamanage/api/controller/ConsentController.java b/cannamanage-api/src/main/java/de/cannamanage/api/controller/ConsentController.java
index d327764..1362df8 100644
--- a/cannamanage-api/src/main/java/de/cannamanage/api/controller/ConsentController.java
+++ b/cannamanage-api/src/main/java/de/cannamanage/api/controller/ConsentController.java
@@ -78,10 +78,21 @@ public class ConsentController {
     }
 
     private UUID resolveUserId(Authentication auth) {
-        String email = auth.getName();
-        return userRepository.findByEmailAndTenantId(email, TenantContext.getCurrentTenant())
-                .map(User::getId)
-                .orElseThrow(() -> new ResponseStatusException(NOT_FOUND, "User not found"));
+        // JwtAuthFilter sets the Authentication principal to the userId (the JWT subject),
+        // so auth.getName() is the userId UUID — NOT an email. Parse it directly and verify
+        // the user exists in the current tenant. (Previously this did findByEmailAndTenantId
+        // on auth.getName(), which searched the email column for a UUID → always "User not
+        // found" → 404/500 on every consent call.)
+        UUID userId;
+        try {
+            userId = UUID.fromString(auth.getName());
+        } catch (IllegalArgumentException e) {
+            throw new ResponseStatusException(NOT_FOUND, "User not found");
+        }
+        if (!userRepository.existsById(userId)) {
+            throw new ResponseStatusException(NOT_FOUND, "User not found");
+        }
+        return userId;
     }
 
     private ConsentResponse toResponse(Consent consent) {
diff --git a/cannamanage-api/src/main/java/de/cannamanage/api/controller/DsgvoController.java b/cannamanage-api/src/main/java/de/cannamanage/api/controller/DsgvoController.java
index 345c582..1ffee39 100644
--- a/cannamanage-api/src/main/java/de/cannamanage/api/controller/DsgvoController.java
+++ b/cannamanage-api/src/main/java/de/cannamanage/api/controller/DsgvoController.java
@@ -54,9 +54,17 @@ public class DsgvoController {
     }
 
     private UUID resolveUserId(Authentication auth) {
-        String email = auth.getName();
-        return userRepository.findByEmailAndTenantId(email, TenantContext.getCurrentTenant())
-                .map(User::getId)
-                .orElseThrow(() -> new ResponseStatusException(NOT_FOUND, "User not found"));
+        // JwtAuthFilter sets the Authentication principal to the userId (the JWT subject),
+        // so auth.getName() is the userId UUID — NOT an email. Parse it directly.
+        UUID userId;
+        try {
+            userId = UUID.fromString(auth.getName());
+        } catch (IllegalArgumentException e) {
+            throw new ResponseStatusException(NOT_FOUND, "User not found");
+        }
+        if (!userRepository.existsById(userId)) {
+            throw new ResponseStatusException(NOT_FOUND, "User not found");
+        }
+        return userId;
     }
 }