diff --git a/crates/common/src/auth/user.rs b/crates/common/src/auth/user.rs
index ca3d5c7..ab028d4 100644
--- a/crates/common/src/auth/user.rs
+++ b/crates/common/src/auth/user.rs
@@ -17,7 +17,6 @@
 
 use std::fmt;
 use time::OffsetDateTime;
-use uuid::Uuid;
 
 #[derive(Clone, Debug, Eq, PartialEq)]
 pub struct User {
@@ -43,12 +42,10 @@ impl fmt::Display for User {
 }
 
 impl User {
-    pub(crate) fn new(email: String) -> User {
+    pub(crate) fn new() -> User {
         User {
-            uuid: Uuid::parse_str("808c78e4-34bc-486a-902f-929e8b146d20")
-                .unwrap()
-                .to_string(),
-            email,
+            uuid: "808c78e4-34bc-486a-902f-929e8b146d20".to_string(),
+            email: "noreply@photos.network".to_string(),
             password: Option::None,
             lastname: Option::None,
             firstname: Option::None,
diff --git a/crates/common/src/http/extractors/optuser.rs b/crates/common/src/http/extractors/optuser.rs
index 64a75c1..1f2981d 100644
--- a/crates/common/src/http/extractors/optuser.rs
+++ b/crates/common/src/http/extractors/optuser.rs
@@ -41,7 +41,7 @@ where
                 let _auth_token = header.to_str().ok();
 
                 // TODO: verify auth token
-                Some(Self(Some(User::new("info@photos.network".to_string()))))
+                Some(Self(Some(User::new())))
             })
             .ok_or("".to_string())
     }
diff --git a/crates/common/src/http/extractors/user.rs b/crates/common/src/http/extractors/user.rs
index 2803b6f..5a9268e 100644
--- a/crates/common/src/http/extractors/user.rs
+++ b/crates/common/src/http/extractors/user.rs
@@ -40,7 +40,7 @@ where
             .ok_or((StatusCode::UNAUTHORIZED, "Unauthorized"))?;
 
         // TODO: get user for Authtoken
-        Ok(User::new("info@photos.network".to_string()))
+        Ok(User::new())
         // TODO: verify Token
         //        verify_auth_token(auth_header)
         //            .await
diff --git a/crates/database/src/sqlite.rs b/crates/database/src/sqlite.rs
index 72e242b..3e7c5a1 100644
--- a/crates/database/src/sqlite.rs
+++ b/crates/database/src/sqlite.rs
@@ -77,10 +77,9 @@ impl Database for SqliteDatabase {
 
     async fn create_user(&self, user: &User) -> Result<()> {
         let query = "INSERT INTO users (uuid, email, password, lastname, firstname) VALUES ($1, $2, $3, $4, $5)";
-        let id = Uuid::new_v4().hyphenated().to_string();
-        info!("create new user with id `{}`.", id);
+        info!("create new user with id `{}`.", &user.uuid);
         sqlx::query(query)
-            .bind(id)
+            .bind(&user.uuid)
             .bind(&user.email)
             .bind(&user.password)
             .bind(&user.lastname)
diff --git a/crates/media/src/api/routes/post_media.rs b/crates/media/src/api/routes/post_media.rs
index d33c60a..8a65065 100644
--- a/crates/media/src/api/routes/post_media.rs
+++ b/crates/media/src/api/routes/post_media.rs
@@ -84,7 +84,7 @@ pub(crate) async fn post_media(
             );
 
             Ok((
-                StatusCode::OK,
+                StatusCode::CREATED,
                 Json(ResponseId {
                     id: uuid.hyphenated().to_string(),
                 }),
diff --git a/crates/media/src/api/routes/post_media_id.rs b/crates/media/src/api/routes/post_media_id.rs
index 54373a9..a8cb977 100644
--- a/crates/media/src/api/routes/post_media_id.rs
+++ b/crates/media/src/api/routes/post_media_id.rs
@@ -21,12 +21,14 @@
 use axum::extract::{Multipart, Path, State};
 use axum::http::StatusCode;
 use axum::response::{IntoResponse, Redirect};
+use axum::Json;
 use common::auth::user::User;
 use tracing::{debug, info};
 use uuid::Uuid;
 
 use bytes::Bytes;
 
+use crate::api::routes::post_media::ResponseId;
 use crate::data::error::DataAccessError;
 use crate::repository::MediaRepositoryState;
 
@@ -71,7 +73,13 @@ pub(crate) async fn post_media_id(
         Ok(uuid) => {
             debug!("reference added. uuid={}", uuid.hyphenated().to_string());
 
-            Ok(uuid.hyphenated().to_string().into_response())
+            Ok((
+                StatusCode::CREATED,
+                Json(ResponseId {
+                    id: uuid.hyphenated().to_string(),
+                }),
+            )
+                .into_response())
         }
         Err(error) => match error {
             DataAccessError::AlreadyExist(id) => {
diff --git a/crates/media/src/repository.rs b/crates/media/src/repository.rs
index d4500e0..ac847e0 100644
--- a/crates/media/src/repository.rs
+++ b/crates/media/src/repository.rs
@@ -27,8 +27,7 @@ use std::fs;
 use std::path::Path;
 use std::sync::Arc;
 use time::OffsetDateTime;
-use tracing::log::warn;
-use tracing::{debug, info};
+use tracing::{debug, error, info, warn};
 use uuid::Uuid;
 
 #[allow(dead_code)]
@@ -112,6 +111,7 @@ impl MediaRepositoryTrait for MediaRepository {
         name: String,
         date_taken: OffsetDateTime,
     ) -> Result<Uuid, DataAccessError> {
+        debug!("user_id: {}", user_id.clone().hyphenated().to_string());
         let db_result = &self
             .database
             .create_media_item(
@@ -143,6 +143,7 @@ impl MediaRepositoryTrait for MediaRepository {
 
         info!("target {}", path.clone().to_str().unwrap().to_string());
         debug!("got {} bytes to handle", bytes.len());
+        let size = bytes.len();
 
         let file_result = tokio::fs::write(&path.join(&name), &bytes).await;
         match file_result {
@@ -161,16 +162,30 @@ impl MediaRepositoryTrait for MediaRepository {
             uuid: Uuid::new_v4().hyphenated().to_string(),
             filepath: path.clone().to_str().unwrap().to_string(),
             filename: name.to_string(),
-            size: 0u64,
+            size: size.try_into().unwrap(),
             description: "",
             last_modified: OffsetDateTime::now_utc(),
             is_missing: false,
         };
-        let _ = &self
+        let db_result = &self
             .database
-            .add_reference(media_id, name.as_str(), &reference)
+            .add_reference(
+                user_id.hyphenated().to_string().as_str(),
+                media_id,
+                &reference,
+            )
             .await;
-        Err(DataAccessError::OtherError)
+
+        match db_result {
+            Ok(uuid) => {
+                info!("added reference with id {}", uuid.clone());
+                Ok(Uuid::parse_str(uuid.as_str()).unwrap())
+            }
+            Err(e) => {
+                error!("Could not write reference to database! {:?}", e);
+                Err(DataAccessError::OtherError)
+            }
+        }
     }
 }
 
diff --git a/documentation/http/DSC_1234.NEF b/documentation/end-to-end/DSC_1234.NEF
similarity index 100%
rename from documentation/http/DSC_1234.NEF
rename to documentation/end-to-end/DSC_1234.NEF
diff --git a/documentation/end-to-end/file_upload.hurl b/documentation/end-to-end/file_upload.hurl
new file mode 100644
index 0000000..51c259d
--- /dev/null
+++ b/documentation/end-to-end/file_upload.hurl
@@ -0,0 +1,35 @@
+# create a new media item
+POST http://127.0.0.1:7777/media
+Authorization: FakeToken
+
+[MultipartFormData]
+name: DSC_1234
+date_taken: 1985-04-12T23:20:50.52Z
+
+HTTP 201
+
+[Asserts]
+jsonpath "$.id" != null
+
+[Captures]
+media_id: jsonpath "$.id"
+
+
+# upload reference to media item
+POST http://127.0.0.1:7777/media/{{media_id}}
+Authorization: FakeToken
+
+[MultipartFormData]
+name: DSC_1234.NEF
+file: file,DSC_1234.NEF;
+
+HTTP 201
+
+
+# check media item
+GET http://127.0.0.1:7777/media/{{media_id}}
+Authorization: FakeToken
+
+HTTP 200
+[Asserts]
+jsonpath "$.{{media_id}}.references" count == 1
diff --git a/documentation/http/get_media.hurl b/documentation/http/get_media.hurl
deleted file mode 100644
index 5abaa98..0000000
--- a/documentation/http/get_media.hurl
+++ /dev/null
@@ -1,5 +0,0 @@
-GET http://127.0.0.1:7777/media
-Authorization: FakeToken
-
-HTTP 200
-
diff --git a/documentation/http/post_media.hurl b/documentation/http/post_media.hurl
deleted file mode 100644
index 087391b..0000000
--- a/documentation/http/post_media.hurl
+++ /dev/null
@@ -1,12 +0,0 @@
-POST http://127.0.0.1:7777/media
-Authorization: FakeToken
-Connection: Keep-Alive
-
-[MultipartFormData]
-name: DSC_1234
-date_taken: 1985-04-12T23:20:50.52Z
-
-HTTP 200
-
-[Asserts]
-jsonpath "$.id" != null
diff --git a/documentation/http/post_media_id.hurl b/documentation/http/post_media_id.hurl
deleted file mode 100644
index 66f6fd6..0000000
--- a/documentation/http/post_media_id.hurl
+++ /dev/null
@@ -1,9 +0,0 @@
-POST http://127.0.0.1:7777/media/75889665-7df3-4edd-8b15-d80819f7a17
-Authorization: FakeToken
-Connection: Keep-Alive
-
-[MultipartFormData]
-name: DSC_1234.NEF
-file: file,DSC_1234.NEF;
-
-HTTP 200
diff --git a/src/lib.rs b/src/lib.rs
index adbd3ed..09a80f1 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -114,16 +114,13 @@ pub async fn start_server() -> Result<()> {
     let users = db.get_users().await?;
     if users.is_empty() {
         info!("No user found, create a default admin user. Please check `data/credentials.txt` for details.");
-        let default_user = "photo@photos.network";
+        let default_user = "noreply@photos.network";
         let default_pass = "unsecure";
         let path = Path::new(DATA_PATH).join("credentials.txt");
         let _ = fs::write(path, format!("{}\n{}", default_user, default_pass));
-        // let mut output = File::create(path)?;
-        // let line = "hello";
-        // write!(output, "{}\n{}", default_user, default_pass);
 
         let user = User {
-            uuid: "".to_string(),
+            uuid: "808c78e4-34bc-486a-902f-929e8b146d20".to_string(),
             email: default_user.to_string(),
             password: Some(default_pass.to_string()),
             lastname: Some("Admin".to_string()),
@@ -260,7 +257,7 @@ async fn status() -> Json<Status> {
 
     // TODO: print loaded plugins from appState
     let status = Status {
-        message: String::from("API running"),
+        message: String::from("API running."),
     };
     Json(status)
 }