diff --git a/src/ApiKernel.php b/src/ApiKernel.php
index 2b6666a..dd29714 100644
--- a/src/ApiKernel.php
+++ b/src/ApiKernel.php
@@ -1863,6 +1863,7 @@ class ApiKernel
 private function getCustomerSettings(int $customerId): array
 {
 if ($customerId <= 0) return [];
+ $this->ensureCustomerSettingsTableExists();
 $table = $this->customerSettingsTable();
 $stmt = $this->pdo->prepare("SELECT * FROM `$table` WHERE `customer_id` = :id LIMIT 1");
 $stmt->execute([':id' => $customerId]);
@@ -1873,6 +1874,7 @@ class ApiKernel
 private function saveCustomerSettings(int $customerId, array $data): array
 {
 if ($customerId <= 0) return [];
+ $this->ensureCustomerSettingsTableExists();
 $allowed = ['bridge_url', 'bridge_token', 'sender_token', 'external_api_token', 'bridge_tables'];
 $fields = array_intersect_key($data, array_flip($allowed));
 if (!$fields) return $this->getCustomerSettings($customerId);
@@ -1990,6 +1992,29 @@ class ApiKernel
 return 'emailtemplate_customer_settings';
 }

+ private function ensureCustomerSettingsTableExists(): void
+ {
+ $table = $this->customerSettingsTable();
+ if ($this->tableExists($table)) {
+ return;
+ }
+ $sql = <<pdo->exec($sql);
+ $this->tableExistsCache[$table] = true;
+ }
+
 private function generateToken(int $length = 48): string
 {
 return rtrim(strtr(base64_encode(random_bytes($length)), '+/', '-_'), '=');
@@ -2215,13 +2240,14 @@ class ApiKernel
 return password_hash($password, PASSWORD_DEFAULT);
 }

- private function ensureOwner(array $user): void
+ private function ensureOwner(array &$user): void
 {
 $this->ensureRole($user, ['owner']);
 }

- private function ensureRole(array $user, array $roles): void
+ private function ensureRole(array &$user, array $roles): void
 {
+ $user = $this->ensureAuthUserHydrated($user);
 $role = strtolower((string)($user['role'] ?? ''));
 $allowed = array_values(array_unique(array_map('strtolower', $roles)));
 if (!in_array($role, $allowed, true)) {
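Review bot: The new `$this->ensureCustomerSettingsTableExists();` call in getCustomerSettings (and the identical one in saveCustomerSettings in the next hunk) puts schema creation on the request path, so the database account behind `$this->pdo` must hold CREATE privilege at runtime rather than only read/write access to this table. If the backticked identifiers mean this is MySQL, a CREATE TABLE also commits implicitly, which would silently end any transaction a caller has open around a save. Creating the table in a migration or install step would keep the web account least-privileged; if the lazy create stays, a comment such as `// lazy schema bootstrap: needs CREATE privilege; do not call inside a transaction` above each call would record the constraint. Both method bodies continue outside their hunks.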
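Review bot: In ensureCustomerSettingsTableExists the result of `$this->pdo->exec($sql)` is discarded and `$this->tableExistsCache[$table] = true;` runs unconditionally, so if this PDO handle is not in exception mode a failed CREATE is cached as success and later queries hit a missing table. Checking the result closes that gap: `if ($this->pdo->exec($sql) === false) { throw new \RuntimeException('customer settings table could not be created'); }`. The check-then-create sequence can also race between two first requests, so the statement should be idempotent (`CREATE TABLE IF NOT EXISTS`); the heredoc text is not legible on this page, so that could not be confirmed. The allowlist in saveCustomerSettings suggests this table holds credentials (`bridge_token`, `sender_token`, `external_api_token`), which a short docblock on this method should state so the table gets the matching access and backup handling.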
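Review bot: ensureRole now overwrites the caller's `$user` through the new `array &$user` parameter as a side effect of an authorization check, and neither ensureOwner nor ensureRole carries a docblock saying so. A by-reference parameter also means every call site must pass a variable, so an existing call that passes a function result or an expression (constructed example: `$this->ensureOwner($this->currentUser())`) would now raise a notice or a fatal error; the call sites are outside this hunk and should be checked. I would add a docblock on both methods along the lines of `@param array $user auth user; replaced in place with the hydrated record before the role is checked`. It is also worth confirming that ensureAuthUserHydrated (not shown here) takes `role` from the stored account rather than keeping a value already present in the array, since that value decides the check. ensureRole's body continues past the end of the hunk.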