diff --git a/src/api/client/alias.rs b/src/api/client/alias.rs
index 319e5141..9cd7e0c5 100644
--- a/src/api/client/alias.rs
+++ b/src/api/client/alias.rs
@@ -92,7 +92,7 @@ pub(crate) async fn get_alias_route(
 
 	let Ok((room_id, servers)) = services.rooms.alias.resolve_alias(&room_alias, None).await
 	else {
-		return Err!(Request(NotFound("Room with alias not found.")));
+		return Err!(Request(Unknown("Room with alias not found.")));
 	};
 
 	let servers = room_available_servers(&services, &room_id, &room_alias, servers).await;
diff --git a/src/api/client/context.rs b/src/api/client/context.rs
index 3f16c850..cb95dfef 100644
--- a/src/api/client/context.rs
+++ b/src/api/client/context.rs
@@ -1,6 +1,6 @@
 use axum::extract::State;
 use conduwuit::{
-	Err, PduEvent, Result, at, err, ref_at,
+	Err, PduEvent, Result, at, debug_warn, err, ref_at,
 	utils::{
 		IterStream,
 		future::TryExtExt,
@@ -35,8 +35,13 @@ pub(crate) async fn get_context_route(
 	let sender = body.sender();
 	let (sender_user, sender_device) = sender;
 	let room_id = &body.room_id;
+	let event_id = &body.event_id;
 	let filter = &body.filter;
 
+	if !services.rooms.metadata.exists(room_id).await {
+		return Err!(Request(Forbidden("Room does not exist to this server")));
+	}
+
 	// Use limit or else 10, with maximum 100
 	let limit: usize = body
 		.limit
@@ -47,29 +52,30 @@ pub(crate) async fn get_context_route(
 	let base_id = services
 		.rooms
 		.timeline
-		.get_pdu_id(&body.event_id)
+		.get_pdu_id(event_id)
 		.map_err(|_| err!(Request(NotFound("Event not found."))));
 
 	let base_pdu = services
 		.rooms
 		.timeline
-		.get_pdu(&body.event_id)
+		.get_pdu(event_id)
 		.map_err(|_| err!(Request(NotFound("Base event not found."))));
 
 	let visible = services
 		.rooms
 		.state_accessor
-		.user_can_see_event(sender_user, &body.room_id, &body.event_id)
+		.user_can_see_event(sender_user, room_id, event_id)
 		.map(Ok);
 
 	let (base_id, base_pdu, visible) = try_join3(base_id, base_pdu, visible).await?;
 
-	if base_pdu.room_id != body.room_id || base_pdu.event_id != body.event_id {
+	if base_pdu.room_id != *room_id || base_pdu.event_id != *event_id {
 		return Err!(Request(NotFound("Base event not found.")));
 	}
 
 	if !visible {
-		return Err!(Request(Forbidden("You don't have permission to view this event.")));
+		debug_warn!(req_evt = ?event_id, ?base_id, ?room_id, "Event requested by {sender_user} but is not allowed to see it, returning 404");
+		return Err!(Request(NotFound("Event not found.")));
 	}
 
 	let base_count = base_id.pdu_count();
diff --git a/src/api/client/state.rs b/src/api/client/state.rs
index c92091eb..d04aac35 100644
--- a/src/api/client/state.rs
+++ b/src/api/client/state.rs
@@ -27,7 +27,7 @@ pub(crate) async fn send_state_event_for_key_route(
 	State(services): State<crate::State>,
 	body: Ruma<send_state_event::v3::Request>,
 ) -> Result<send_state_event::v3::Response> {
-	let sender_user = body.sender_user.as_ref().expect("user is authenticated");
+	let sender_user = body.sender_user();
 
 	Ok(send_state_event::v3::Response {
 		event_id: send_state_event_for_key_helper(
@@ -103,7 +103,7 @@ pub(crate) async fn get_state_events_for_key_route(
 	State(services): State<crate::State>,
 	body: Ruma<get_state_events_for_key::v3::Request>,
 ) -> Result<get_state_events_for_key::v3::Response> {
-	let sender_user = body.sender_user.as_ref().expect("user is authenticated");
+	let sender_user = body.sender_user();
 
 	if !services
 		.rooms
@@ -111,7 +111,9 @@ pub(crate) async fn get_state_events_for_key_route(
 		.user_can_see_state_events(sender_user, &body.room_id)
 		.await
 	{
-		return Err!(Request(Forbidden("You don't have permission to view the room state.")));
+		return Err!(Request(NotFound(debug_warn!(
+			"You don't have permission to view the room state."
+		))));
 	}
 
 	let event = services
@@ -316,14 +318,14 @@ async fn allowed_to_send_state_event(
 							services.rooms.alias.resolve_alias(&alias, None).await?;
 
 						if alias_room_id != room_id {
-							return Err!(Request(Forbidden(
+							return Err!(Request(Unknown(
 								"Room alias {alias} does not belong to room {room_id}"
 							)));
 						}
 					}
 				},
 				| Err(e) => {
-					return Err!(Request(BadJson(debug_warn!(
+					return Err!(Request(InvalidParam(debug_warn!(
 						"Room canonical alias event is invalid: {e}"
 					))));
 				},