diff --git a/server/utils/dto.ts b/server/utils/dto.ts
index 035333a..2fa93ec 100644
--- a/server/utils/dto.ts
+++ b/server/utils/dto.ts
@@ -7,6 +7,7 @@ export interface TaskDto {
 description: string | null;
 source: string;
 consumed: boolean;
+ ownerId: string | null;
 createdAt: string;
 }
@@ -18,6 +19,7 @@ export function toTaskDto(row: TaskRow): TaskDto {
 description: row.description,
 source: row.source,
 consumed: row.consumed,
+ ownerId: row.owner_id,
 createdAt: new Date(row.created_at).toISOString(),
 };
 }
diff --git a/server/utils/session.ts b/server/utils/session.ts
new file mode 100644
index 0000000..d4a7da6
--- /dev/null
+++ b/server/utils/session.ts
@@ -0,0 +1,10 @@
+import { createError, type H3Event } from "h3";
+
+/** The authenticated caller's Zitadel sub — the ownership key for all row scoping. */
+export function ownerOf(event: H3Event): string {
+ const sub = (event.context.user as { sub?: unknown } | undefined)?.sub;
+ if (typeof sub !== "string" || !sub) {
+ throw createError({ statusCode: 401, statusMessage: "Unauthorized" });
+ }
+ return sub;
+}
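Review bot: The new `ownerId` field in `TaskDto`, filled by `ownerId: row.owner_id` in `toTaskDto` (both hunks of server/utils/dto.ts), serialises the raw ownership key into every task response, and session.ts in this same diff says that key is the user's Zitadel sub. If reads are always scoped to the caller, the field only echoes the caller's own identifier. If any route returns rows across owners, it hands out other users' identity-provider subject ids. Nothing visible here shows which case holds, so I would either keep the value server-side or document the intent on the field, for example `/** Owner's Zitadel sub; null when the row has no owner. */`. How unowned (`null`) rows are treated by the scoping queries should also be stated somewhere, since the DTO now makes that state visible to clients. `toTaskDto`'s body starts outside the hunk.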
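Review bot: `ownerOf` in server/utils/session.ts checks only the shape of `event.context.user` (the cast to `{ sub?: unknown }` plus the non-empty-string test), so the ownership key is exactly as trustworthy as whatever populates `context.user`, and that code is not part of this diff. The doc comment should state the precondition, for example `/** Requires the auth middleware to have verified the token and set event.context.user; throws 401 otherwise. */`. An OIDC `sub` is unique only within its issuer, so if a second issuer is ever accepted the key needs to become issuer plus sub rather than `sub` alone. A whitespace-only `sub` also passes the `!sub` test; `!sub.trim()` would reject it.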