diff --git a/pkg/web/handler/core.go b/pkg/web/handler/core.go
new file mode 100644
index 000000000..b4cfb9d29
--- /dev/null
+++ b/pkg/web/handler/core.go
@@ -0,0 +1,68 @@
+// Vikunja is a to-do list application to facilitate your life.
+// Copyright 2018-present Vikunja and contributors. All rights reserved.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package handler
+
+import (
+	"context"
+	"net/http"
+
+	"code.vikunja.io/api/pkg/db"
+	"code.vikunja.io/api/pkg/events"
+	"code.vikunja.io/api/pkg/log"
+	"code.vikunja.io/api/pkg/web"
+
+	"github.com/labstack/echo/v5"
+)
+
+// DoCreate runs the permission check + model Create + commit pipeline for a
+// CObject. Framework-agnostic: callable from both Echo (CreateWeb) and Huma.
+// Caller is responsible for body/path binding and validation before calling.
+func DoCreate(_ context.Context, obj CObject, a web.Auth) error {
+	s := db.NewSession()
+	defer func() {
+		if err := s.Close(); err != nil {
+			log.Errorf("Could not close session: %s", err)
+		}
+	}()
+
+	canCreate, err := obj.CanCreate(s, a)
+	if err != nil {
+		_ = s.Rollback()
+		events.CleanupPending(s)
+		return err
+	}
+	if !canCreate {
+		_ = s.Rollback()
+		events.CleanupPending(s)
+		log.Warningf("Tried to create while not having the permissions for it (User: %v)", a)
+		return echo.NewHTTPError(http.StatusForbidden, "Forbidden")
+	}
+
+	if err := obj.Create(s, a); err != nil {
+		_ = s.Rollback()
+		events.CleanupPending(s)
+		return err
+	}
+
+	if err := s.Commit(); err != nil {
+		events.CleanupPending(s)
+		return err
+	}
+
+	events.DispatchPending(s)
+	return nil
+}
diff --git a/pkg/web/handler/core_test.go b/pkg/web/handler/core_test.go
new file mode 100644
index 000000000..c21578914
--- /dev/null
+++ b/pkg/web/handler/core_test.go
@@ -0,0 +1,42 @@
+// Vikunja is a to-do list application to facilitate your life.
+// Copyright 2018-present Vikunja and contributors. All rights reserved.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package handler
+
+import (
+	"context"
+	"testing"
+
+	"code.vikunja.io/api/pkg/db"
+	"code.vikunja.io/api/pkg/models"
+	"code.vikunja.io/api/pkg/user"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// TestDoCreate_HappyPath creates a label through the framework-agnostic
+// core and proves the row lands in the DB.
+func TestDoCreate_HappyPath(t *testing.T) {
+	db.LoadAndAssertFixtures(t)
+	u := &user.User{ID: 1}
+
+	label := &models.Label{Title: "spike-label"}
+	err := DoCreate(context.Background(), label, u)
+	require.NoError(t, err)
+	assert.NotZero(t, label.ID)
+	assert.Equal(t, int64(1), label.CreatedByID)
+}
diff --git a/pkg/web/handler/create.go b/pkg/web/handler/create.go
index 5f2bd5acd..31c9d17a3 100644
--- a/pkg/web/handler/create.go
+++ b/pkg/web/handler/create.go
@@ -21,8 +21,6 @@ import (
 	"fmt"
 	"net/http"
 
-	"code.vikunja.io/api/pkg/db"
-	"code.vikunja.io/api/pkg/events"
 	"code.vikunja.io/api/pkg/log"
 	"code.vikunja.io/api/pkg/models"
 	"code.vikunja.io/api/pkg/modules/auth"
@@ -56,44 +54,9 @@ func (c *WebHandler) CreateWeb(ctx *echo.Context) error {
 		return echo.NewHTTPError(http.StatusInternalServerError, "Could not determine the current user.").Wrap(err)
 	}
 
-	// Create the db session
-	s := db.NewSession()
-	defer func() {
-		err = s.Close()
-		if err != nil {
-			log.Errorf("Could not close session: %s", err)
-		}
-	}()
-
-	// Check permissions
-	canCreate, err := currentStruct.CanCreate(s, currentAuth)
-	if err != nil {
-		_ = s.Rollback()
-		events.CleanupPending(s)
+	if err := DoCreate(ctx.Request().Context(), currentStruct, currentAuth); err != nil {
 		return err
 	}
-	if !canCreate {
-		_ = s.Rollback()
-		events.CleanupPending(s)
-		log.Warningf("Tried to create while not having the permissions for it (User: %v)", currentAuth)
-		return echo.NewHTTPError(http.StatusForbidden, "Forbidden")
-	}
-
-	// Create
-	err = currentStruct.Create(s, currentAuth)
-	if err != nil {
-		_ = s.Rollback()
-		events.CleanupPending(s)
-		return err
-	}
-
-	err = s.Commit()
-	if err != nil {
-		events.CleanupPending(s)
-		return err
-	}
-
-	events.DispatchPending(s)
 
 	return ctx.JSON(http.StatusCreated, currentStruct)
 }