diff --git a/controllers/userController.go b/controllers/userController.go
new file mode 100644
index 0000000..7c76033
--- /dev/null
+++ b/controllers/userController.go
@@ -0,0 +1,144 @@
+package controllers
+
+import(
+	"os"
+	"time"
+	"net/http"
+	"golang.org/x/crypto/bcrypt"
+
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/gin-gonic/gin"
+	"gorm.io/gorm"
+
+	"example.com/gin/test/models"
+)	
+
+
+type UserController struct {
+	DB *gorm.DB
+}
+
+func NewUserController(db *gorm.DB) UserController {
+	return UserController{
+		DB: db,
+	}
+}
+
+
+func (uc *UserController) Signup(c *gin.Context) {
+	//Get the email/passwd off req body
+	var body struct {
+		Email string
+		Password string
+	}
+
+	err := c.Bind(&body)
+
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{
+			"error": "Failed to read body",
+		})
+
+		return
+	}
+
+	//hash pw
+	hash, err := bcrypt.GenerateFromPassword([]byte(body.Password), 10)
+
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{
+			"error": "Failed to hash password",
+		})
+
+		return
+	}
+
+	//create user
+	user := models.User{Email: body.Email, Password: string(hash)}
+	result := uc.DB.Create(&user)
+
+	if result.Error != nil {
+		c.JSON(http.StatusBadRequest, gin.H{
+			"error": "Failed to create user",
+		})
+
+		return
+	}
+
+
+	//respond
+	c.JSON(http.StatusOK, gin.H{})
+}
+
+
+func (uc *UserController) Login(c *gin.Context) {
+	//Get the email/passwd off req body
+	var body struct {
+		Email string
+		Password string
+	}
+
+	err := c.Bind(&body)
+
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{
+			"error": "Failed to read body",
+		})
+
+		return
+	}
+
+	//lookup requested user
+	var user models.User
+	result := uc.DB.First(&user, "email = ?", body.Email)
+
+	if result.Error != nil {
+		c.JSON(http.StatusBadRequest, gin.H{
+			"error": "Invalid email or password",
+		})
+
+		return
+	}
+
+	// compare sent with saved pass
+	err = bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(body.Password))
+
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{
+			"error": "Invalid email or password",
+		})
+
+		return
+	}
+
+	//generate jwt token
+	token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
+		"sub": user.ID,
+		"exp": time.Now().Add(time.Hour * 24).Unix(),
+	})
+
+	// Sign and get the complete encoded token as a string using the secret
+	tokenString, err := token.SignedString([]byte(os.Getenv("SECRET")))
+
+	if err != nil {
+		c.JSON(http.StatusBadRequest, gin.H{
+			"error": "Failed to create token",
+		})
+
+		return
+	}
+
+	// send it back
+	c.SetSameSite(http.SameSiteLaxMode)
+	c.SetCookie("Authorization", tokenString, 3600 * 24, "", "", false, true)
+
+	c.JSON(http.StatusOK, gin.H{})
+}
+
+func (uc *UserController) Validate(c *gin.Context) {
+	user, _ := c.Get("user")
+
+	c.JSON(http.StatusOK, gin.H{
+		"message": user,
+	})
+}
diff --git a/go.mod b/go.mod
index a189d94..3024fee 100644
--- a/go.mod
+++ b/go.mod
@@ -4,6 +4,9 @@ go 1.23.3
 
 require (
 	github.com/gin-gonic/gin v1.10.0
+	github.com/golang-jwt/jwt/v5 v5.2.1
+	github.com/joho/godotenv v1.5.1
+	golang.org/x/crypto v0.23.0
 	gorm.io/driver/sqlite v1.5.7
 	gorm.io/gorm v1.25.12
 )
@@ -32,7 +35,6 @@ require (
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
 	github.com/ugorji/go/codec v1.2.12 // indirect
 	golang.org/x/arch v0.8.0 // indirect
-	golang.org/x/crypto v0.23.0 // indirect
 	golang.org/x/net v0.25.0 // indirect
 	golang.org/x/sys v0.20.0 // indirect
 	golang.org/x/text v0.15.0 // indirect
diff --git a/go.sum b/go.sum
index e44ef78..030a4a2 100644
--- a/go.sum
+++ b/go.sum
@@ -25,6 +25,8 @@ github.com/go-playground/validator/v10 v10.20.0 h1:K9ISHbSaI0lyB2eWMPJo+kOS/FBEx
 github.com/go-playground/validator/v10 v10.20.0/go.mod h1:dbuPbCMFw/DrkbEynArYaCwl3amGuJotoKCe95atGMM=
 github.com/goccy/go-json v0.10.2 h1:CrxCmQqYDkv1z7lO7Wbh2HN93uovUHgrECaO5ZrCXAU=
 github.com/goccy/go-json v0.10.2/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
+github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
+github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
@@ -32,6 +34,8 @@ github.com/jinzhu/inflection v1.0.0 h1:K317FqzuhWc8YvSVlFMCCUb36O/S9MCKRDI7QkRKD
 github.com/jinzhu/inflection v1.0.0/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkryuEj+Srlc=
 github.com/jinzhu/now v1.1.5 h1:/o9tlHleP7gOFmsnYNz3RGnqzefHA47wQpKrrdTIwXQ=
 github.com/jinzhu/now v1.1.5/go.mod h1:d3SSVoowX0Lcu0IBviAWJpolVfI5UJVZZ7cO71lE/z8=
+github.com/joho/godotenv v1.5.1 h1:7eLL/+HRGLY0ldzfGMeQkb7vMd0as4CfYvUVzLqw0N0=
+github.com/joho/godotenv v1.5.1/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwAbqwq4=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
diff --git a/main.go b/main.go
index fef2829..d25159c 100644
--- a/main.go
+++ b/main.go
@@ -4,23 +4,32 @@ import(
 	"os"
 	"io"
 	"net/http"
+	"fmt"
 
 	"gorm.io/gorm"
 	"gorm.io/driver/sqlite"
 	"github.com/gin-gonic/gin"
+	"github.com/joho/godotenv"
 
-	"example.com/gin/test/services"
 	"example.com/gin/test/controllers"
 	"example.com/gin/test/models"
-	//"example.com/gin/test/middlewares"
+	"example.com/gin/test/middlewares"
 )
 
 var(
-	videoService services.VideoService = services.New()
-	videoController controllers.VideoController = controllers.New(videoService)
 	roomController controllers.RoomController
+	userController controllers.UserController
+	autoValidator middlewares.AuthValidator
 )
 
+func LoadEnvVariables() {
+	err := godotenv.Load(".env")
+
+	if err != nil {
+		fmt.Println("Error loading .env file")
+	}
+}
+
 func setupLogOutput() {
 	f, _ := os.Create("gin.log")
 	gin.DefaultWriter = io.MultiWriter(f, os.Stdout)
@@ -35,7 +44,9 @@ func SetReply(ctx *gin.Context, err error, message any) {
 }
 
 func main() {
-	db, err := gorm.Open(sqlite.Open("test.db"), &gorm.Config{})
+	LoadEnvVariables()
+
+	db, err := gorm.Open(sqlite.Open(os.Getenv("SQLITE_DB")), &gorm.Config{})
 	if err != nil {
 		panic("failed to connect to database")
 	}
@@ -46,6 +57,8 @@ func main() {
 	}
 
 	roomController = controllers.NewRoomController(db)
+	userController = controllers.NewUserController(db)
+	authValidator := middlewares.AuthValidator{ DB: db, }
 
 	server := gin.New()
 	server.Use(gin.Recovery())
@@ -62,12 +75,11 @@ func main() {
 		apiRoutes.GET("/rooms/:id", roomController.GetById)
 		apiRoutes.PUT("/rooms/:id", roomController.Update)
 		apiRoutes.DELETE("/rooms/:id", roomController.Delete)
+
+		apiRoutes.POST("/users/signup", userController.Signup)
+		apiRoutes.POST("/users/login", userController.Login)
+		apiRoutes.GET("/users/validate", authValidator.RequireAuth, userController.Validate)
 	}
 
-	viewRoutes := server.Group("/")
-	{
-		viewRoutes.GET("/videos", videoController.ShowAll)
-	}
-
-	server.Run(":8080")
+	server.Run(":"+os.Getenv("PORT"))
 }
diff --git a/middlewares/requireAuth.go b/middlewares/requireAuth.go
new file mode 100644
index 0000000..442bc04
--- /dev/null
+++ b/middlewares/requireAuth.go
@@ -0,0 +1,70 @@
+package middlewares
+
+import(
+	"os"
+	"fmt"
+	"time"
+	"net/http"
+	"github.com/gin-gonic/gin"
+	"github.com/golang-jwt/jwt/v5"
+	"gorm.io/gorm"
+
+	"example.com/gin/test/models"
+)
+
+type AuthValidator struct {
+	DB *gorm.DB
+}
+
+func (av *AuthValidator) RequireAuth(c *gin.Context) {
+	// Get Cookie
+	tokenString, err := c.Cookie("Authorization")
+
+	if err != nil {
+		c.AbortWithStatus(http.StatusUnauthorized)
+		return
+	}
+
+	//Validate
+	token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
+		// Don't forget to validate the alg is what you expect:
+		if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
+			return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])
+		}
+
+		// hmacSampleSecret is a []byte containing your secret, e.g. []byte("my_secret_key")
+		return []byte(os.Getenv("SECRET")), nil
+	})
+
+	if err != nil {
+		c.AbortWithStatus(http.StatusUnauthorized)
+		return
+	}
+	
+	if claims, ok := token.Claims.(jwt.MapClaims); ok {
+		//Check Expiration
+		if float64(time.Now().Unix()) > claims["exp"].(float64) {
+			//expired
+			c.AbortWithStatus(http.StatusUnauthorized)
+			return
+		}
+		
+		//Find user
+		var user models.User
+		result := av.DB.First(&user, claims["sub"])
+
+		if result.Error != nil {
+			c.AbortWithStatus(http.StatusUnauthorized)
+			return
+		}
+	
+		//Attach to req
+		c.Set("user", user)
+	
+		// Coninue
+		c.Next()
+		return
+	}
+	
+	c.AbortWithStatus(http.StatusUnauthorized)
+}