diff --git a/auth.go b/auth.go
new file mode 100644
index 0000000..cfd753f
--- /dev/null
+++ b/auth.go
@@ -0,0 +1,61 @@
+package gpaste
+
+import (
+	"fmt"
+	"time"
+
+	"github.com/golang-jwt/jwt"
+	"github.com/google/uuid"
+)
+
+type AuthService struct {
+	users      UserStore
+	hmacSecret []byte
+}
+
+func NewAuthService(store UserStore, signingSecret []byte) *AuthService {
+	return &AuthService{users: store, hmacSecret: signingSecret}
+}
+
+func (as *AuthService) Login(username, password string) (string, error) {
+	user, err := as.users.Get(username)
+	if err != nil {
+		return "", err
+	}
+
+	if err := user.ValidatePassword(password); err != nil {
+		return "", err
+	}
+
+	// TODO: Set iss and aud
+	claims := jwt.StandardClaims{
+		Subject:   user.Username,
+		ExpiresAt: time.Now().Add(7 * 24 * time.Hour).Unix(),
+		NotBefore: time.Now().Unix(),
+		IssuedAt:  time.Now().Unix(),
+		Id:        uuid.NewString(),
+	}
+
+	token := jwt.NewWithClaims(jwt.GetSigningMethod("HS256"), claims)
+	signed, err := token.SignedString(as.hmacSecret)
+	if err != nil {
+		return "", err
+	}
+
+	return signed, nil
+}
+
+func (as *AuthService) ValidateToken(rawToken string) error {
+	claims := &jwt.StandardClaims{}
+	token, err := jwt.ParseWithClaims(rawToken, claims, func(t *jwt.Token) (interface{}, error) {
+		return as.hmacSecret, nil
+	})
+	if err != nil {
+		return err
+	}
+	if !token.Valid {
+		return fmt.Errorf("invalid token")
+	}
+
+	return nil
+}
diff --git a/auth_test.go b/auth_test.go
new file mode 100644
index 0000000..0c98f7c
--- /dev/null
+++ b/auth_test.go
@@ -0,0 +1,39 @@
+package gpaste_test
+
+import (
+	"testing"
+
+	"git.t-juice.club/torjus/gpaste"
+)
+
+func TestAuth(t *testing.T) {
+	t.Run("Token", func(t *testing.T) {
+		us := gpaste.NewMemoryUserStore()
+		secret := []byte(randomString(16))
+		as := gpaste.NewAuthService(us, secret)
+
+		username := randomString(8)
+		password := randomString(16)
+
+		user := &gpaste.User{Username: username}
+		if err := user.SetPassword(password); err != nil {
+			t.Fatalf("error setting user password: %s", err)
+		}
+		if err := us.Store(user); err != nil {
+			t.Fatalf("Error storing user: %s", err)
+		}
+
+		token, err := as.Login(username, password)
+		if err != nil {
+			t.Fatalf("Error creating token: %s", err)
+		}
+
+		if err := as.ValidateToken(token); err != nil {
+			t.Fatalf("Error validating token: %s", err)
+		}
+		invalidToken := `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2NDMyMjk3NjMsImp0aSI6ImUzNDk5NWI1LThiZmMtNDQyNy1iZDgxLWFmNmQ3OTRiYzM0YiIsImlhdCI6MTY0MjYyNDk2MywibmJmIjoxNjQyNjI0OTYzLCJzdWIiOiJYdE5Hemt5ZSJ9.VM6dkwSLaBv8cStkWRVVv9ADjdUrHGHrlB7GB7Ly7n8`
+		if err := as.ValidateToken(invalidToken); err == nil {
+			t.Fatalf("Invalid token passed validation")
+		}
+	})
+}
diff --git a/go.mod b/go.mod
index 6c30a0c..cad0232 100644
--- a/go.mod
+++ b/go.mod
@@ -7,10 +7,13 @@ require github.com/google/uuid v1.3.0
 require github.com/go-chi/chi/v5 v5.0.7
 
 require (
+	github.com/golang-jwt/jwt v3.2.2+incompatible
 	github.com/google/go-cmp v0.5.6
 	github.com/pelletier/go-toml v1.9.4
 	github.com/urfave/cli/v2 v2.3.0
+	go.etcd.io/bbolt v1.3.6
 	go.uber.org/zap v1.20.0
+	golang.org/x/crypto v0.0.0-20220112180741-5e0467b6c7ce
 )
 
 require (
@@ -18,4 +21,5 @@ require (
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	go.uber.org/atomic v1.9.0 // indirect
 	go.uber.org/multierr v1.7.0 // indirect
+	golang.org/x/sys v0.0.0-20220114195835-da31bd327af9 // indirect
 )
diff --git a/go.sum b/go.sum
index 04ac49e..8d8abd7 100644
--- a/go.sum
+++ b/go.sum
@@ -9,6 +9,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/go-chi/chi/v5 v5.0.7 h1:rDTPXLDHGATaeHvVlLcR4Qe0zftYethFucbjVQ1PxU8=
 github.com/go-chi/chi/v5 v5.0.7/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
+github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
+github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
 github.com/google/go-cmp v0.5.6 h1:BKbKCqvP6I+rmFHt06ZmyQtvB8xAkWdhFyr0ZUNZcxQ=
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
@@ -33,6 +35,8 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/urfave/cli/v2 v2.3.0 h1:qph92Y649prgesehzOrQjdWyxFOp/QVM+6imKHad91M=
 github.com/urfave/cli/v2 v2.3.0/go.mod h1:LJmUH05zAU44vOAcrfzZQKsZbVcdbOG8rtL3/XcUArI=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
+go.etcd.io/bbolt v1.3.6 h1:/ecaJf0sk1l4l6V4awd65v2C3ILy7MSj+s/x1ADCIMU=
+go.etcd.io/bbolt v1.3.6/go.mod h1:qXsaaIqmgQH0T+OPdb99Bf+PKfBBQVAdyD6TY9G8XM4=
 go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
 go.uber.org/atomic v1.9.0 h1:ECmE8Bn/WFTYwEW/bpKD3M8VtR/zQVbavAoalC1PYyE=
 go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
@@ -45,22 +49,31 @@ go.uber.org/zap v1.20.0 h1:N4oPlghZwYG55MlU6LXk/Zp00FVNE9X9wrYO8CEs4lc=
 go.uber.org/zap v1.20.0/go.mod h1:wjWOCqI0f2ZZrJF/UufIOkiC8ii6tm1iqIsLo76RfJw=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20220112180741-5e0467b6c7ce h1:Roh6XWxHFKrPgC/EQhVubSAGQ6Ozk6IdxHSzt1mR0EI=
+golang.org/x/crypto v0.0.0-20220112180741-5e0467b6c7ce/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
 golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
+golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200923182605-d9f96fdee20d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220114195835-da31bd327af9 h1:XfKQ4OlFl8okEOr5UvAqFRVj8pY/4yfcXrddB8qAbU0=
+golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
diff --git a/user.go b/user.go
new file mode 100644
index 0000000..ff91e44
--- /dev/null
+++ b/user.go
@@ -0,0 +1,27 @@
+package gpaste
+
+import "golang.org/x/crypto/bcrypt"
+
+type User struct {
+	Username       string `json:"username"`
+	HashedPassword []byte `json:"hashed_password"`
+}
+
+type UserStore interface {
+	Get(username string) (*User, error)
+	Store(user *User) error
+	Delete(username string) error
+}
+
+func (u *User) ValidatePassword(password string) error {
+	return bcrypt.CompareHashAndPassword(u.HashedPassword, []byte(password))
+}
+
+func (u *User) SetPassword(password string) error {
+	hashed, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
+	if err != nil {
+		return err
+	}
+	u.HashedPassword = hashed
+	return nil
+}
diff --git a/user_test.go b/user_test.go
new file mode 100644
index 0000000..5855e68
--- /dev/null
+++ b/user_test.go
@@ -0,0 +1,37 @@
+package gpaste_test
+
+import (
+	"math/rand"
+	"testing"
+
+	"git.t-juice.club/torjus/gpaste"
+)
+
+func TestUser(t *testing.T) {
+	t.Run("Password", func(t *testing.T) {
+		userMap := make(map[string]string)
+		for i := 0; i < 10; i++ {
+			userMap[randomString(8)] = randomString(16)
+		}
+
+		for username, password := range userMap {
+			user := &gpaste.User{Username: username}
+			if err := user.SetPassword(password); err != nil {
+				t.Fatalf("Error setting password: %s", err)
+			}
+			if err := user.ValidatePassword(password); err != nil {
+				t.Fatalf("Error validating password: %s", err)
+			}
+		}
+	})
+}
+
+func randomString(length int) string {
+	const charset = "abcdefghijklmnopqrstabcdefghijklmnopqrstuvwxyz" +
+		"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
+	b := make([]byte, length)
+	for i := range b {
+		b[i] = charset[rand.Intn(len(charset))]
+	}
+	return string(b)
+}
diff --git a/userstore_bolt.go b/userstore_bolt.go
new file mode 100644
index 0000000..c0c87e9
--- /dev/null
+++ b/userstore_bolt.go
@@ -0,0 +1,69 @@
+package gpaste
+
+import (
+	"encoding/json"
+
+	"go.etcd.io/bbolt"
+)
+
+var keyUsers = []byte("users")
+
+type BoltUserStore struct {
+	db *bbolt.DB
+}
+
+func NewBoltUserStore(path string) (*BoltUserStore, error) {
+	db, err := bbolt.Open(path, 0666, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := db.Update(func(tx *bbolt.Tx) error {
+		_, err := tx.CreateBucketIfNotExists(keyUsers)
+		return err
+	}); err != nil {
+		return nil, err
+	}
+
+	return &BoltUserStore{db: db}, nil
+}
+
+func (s *BoltUserStore) Close() error {
+	return s.db.Close()
+}
+
+func (s *BoltUserStore) Get(username string) (*User, error) {
+	var user User
+	err := s.db.View(func(tx *bbolt.Tx) error {
+		bkt := tx.Bucket(keyUsers)
+		rawUser := bkt.Get([]byte(username))
+		if err := json.Unmarshal(rawUser, &user); err != nil {
+			return err
+		}
+		return nil
+	})
+	if err != nil {
+		return nil, err
+	}
+	return &user, nil
+}
+
+func (s *BoltUserStore) Store(user *User) error {
+	return s.db.Update(func(tx *bbolt.Tx) error {
+		bkt := tx.Bucket(keyUsers)
+
+		data, err := json.Marshal(user)
+		if err != nil {
+			return err
+		}
+
+		return bkt.Put([]byte(user.Username), data)
+	})
+}
+
+func (s *BoltUserStore) Delete(username string) error {
+	return s.db.Update(func(tx *bbolt.Tx) error {
+		bkt := tx.Bucket(keyUsers)
+		return bkt.Delete([]byte(username))
+	})
+}
diff --git a/userstore_bolt_test.go b/userstore_bolt_test.go
new file mode 100644
index 0000000..4600443
--- /dev/null
+++ b/userstore_bolt_test.go
@@ -0,0 +1,27 @@
+package gpaste_test
+
+import (
+	"path/filepath"
+	"testing"
+
+	"git.t-juice.club/torjus/gpaste"
+)
+
+func TestBoltUserStore(t *testing.T) {
+	tmpDir := t.TempDir()
+	newFunc := func() (func(), gpaste.UserStore) {
+		tmpFile := filepath.Join(tmpDir, randomString(8))
+
+		store, err := gpaste.NewBoltUserStore(tmpFile)
+		if err != nil {
+			t.Fatalf("Error creating store: %s", err)
+		}
+		cleanup := func() {
+			store.Close()
+		}
+		return cleanup, store
+	}
+
+	RunUserStoreTest(newFunc, t)
+
+}
diff --git a/userstore_memory.go b/userstore_memory.go
new file mode 100644
index 0000000..33811a0
--- /dev/null
+++ b/userstore_memory.go
@@ -0,0 +1,39 @@
+package gpaste
+
+import (
+	"fmt"
+	"sync"
+)
+
+type MemoryUserStore struct {
+	users map[string]*User
+	lock  sync.Mutex
+}
+
+func NewMemoryUserStore() *MemoryUserStore {
+	return &MemoryUserStore{users: make(map[string]*User)}
+}
+func (s *MemoryUserStore) Get(username string) (*User, error) {
+	s.lock.Lock()
+	defer s.lock.Unlock()
+	user, ok := s.users[username]
+	if !ok {
+		return nil, fmt.Errorf("no such user: %s", username)
+	}
+
+	return user, nil
+}
+
+func (s *MemoryUserStore) Store(user *User) error {
+	s.lock.Lock()
+	defer s.lock.Unlock()
+	s.users[user.Username] = user
+	return nil
+}
+
+func (s *MemoryUserStore) Delete(username string) error {
+	s.lock.Lock()
+	defer s.lock.Unlock()
+	delete(s.users, username)
+	return nil
+}
diff --git a/userstore_memory_test.go b/userstore_memory_test.go
new file mode 100644
index 0000000..f044e82
--- /dev/null
+++ b/userstore_memory_test.go
@@ -0,0 +1,15 @@
+package gpaste_test
+
+import (
+	"testing"
+
+	"git.t-juice.club/torjus/gpaste"
+)
+
+func TestMemoryUserStore(t *testing.T) {
+	newFunc := func() (func(), gpaste.UserStore) {
+		return func() {}, gpaste.NewMemoryUserStore()
+	}
+
+	RunUserStoreTest(newFunc, t)
+}
diff --git a/userstore_test.go b/userstore_test.go
new file mode 100644
index 0000000..5b74d09
--- /dev/null
+++ b/userstore_test.go
@@ -0,0 +1,41 @@
+package gpaste_test
+
+import (
+	"testing"
+
+	"git.t-juice.club/torjus/gpaste"
+)
+
+func RunUserStoreTest(newFunc func() (func(), gpaste.UserStore), t *testing.T) {
+	t.Run("Basics", func(t *testing.T) {
+		cleanup, s := newFunc()
+		t.Cleanup(cleanup)
+
+		userMap := make(map[string]string)
+		for i := 0; i < 10; i++ {
+			userMap[randomString(8)] = randomString(16)
+		}
+
+		for k, v := range userMap {
+			user := &gpaste.User{
+				Username: k,
+			}
+			if err := user.SetPassword(v); err != nil {
+				t.Fatalf("Error setting password: %s", err)
+			}
+			if err := s.Store(user); err != nil {
+				t.Fatalf("Error storing user: %s", err)
+			}
+		}
+
+		for k, v := range userMap {
+			user, err := s.Get(k)
+			if err != nil {
+				t.Errorf("Error getting user: %s", err)
+			}
+			if err := user.ValidatePassword(v); err != nil {
+				t.Errorf("Error verifying password: %s", err)
+			}
+		}
+	})
+}