diff --git a/Cargo.lock b/Cargo.lock
index 7fbfdfa..36e5f92 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -157,13 +157,24 @@ dependencies = [
  "version_check",
 ]
 
+[[package]]
+name = "cookie"
+version = "0.17.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7efb37c3e1ccb1ff97164ad95ac1606e8ccd35b3fa0a7d99a304c7f4a428cc24"
+dependencies = [
+ "percent-encoding",
+ "time",
+ "version_check",
+]
+
 [[package]]
 name = "cookie_store"
 version = "0.16.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d606d0fba62e13cf04db20536c05cb7f13673c161cb47a47a82b9b9e7d3f1daa"
 dependencies = [
- "cookie",
+ "cookie 0.16.2",
  "idna 0.2.3",
  "log",
  "publicsuffix",
@@ -180,7 +191,7 @@ version = "0.19.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d5a18f35792056f8c7c2de9c002e7e4fe44c7b5f66e7d99f46468dbb730a7ea7"
 dependencies = [
- "cookie",
+ "cookie 0.16.2",
  "idna 0.3.0",
  "log",
  "publicsuffix",
@@ -291,6 +302,17 @@ version = "0.3.28"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "4bca583b7e26f571124fe5b7561d49cb2868d79116cfa0eefce955557c6fee8c"
 
+[[package]]
+name = "futures-macro"
+version = "0.3.28"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "89ca545a94061b6365f2c7355b4b32bd20df3ff95f02da9329b34ccc3bd6ee72"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
 [[package]]
 name = "futures-sink"
 version = "0.3.28"
@@ -310,9 +332,11 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "26b01e40b772d54cf6c6d721c1d1abd0647a0106a12ecaa1c186273392a69533"
 dependencies = [
  "futures-core",
+ "futures-macro",
  "futures-task",
  "pin-project-lite",
  "pin-utils",
+ "slab",
 ]
 
 [[package]]
@@ -392,7 +416,7 @@ version = "0.1.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7e7d56c0f391b27f6b4186e9ad7dad17c2f80329a8a409312a6e7622a25379f3"
 dependencies = [
- "cookie",
+ "cookie 0.16.2",
  "http",
  "reqwest",
  "reqwest_cookie_store",
@@ -543,6 +567,7 @@ dependencies = [
  "serde",
  "serde_json",
  "tokio",
+ "tower-cookies",
  "tower-http",
 ]
 
@@ -833,7 +858,7 @@ checksum = "cde824a14b7c14f85caff81225f411faacc04a2013f41670f41443742b1c1c55"
 dependencies = [
  "base64",
  "bytes",
- "cookie",
+ "cookie 0.16.2",
  "cookie_store 0.16.2",
  "encoding_rs",
  "futures-core",
@@ -871,7 +896,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "06b407c05de7a0f7e4cc2a56af5e9bd6468e509124e81078ce1f8bc2ed3536bf"
 dependencies = [
  "bytes",
- "cookie",
+ "cookie 0.16.2",
  "cookie_store 0.19.1",
  "reqwest",
  "url",
@@ -1197,6 +1222,23 @@ dependencies = [
  "tracing",
 ]
 
+[[package]]
+name = "tower-cookies"
+version = "0.9.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "40f38d941a2ffd8402b36e02ae407637a9caceb693aaf2edc910437db0f36984"
+dependencies = [
+ "async-trait",
+ "axum-core",
+ "cookie 0.17.0",
+ "futures-util",
+ "http",
+ "parking_lot",
+ "pin-project-lite",
+ "tower-layer",
+ "tower-service",
+]
+
 [[package]]
 name = "tower-http"
 version = "0.4.1"
diff --git a/Cargo.toml b/Cargo.toml
index 6b8f7bb..752b438 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -11,6 +11,7 @@ axum = "0.6.18"
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1"
 tower-http = { version = "0.4.1", features = ["fs"] }
+tower-cookies = "0.9"
 
 [dev-dependencies]
 anyhow = "1"
diff --git a/src/main.rs b/src/main.rs
index e47b1c9..9cbd153 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -12,6 +12,7 @@ use axum::{middleware, Json, Router};
 use axum::Server;
 use serde::Deserialize;
 use tower_http::services::ServeDir;
+use tower_cookies::CookieManagerLayer;
 
 
 mod error;
@@ -28,6 +29,7 @@ async fn main() {
         .merge(routes_hello())
         .merge(web::routes_login::routes())
         .layer(middleware::map_response(main_response_mapper))
+        .layer(CookieManagerLayer::new())
         .fallback_service(routes_static());
 
     let addr = SocketAddr::from(([127, 0, 0, 1], 3000));
diff --git a/src/web/mod.rs b/src/web/mod.rs
index c38370a..8c933c3 100644
--- a/src/web/mod.rs
+++ b/src/web/mod.rs
@@ -1 +1,3 @@
 pub mod routes_login;
+
+pub const AUTH_TOKEN: &str = "auth-token";
diff --git a/src/web/routes_login.rs b/src/web/routes_login.rs
index 063fba0..5de8e4e 100644
--- a/src/web/routes_login.rs
+++ b/src/web/routes_login.rs
@@ -1,21 +1,23 @@
-use crate::{Error, Result};
+use crate::{Error, Result, web};
 use axum::{Json, Router};
 use axum::routing::post;
 use serde::Deserialize;
 use serde_json::{json, Value};
+use tower_cookies::{Cookie, Cookies};
 
 pub fn routes() -> Router {
     Router::new().route("/api/login", post(api_login))
 }
 
-async fn api_login(payload: Json<LoginPayload>) -> Result<Json<Value>>{
+async fn api_login(cookies: Cookies, payload: Json<LoginPayload>) -> Result<Json<Value>>{
     println!("->> {:<12} - api_login", "HANDLER");
 
     if payload.username != "demo1" || payload.password != "demo1" {
         return Err(Error::LoginFail);
     }
 
-    // TODO: Set cookies
+    // FIXME: Implement real auth-token generation/signature.
+    cookies.add(Cookie::new(web::AUTH_TOKEN, "user-1.exp.sign"));
     
     let body = Json(json!({
         "result": {
diff --git a/tests/quick_dev.rs b/tests/quick_dev.rs
index d32c37a..6e4b042 100644
--- a/tests/quick_dev.rs
+++ b/tests/quick_dev.rs
@@ -27,5 +27,7 @@ async fn test_quick_dev() -> Result<()> {
         );
     req_login.await?.print().await?;
 
+    hc.do_get("/hello2/mike").await?.print().await?;
+
     Ok(())
 }