diff --git a/project/api/views.py b/project/api/views.py index 351785e..b071823 100644 --- a/project/api/views.py +++ b/project/api/views.py @@ -1,4 +1,5 @@ # models +from http.client import HTTPResponse from django.contrib.auth.models import User from .models import Project, Agency, Route # serializers @@ -43,17 +44,45 @@ class AuthViewSet(viewsets.ViewSet): def create(self, request): username = request.data.get('username') + password = request.data.get('password') + user = User.objects.filter(username = username).first() + is_correct = user.check_password(password) + if not is_correct: + raise PermissionDenied + now = datetime.datetime.utcnow() payload = { 'exp': now + datetime.timedelta(hours=1), 'user_id': user.id } token = jwt.encode(payload, private_key, algorithm="HS256") - return Response({ 'token': token }) + response = Response({ 'token': token }) + response.set_cookie('token', token) + return response + + @action(detail=False, methods=['get']) + def info(self, request, pk=None): + token = request.COOKIES.get('token') + if not token: + raise PermissionDenied + decode = jwt.decode(token, private_key, algorithms= ["HS256"]) + + user = User.objects.filter(id = decode.get('user_id')).values().first() + if (user == None): + raise PermissionDenied + + return Response({ + 'id': user.get('id'), + 'username': user.get('username'), + 'first_name': user.get('first_name'), + 'last_name': user.get('last_name'), + 'email': user.get('email'), + 'token': token, + }) @action(detail=False, methods=['post']) - def info(self, request, pk=None): + def set_token(self, request, pk=None): token = request.data.get('token') decode = jwt.decode(token, private_key, algorithms= ["HS256"]) 
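Review bot: `from http.client import HTTPResponse` in the first hunk pulls in the stdlib HTTP *client's* response class, which is unrelated to Django's `django.http.HttpResponse`, and nothing in the diff references it; the view code shown uses DRF's `Response` throughout. Unless it is used further down the file outside this diff, the line should be dropped (`ruff`/`flake8` F401 would flag it), and if a server-side response type was intended the import is the wrong one.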
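Review bot: `user.check_password(password)` in `create` dereferences the result of `.first()`, which is `None` for an unknown username, so a bad username produces an `AttributeError` (HTTP 500) while a bad password produces 403 — a crash and a username-enumeration oracle in one; fold both into `if user is None or not user.check_password(password): raise PermissionDenied` (or use `django.contrib.auth.authenticate`, which also rejects inactive users). `response.set_cookie('token', token)` stores the session JWT with no `httponly`, `secure`, `samesite` or `max_age`, so it is readable by any script on the page and outlives the one-hour `exp` in the payload; pass those flags, with `secure`/`samesite` set to what the deployment's TLS and front-end origin allow. In `info`, `jwt.decode` raises `jwt.ExpiredSignatureError`/`jwt.InvalidTokenError` for an expired or tampered cookie and nothing catches it, so that path also surfaces as a 500 instead of a 403. `user == None` should be `user is None`, and echoing `token` in the `info` body returns the credential in a GET response that proxies or logs may retain. The body of the renamed `set_token` continues outside this hunk.
```python
        user = User.objects.filter(username=username).first()
        # Unknown user and wrong password must fail identically; calling
        # check_password() on None raises AttributeError (HTTP 500).
        if user is None or not user.check_password(password):
            raise PermissionDenied
        # … unchanged: exp payload / jwt.encode …
        response = Response({'token': token})
        # max_age mirrors the token's exp; secure/samesite per deployment.
        response.set_cookie('token', token, max_age=3600, httponly=True,
                            secure=True, samesite='Strict')
        return response

        # … unchanged: info() cookie lookup …
        try:
            decode = jwt.decode(token, private_key, algorithms=["HS256"])
        except jwt.PyJWTError:
            # expired or tampered token is an auth failure, not a server error
            raise PermissionDenied
```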
@@ -67,4 +96,11 @@ class AuthViewSet(viewsets.ViewSet): 'first_name': user.get('first_name'), 'last_name': user.get('last_name'), 'email': user.get('email'), - }) \ No newline at end of file + 'token': token, + }) + + @action(detail=False, methods=['post']) + def logout(self, request, pk=None): + response = Response() + response.delete_cookie('token') + return response
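Review bot: `logout` only clears the browser cookie; the JWT it held is stateless and stays valid until its `exp`, so anyone who captured it (or a client that kept the copy returned in the response body) can keep using it, and nothing in the hunk records a revocation. That limit should be stated on the method, e.g. `"""Clear the token cookie. Client-side only: the JWT remains valid until its exp — there is no server-side revocation."""`. `delete_cookie('token')` also has to match the `path`/`domain` used by `set_cookie`, which is fine while both rely on defaults but should be kept in sync if `create` ever sets them. `set_token` continues to echo `token` in its response body, the same exposure noted for `info`.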