diff --git a/api/Cargo.toml b/api/Cargo.toml
index d102cb2..ac54819 100644
--- a/api/Cargo.toml
+++ b/api/Cargo.toml
@@ -7,6 +7,7 @@ publish = false
 [dependencies]
 rocket = { version = "^0.5.0-rc.2", features = [
 "json",
+ "secrets",
 ] }
 async-stream = { version = "^0.3" }
diff --git a/api/src/routes/admin.rs b/api/src/routes/admin.rs
index eeb3bd7..ee06626 100644
--- a/api/src/routes/admin.rs
+++ b/api/src/routes/admin.rs
@@ -5,7 +5,7 @@ use portfolio_core::{
 services::{admin_service::AdminService, candidate_service::CandidateService},
 };
 use requests::{AdminLoginRequest, RegisterRequest};
-use rocket::http::Status;
+use rocket::http::{Cookie, Status, CookieJar};
 use rocket::response::status::Custom;
 use rocket::serde::json::Json;
@@ -18,6 +18,7 @@ pub async fn login(
 conn: Connection<'_, Db>,
 login_form: Json,
 ip_addr: SocketAddr,
+ cookies: &CookieJar<'_>,
 ) -> Result> {
 let db = conn.into_inner();
 println!("{} {}", login_form.admin_id, login_form.password);
@@ -30,7 +31,18 @@ pub async fn login(
 )
 .await;
- session_token.map_err(|e| Custom(Status::from_code(e.code()).unwrap_or_default(), e.message()))
+ if let Err(e) = session_token {
+ return Err(Custom(
+ Status::from_code(e.code()).unwrap_or(Status::InternalServerError),
+ e.to_string(),
+ ));
+ } else {
+ let session_token = session_token.unwrap();
+ // Todo: Add private?
+ cookies.add(Cookie::new("id", session_token.clone()));
+
+ return Ok(session_token);
+ }
 }
 #[get("/whoami")]
diff --git a/api/src/routes/candidate.rs b/api/src/routes/candidate.rs
index 2ff7623..ccdc0df 100644
--- a/api/src/routes/candidate.rs
+++ b/api/src/routes/candidate.rs
@@ -2,7 +2,7 @@ use std::net::SocketAddr;
 use portfolio_core::services::candidate_service::{CandidateService, UserDetails};
 use requests::LoginRequest;
-use rocket::http::Status;
+use rocket::http::{Cookie, CookieJar, Status};
 use rocket::response::status::Custom;
 use rocket::serde::json::Json;
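Review bot: Enabling the `secrets` feature makes Rocket refuse to launch outside the debug profile unless a `secret_key` is configured, and this diff adds no such configuration (the Rocket.toml or figment setup is not visible from here, so it may already exist). That key signs and encrypts every private cookie, so it should be supplied from the environment or a secrets store rather than committed alongside this line. Note also that nothing in this commit calls `add_private`, so the feature is enabled without a consumer yet.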
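Review bot: The new import list `{Cookie, Status, CookieJar}` is not in the sorted order rustfmt emits, and candidate.rs in the same commit spells it `{Cookie, CookieJar, Status}`. Running `cargo fmt` would rewrite the line to `use rocket::http::{Cookie, CookieJar, Status};`, so it is worth committing it that way.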
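Review bot: The cookie set by `cookies.add(Cookie::new("id", session_token.clone()))` carries the session token without `HttpOnly` or `Secure`, so it is exposed to any script on the origin and to plain-HTTP requests; Rocket's `CookieJar::add` defaults only `path` and `SameSite`. Since this same commit enables the `secrets` feature, the `// Todo: Add private?` should be resolved here with `cookies.add_private(...)`, which encrypts and signs the value and defaults `HttpOnly` to true, with `Secure` set explicitly on the cookie. The `if let Err(e) ... else { ...unwrap() }` shape reads better as a `match` on `session_token`, which also removes the `unwrap`. The same applies to the candidate.rs login hunk further down, and the `println!` of `login_form.password` visible as context in the preceding hunk of both files writes the plaintext credential to stdout and should be removed. `login` begins in the previous hunk.
```rust
    // … unchanged: service call and .await …
    match session_token {
        Ok(token) => {
            let mut cookie = Cookie::new("id", token.clone());
            // HttpOnly keeps the token out of scripts; Secure keeps it off plain HTTP.
            cookie.set_http_only(true);
            cookie.set_secure(true);
            // `secrets` is enabled, so add_private encrypts and signs the value.
            cookies.add_private(cookie);
            Ok(token)
        }
        Err(e) => Err(Custom(
            Status::from_code(e.code()).unwrap_or(Status::InternalServerError),
            e.to_string(),
        )),
    }
```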
@@ -15,6 +15,7 @@ pub async fn login(
 conn: Connection<'_, Db>,
 login_form: Json,
 ip_addr: SocketAddr,
+ cookies: &CookieJar<'_>,
 ) -> Result> {
 let db = conn.into_inner();
 println!("{} {}", login_form.application_id, login_form.password);
@@ -27,9 +28,19 @@ pub async fn login(
 )
 .await;
- session_token.map_err(|e| Custom(Status::from_code(e.code()).unwrap_or_default(), e.message()))
-}
+ if let Err(e) = session_token {
+ return Err(Custom(
+ Status::from_code(e.code()).unwrap_or(Status::InternalServerError),
+ e.to_string(),
+ ));
+ } else {
+ let session_token = session_token.unwrap();
+ // Todo: Add private?
+ cookies.add(Cookie::new("id", session_token.clone()));
+ return Ok(session_token);
+ }
+}
 #[get("/whoami")]
 pub async fn whoami(session: CandidateAuth) -> Result> {
@@ -60,4 +71,3 @@ pub async fn fill_details(
 Ok("Details added".to_string())
 }
-