diff --git a/crates/ezidam/src/routes/oauth/redirect.rs b/crates/ezidam/src/routes/oauth/redirect.rs
index 13822c4..e69d857 100644
--- a/crates/ezidam/src/routes/oauth/redirect.rs
+++ b/crates/ezidam/src/routes/oauth/redirect.rs
@@ -114,11 +114,20 @@ pub async fn redirect_page(
     // TODO: get user roles
     let roles = vec![];
 
+    // Access token duration in minutes
+    let access_token_duration = 15;
+
     // Create jwt, sign and serialize
     let jwt = JwtClaims::new(home_page.clone(), app.id().as_ref(), &user, roles)
-        .sign_serialize(&private_key)?;
+        .sign_serialize(&private_key, access_token_duration)?;
 
-    // TODO: store tokens in secure, http only cookies
+    // Add jwt as a cookie
+    let mut cookie = Cookie::new("access_token", jwt);
+    cookie.set_secure(true);
+    cookie.set_http_only(true);
+    cookie.set_same_site(SameSite::Strict);
+    cookie.set_max_age(Duration::minutes(access_token_duration));
+    cookie_jar.add(cookie);
 
     transaction.commit().await?;
 
diff --git a/crates/jwt/src/claims.rs b/crates/jwt/src/claims.rs
index 0da7ff5..04906c5 100644
--- a/crates/jwt/src/claims.rs
+++ b/crates/jwt/src/claims.rs
@@ -43,13 +43,13 @@ impl JwtClaims {
         }
     }
 
-    pub fn sign_serialize(self, key: &PrivateKey) -> Result {
+    pub fn sign_serialize(self, key: &PrivateKey, duration_minutes: i64) -> Result {
         let header = Header::default().with_key_id(key.id());
         let claims = Claims::::new(self);
 
         // Set duration
-        let duration = Duration::minutes(15);
+        let duration = Duration::minutes(duration_minutes);
         let time_options = TimeOptions::default();
         let claims = claims.set_duration_and_issuance(&time_options, duration);
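Review bot: The cookie built at `Cookie::new("access_token", jwt)` gets Secure, HttpOnly, SameSite and Max-Age but no Path, so the browser applies the default-path rule and scopes it to the directory of the redirect URL, which presumably means the token is not sent back on requests to the rest of the application; add `cookie.set_path("/");` before `cookie_jar.add(cookie);`. Once Path=/ is set and no Domain attribute is used, the `__Host-` cookie-name prefix (`Cookie::new("__Host-access_token", jwt)`) would make browsers refuse to overwrite the cookie from an insecure origin or a subdomain, assuming nothing else already reads the cookie by its current name. The literal `15` in `let access_token_duration = 15;` is now the single source of both the JWT expiry and the cookie Max-Age, so a named constant such as `const ACCESS_TOKEN_TTL_MINUTES: i64 = 15;` with a comment saying the two must stay aligned would make that coupling explicit. `redirect_page` starts and ends outside the hunk.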