diff --git a/backend/config/auth/auth.login.js b/backend/config/auth/auth.login.js
index 4326af119c44a5729a1ddf2bee902922a0c2a530..81a21c4e1c31ba4f9f7b8bbdd02f98b36af33527 100644
--- a/backend/config/auth/auth.login.js
+++ b/backend/config/auth/auth.login.js
@@ -1,10 +1,14 @@
 // library useful for development
 const passport = require("passport");
+const jwt = require("jsonwebtoken");
 
 // function to handle the login process
 const casLogin = function (req, res, next) {
   console.log("Beginning log in....");
 
+  // hard-coded for now.
+  const JWT_SECRET = "secret_key";
+
   // call the authenticate function with CAS
   passport.authenticate("cas", function (err, user, info) {
     if (err) {
@@ -12,11 +16,10 @@ const casLogin = function (req, res, next) {
       return next(err);
     }
 
-    // redirect to a /check page if the user is not found
+    // return 401 if user not found
     if (!user) {
-      // TODO: figure this out
       console.log("User not found: ", user);
-      return res.redirect("/userNotFound");
+      return res.status(401).json({ message: "Authentication failed." });
     }
 
     console.log("Found user");
@@ -29,19 +32,23 @@ const casLogin = function (req, res, next) {
         return next(err);
       }
 
-      // set a cookie to show the user is authenticated and their role
-      res.cookie("userAuthenticated", true, {
-        httpOnly: false,
-        sameSite: "Lax",
-      });
-      res.cookie("userPermission", user.permissionLevel || "guest", {
-        httpOnly: false,
-        sameSite: "Lax",
+      // payload for the JWT token
+      const payload = {
+        id: user.id,
+        role: user.permissionLevel || "guest",
+        username: user.username,
+      };
+
+      // sign the token with secret key
+      const token = jwt.sign(payload, JWT_SECRET, { expiresIn: "1h" });
+
+      // send the token to the frontend.
+      res.status(200).json({
+        message: "successfully authenticated.",
+        token: "token",
       });
 
-      console.log("Successfully authenticated.");
-      req.session.messages = "";
-      return res.redirect("/");
+      console.log("Successfully authenticated and generated token.");
     });
   })(req, res, next);
 };
diff --git a/backend/config/auth/authenticateJWT.js b/backend/config/auth/authenticateJWT.js
new file mode 100644
index 0000000000000000000000000000000000000000..47f4ebf5de50c270decd2e72100b3cddeed1787f
--- /dev/null
+++ b/backend/config/auth/authenticateJWT.js
@@ -0,0 +1,28 @@
+const jwt = require("jsonwebtoken");
+const JWT_SECRET = "secret_key";
+
+// Middleware to verify JWT
+const authenticateJWT = (req, res, next) => {
+  // Get token from Authorization header
+  const token = req.headers.authorization?.split(" ")[1];
+
+  // return early if no token provided
+  if (!token) {
+    return res
+      .status(403)
+      .json({ message: "Access denied. No token provided." });
+  }
+
+  // Verify the token
+  jwt.verify(token, JWT_SECRET, (err, user) => {
+    if (err) {
+      return res.status(403).json({ message: "Invalid or expired token." });
+    }
+
+    // Attach the decoded user information to the request
+    req.user = user;
+    next();
+  });
+};
+
+module.exports = authenticateJWT;
diff --git a/backend/index.js b/backend/index.js
index 98e7089d5f0d5b39786daf0a296179ed1f347150..4e1f27f91394138815c4a1f8287db5ae1f7c2581 100644
--- a/backend/index.js
+++ b/backend/index.js
@@ -2,6 +2,7 @@ const express = require("express");
 const session = require("express-session");
 const cors = require("cors");
 require("dotenv").config();
+const userRoutes = require("./routes/userRoutes");
 
 // create connection to db and initialize table schema
 const { pool } = require("./config/database/database.config");
@@ -45,6 +46,7 @@ app.use(function (req, res, next) {
 
 // import routes
 require("./config/auth/auth.routes")(app);
+app.use("/api/user", userRoutes);
 
 // Basic route to check if server is running
 app.get("/api", (req, res) => {
diff --git a/backend/package.json b/backend/package.json
index 558548d933f170aa808b663d4f5ec90ee40e8ba9..cee6d41ac13c932cb1b04c7deea523b01467cd7d 100644
--- a/backend/package.json
+++ b/backend/package.json
@@ -14,6 +14,7 @@
     "dotenv": "^16.4.5",
     "express": "^4.21.0",
     "express-session": "^1.18.1",
+    "jsonwebtoken": "^9.0.2",
     "mysql2": "^3.11.3",
     "nodemon": "^3.1.7",
     "passport": "^0.7.0",
diff --git a/backend/routes/userRoutes.js b/backend/routes/userRoutes.js
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..d6e06575fc2ce2e9231c64cde56752cb8b0254f6 100644
--- a/backend/routes/userRoutes.js
+++ b/backend/routes/userRoutes.js
@@ -0,0 +1,27 @@
+const express = require("express");
+const userRouter = express.Router();
+const authenticateJWT = require("../config/auth/authenticateJWT");
+
+// public route, no need to check for token
+userRouter.get("/public", (req, res) => {
+  res.status(200).json({
+    message: "Public user route. No token required",
+  });
+});
+
+// route that only admins can use, must check token
+userRouter.get("/admin", authenticateJWT, (req, res) => {
+  console.log("user: ", req.user);
+  if (req.user.role !== "admin") {
+    return res.status(403).json({
+      message: "User is not an admin",
+      user: req.user,
+    });
+  }
+
+  res.status(200).json({
+    message: "Admin content shown bc JWT token was shown to belong to an admin",
+  });
+});
+
+module.exports = userRouter;