diff --git a/src/main.rs b/src/main.rs
index f65bbb1..c84cb0e 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -91,7 +91,13 @@ async fn main() -> Result<()> {
         Arc::clone(&padlock_generator),
     ));
 
-    tokio::spawn(server::run(config.port)).await??;
+    tokio::spawn(server::run(
+        config.port,
+        user_authenticator,
+        padlock_generator,
+        user_server_key_generator,
+    ))
+    .await??;
 
     Ok(())
 }
diff --git a/src/server.rs b/src/server.rs
index ffbcd43..dcef0eb 100644
--- a/src/server.rs
+++ b/src/server.rs
@@ -1,7 +1,7 @@
-use std::net::Ipv6Addr;
+use std::{net::Ipv6Addr, sync::Arc};
 
 use axum::{
-    extract::Query,
+    extract::{Query, State},
     http::StatusCode,
     response::IntoResponse,
     routing::{get, post},
@@ -11,18 +11,38 @@ use secrecy::ExposeSecret;
 use serde::{Deserialize, Serialize};
 use tracing::{event, instrument, Level};
 
-use crate::auth::{AuthenticationError, UserServerKeyGenerator};
+use crate::auth::{
+    AuthenticationError, ServerPadlockGenerator, UserAuthenticator, UserServerKeyGenerator,
+};
 use crate::secrets::{Password, ServerHash, UserToken};
 
+#[derive(Debug)]
+struct AppState {
+    user_authenticator: Arc<UserAuthenticator>,
+    server_padlock_generator: Arc<ServerPadlockGenerator>,
+    user_server_key_generator: Arc<UserServerKeyGenerator>,
+}
+
 #[instrument]
-pub async fn run(port: u16) -> color_eyre::Result<()> {
+pub async fn run(
+    port: u16,
+    user_authenticator: Arc<UserAuthenticator>,
+    server_padlock_generator: Arc<ServerPadlockGenerator>,
+    user_server_key_generator: Arc<UserServerKeyGenerator>,
+) -> color_eyre::Result<()> {
+    let app_state = Arc::new(AppState {
+        user_authenticator,
+        server_padlock_generator,
+        user_server_key_generator,
+    });
     let app = Router::new()
         .route("/tls-check/success", get(|| async { "OK" }))
         .route("/api-login", post(api_login))
         .route(
             "/generate-user-server-key-2",
             post(generate_user_server_key_2),
-        );
+        )
+        .with_state(app_state);
     let listener = tokio::net::TcpListener::bind((Ipv6Addr::UNSPECIFIED, port)).await?;
     axum::serve(listener, app).await?;
 
@@ -74,11 +94,16 @@ struct LoginResponse {
 
 #[instrument]
 async fn api_login(
+    State(state): State<Arc<AppState>>,
     Query(ApiVersion { api_version }): Query<ApiVersion>,
     Form(LoginRequest { username, password }): Form<LoginRequest>,
 ) -> ApiResult<Json<LoginResponse>> {
-    event!(Level::WARN, "Creating dummy token");
-    let user_token = UserToken("invalid".to_owned().into());
+    event!(Level::INFO, "Generating user key");
+
+    let user_token = state
+        .user_authenticator
+        .create_user_token(&username, &password)
+        .await?;
 
     Ok(Json(LoginResponse {
         username,
@@ -101,6 +126,7 @@ struct UserServerKeyResponse {
 
 #[instrument]
 async fn generate_user_server_key_2(
+    State(state): State<Arc<AppState>>,
     Query(ApiVersion { api_version }): Query<ApiVersion>,
     Form(UserServerKeyRequest {
         username,
@@ -108,10 +134,10 @@ async fn generate_user_server_key_2(
         server_hash,
     }): Form<UserServerKeyRequest>,
 ) -> ApiResult<Json<UserServerKeyResponse>> {
-    event!(Level::WARN, "Creating dummy user_server_key");
+    event!(Level::INFO, "Creating user_server_key");
 
-    let generator: UserServerKeyGenerator = todo!();
-    let (server_key, server_key_timestamp) = generator
+    let (server_key, server_key_timestamp) = state
+        .user_server_key_generator
         .generate_user_server_key(&username, &token, &server_hash)
         .await?;