diff --git a/packages/sshecret-backend/src/sshecret_backend/auth.py b/packages/sshecret-backend/src/sshecret_backend/auth.py
new file mode 100644
index 0000000..c6a94cd
--- /dev/null
+++ b/packages/sshecret-backend/src/sshecret_backend/auth.py
@@ -0,0 +1,17 @@
+"""Auth helpers."""
+
+import bcrypt
+
+def hash_token(token: str) -> str:
+    """Hash a token."""
+    pwbytes = token.encode("utf-8")
+    salt = bcrypt.gensalt()
+    hashed_bytes = bcrypt.hashpw(password=pwbytes, salt=salt)
+    return hashed_bytes.decode()
+
+
+def verify_token(token: str, stored_hash: str) -> bool:
+    """Verify token."""
+    token_bytes = token.encode("utf-8")
+    stored_bytes = stored_hash.encode("utf-8")
+    return bcrypt.checkpw(token_bytes, stored_bytes)