diff --git a/config/packages/lexik_jwt_authentication.yaml b/config/packages/lexik_jwt_authentication.yaml
index f701b56..e45799b 100644
--- a/config/packages/lexik_jwt_authentication.yaml
+++ b/config/packages/lexik_jwt_authentication.yaml
@@ -4,3 +4,8 @@ lexik_jwt_authentication:
     pass_phrase: '%env(JWT_PASSPHRASE)%'
     # 1 month ttl
     token_ttl: 2628288
+
+    token_extractors:
+        cookie:
+            enabled: true
+            name: !php/const App\Api\Controller\PlayerController::JWT_AUTH_COOKIE_NAME
diff --git a/config/services.yaml b/config/services.yaml
index f4c69cf..5a21eaf 100644
--- a/config/services.yaml
+++ b/config/services.yaml
@@ -14,6 +14,7 @@ services:
         autowire: true      # Automatically injects dependencies in your services.
         autoconfigure: true # Automatically registers your services as commands, event subscribers, etc.
+    Lexik\Bundle\JWTAuthenticationBundle\Security\Http\Cookie\JWTCookieProvider:
     # makes classes in src/ available to be used as services
     # this creates a service per class whose id is the fully-qualified class name
     App\:
diff --git a/src/Api/Controller/PlayerController.php b/src/Api/Controller/PlayerController.php
index d75cf99..aa2ac85 100644
--- a/src/Api/Controller/PlayerController.php
+++ b/src/Api/Controller/PlayerController.php
@@ -16,6 +16,7 @@ use App\Infrastructure\Persistence\PersistenceAdapterInterface;
 use App\Serializer\KillerSerializer;
 use App\Validator\KillerValidator;
+use Lexik\Bundle\JWTAuthenticationBundle\Security\Http\Cookie\JWTCookieProvider;
 use Lexik\Bundle\JWTAuthenticationBundle\Services\JWTTokenManagerInterface;
 use Psr\Log\LoggerAwareInterface;
 use Psr\Log\LoggerAwareTrait;
@@ -37,6 +38,8 @@ class PlayerController extends AbstractController implements LoggerAwareInterfac
 {
     use LoggerAwareTrait;
+    public const JWT_AUTH_COOKIE_NAME = 'killer_auth';
+
     public function __construct(
         private readonly PlayerRepository $playerRepository,
         private readonly RoomRepository $roomRepository,
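Review bot: Enabling the cookie extractor turns the JWT into an ambient credential that the browser attaches by itself, so any cookie-authenticated state-changing route becomes reachable from a cross-site page unless the cookie carries a restrictive `SameSite` value and/or the API has a CSRF defence; neither is visible in this diff, so the SameSite policy and CSRF strategy should be decided alongside this extractor rather than left to provider defaults. The unchanged `token_ttl: 2628288` now also bounds how long a stolen cookie stays valid, with no revocation path shown here. The cookie name is pulled from a controller constant via `!php/const`, which couples framework config to `PlayerController`; a comment next to `cookie:` such as `# name must match the cookie set in PlayerController::createPlayer; browsers send this cookie automatically, so SameSite/CSRF must be handled` would record both the coupling and the threat model.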
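Review bot: `Lexik\...\JWTCookieProvider:` is registered with no arguments, so every constructor default applies — no default lifetime or name and no explicitly chosen `Secure`/`HttpOnly`/`SameSite` policy — and the only `createCookie($token, NAME)` call in this commit passes nothing but the name, so the cookie's expiry and attributes are whatever the installed bundle version defaults to (some versions refuse to build a cookie without a lifetime or expiry; verify against the vendored class). Prefer the bundle's own `set_cookies` section under `lexik_jwt_authentication`, which builds a provider whose lifetime follows `token_ttl` and whose `samesite`/`secure`/`httpOnly` are declared in config, and inject that provider service instead; at minimum pass the arguments explicitly, e.g. `arguments: { $defaultLifetime: 2628288, $defaultSameSite: lax, $defaultSecure: true }` (argument names per the installed bundle's constructor — confirm). A one-line comment above the entry stating why the class is registered manually would help the next reader.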
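Review bot: `JWT_AUTH_COOKIE_NAME` is also referenced from `config/packages/lexik_jwt_authentication.yaml` through `!php/const`, so renaming or moving the constant breaks container compilation and, if the config is edited independently, breaks token extraction while the cookie is still being set; a docblock makes that coupling visible: `/** Name of the auth cookie; also referenced by lexik_jwt_authentication.yaml (token_extractors.cookie.name) — keep both in sync. */`. A dedicated class in the security layer would be a more natural home than the controller, but that is a style preference. The class body continues outside this hunk.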
@@ -45,6 +48,7 @@ public function __construct(
         private readonly KillerSerializer $serializer,
         private readonly KillerValidator $validator,
         private readonly JWTTokenManagerInterface $tokenManager,
+        private readonly JWTCookieProvider $JWTCookieProvider,
         private readonly RoomStatusTransitionUseCase $roomStatusTransitionUseCase,
     ) {
     }
@@ -70,15 +74,19 @@ public function createPlayer(Request $request): JsonResponse
         $this->playerRepository->store($player);
         $this->persistenceAdapter->flush();
-        $player->setToken($this->tokenManager->create($player));
+        $token = $this->tokenManager->create($player);
         $this->logger->info('Token created for player {user_id}', ['user_id' => $player->getId()]);
-        return $this->json(
+        $response = $this->json(
             $player,
             Response::HTTP_CREATED,
             ['Location' => sprintf('/player/%s', $player->getUserIdentifier())],
             [AbstractNormalizer::GROUPS => 'create-player'],
         );
+
+        $response->headers->setCookie($this->JWTCookieProvider->createCookie($token, self::JWT_AUTH_COOKIE_NAME));
+
+        return $response;
     }
     #[Route('/me', name: 'me', methods: [Request::METHOD_GET])]
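Review bot: `createCookie($token, self::JWT_AUTH_COOKIE_NAME)` passes no expiry and no cookie attributes, so the lifetime, `Secure`, `HttpOnly` and `SameSite` of the cookie are whatever the injected provider defaults to, and since `setToken` was dropped this cookie is now the only credential the client receives, so those attributes deserve to be explicit and aligned with the configured `token_ttl` rather than a second hard-coded value, e.g. `createCookie($token, self::JWT_AUTH_COOKIE_NAME, time() + $ttl, Cookie::SAMESITE_LAX, '/', null, true, true)` (parameter order per the installed provider — confirm) with `$ttl` read from the bundle's token TTL parameter. A short comment that the JWT is intentionally no longer serialised into the response body, and that the cookie is meant to be `HttpOnly`, would stop a front-end from expecting the token in JSON. The cookie should also be cleared or rotated on whatever logout/leave path exists, which this diff does not show. createPlayer begins before this hunk.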