diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index d83690e..99ce66c 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -1,5 +1,20 @@
 class ApplicationController < ActionController::Base
 # Prevent CSRF attacks by raising an exception.
 # For APIs, you may want to use :null_session instead.
- protect_from_forgery with: :exception
+ protect_from_forgery with: :null_session
+
+ def authenticate_device
+ authenticate_with_token || render_unauthorized
+ end
+
+ def authenticate_device
+ authenticate_or_request_with_http_token do |token, options|
+ @device = Device.find_by(access_token: token)
+ @device != nil
+ end
+ end
+
+ def render_unauthorized
+ render json: "Bad token", status: :unauthorised
+ end
 end
diff --git a/app/controllers/devices_controller.rb b/app/controllers/devices_controller.rb
index 3d741ad..fac24fd 100644
--- a/app/controllers/devices_controller.rb
+++ b/app/controllers/devices_controller.rb
@@ -11,7 +11,8 @@ class DevicesController < ApplicationController
 },
 status: :created
 else
- render json: { error: device.errors.full_messages }, status: :unprocessable_entity
+ render json: { error: device.errors.full_messages },
+ status: :unprocessable_entity
 end
 end
diff --git a/app/controllers/heartbeats_controller.rb b/app/controllers/heartbeats_controller.rb
new file mode 100644
index 0000000..1b62a8c
--- /dev/null
+++ b/app/controllers/heartbeats_controller.rb
@@ -0,0 +1,10 @@
+class HeartbeatsController < ApplicationController
+ before_action :authenticate_device
+ respond_to :json
+
+ def create
+ heartbeat = Heartbeat.create(device: @device)
+ render json: { next_heartbeat_time: heartbeat.next_heartbeat_time },
+ status: :created
+ end
+end
diff --git a/config/routes.rb b/config/routes.rb
index 7e2c1f6..75ed72d 100644
--- a/config/routes.rb
+++ b/config/routes.rb
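Review bot: In app/controllers/application_controller.rb the change to `protect_from_forgery with: :null_session` is made on ApplicationController itself, so it applies to every controller that inherits from it, not only the token-authenticated endpoint; unverified requests to any session-based controller would then proceed with an empty session instead of raising. Consider keeping `protect_from_forgery with: :exception` here and declaring `protect_from_forgery with: :null_session` only in the API controllers such as HeartbeatsController. Separately, `authenticate_device` is defined twice in this hunk: the second definition replaces the first, whose `authenticate_with_token` is not defined anywhere in the visible code, and that leaves `render_unauthorized` unused. If `render_unauthorized` is kept, `status: :unauthorised` should read `status: :unauthorized`, because the British spelling is not a status symbol Rack recognises.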
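Review bot: In app/controllers/heartbeats_controller.rb, `create` ignores the result of `Heartbeat.create(device: @device)`, so a heartbeat that fails validation is still answered with 201 Created and whatever `next_heartbeat_time` the unsaved record returns. DevicesController already answers validation failures with `:unprocessable_entity`, and the same branch here would keep a device from treating a failed write as accepted. Whether Heartbeat has validations that can fail is not visible in this diff, so treat this as a robustness point to confirm against the model.

```ruby
  def create
    heartbeat = Heartbeat.new(device: @device)
    if heartbeat.save
      render json: { next_heartbeat_time: heartbeat.next_heartbeat_time },
             status: :created
    else
      render json: { error: heartbeat.errors.full_messages },
             status: :unprocessable_entity
    end
  end
```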
@@ -1,5 +1,8 @@
 Rails.application.routes.draw do
 devise_for :admin_users, ActiveAdmin::Devise.config
+
+ post 'heartbeats', to: 'heartbeats#create', :defaults => { :format => :json }
+
 ActiveAdmin.routes(self)
 # The priority is based upon order of creation: first created -> highest priority.
 # See how all your routes lay out with "rake routes".
diff --git a/spec/controllers/heartbeats_controller_spec.rb b/spec/controllers/heartbeats_controller_spec.rb
new file mode 100644
index 0000000..8ba5709
--- /dev/null
+++ b/spec/controllers/heartbeats_controller_spec.rb
@@ -0,0 +1,20 @@
+require 'rails_helper'
+
+RSpec.describe HeartbeatsController, type: :controller do
+ let(:heartbeat) {FactoryGirl.create(:heartbeat)}
+
+ before(:each) do
+ request.env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Token.encode_credentials(heartbeat.device.access_token)
+ end
+
+ describe "POST #create" do
+ it "Respond with next heartbeat time" do
+ post :create, format: :json
+ expect(response).to have_http_status(:created)
+ expect(JSON.parse(response.body)["next_heartbeat_time"]).to
+ match(heartbeat.next_heartbeat_time)
+ end
+ end
+
+
+end
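Review bot: The new route in config/routes.rb mixes both hash syntaxes on one line, with `to:` next to `:defaults => { :format => :json }`; `post 'heartbeats', to: 'heartbeats#create', defaults: { format: :json }` reads consistently. The `routes.draw` block continues past the end of the hunk.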
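Review bot: In spec/controllers/heartbeats_controller_spec.rb the last expectation is split after `.to`, and Ruby ends the statement at that line break, so `match(heartbeat.next_heartbeat_time)` on the following line is evaluated on its own and never passed to `expect`; depending on the RSpec version the bare `.to` either raises or asserts nothing. Keep the matcher on the same line, for example `body = JSON.parse(response.body)` followed by `expect(body["next_heartbeat_time"]).to match(heartbeat.next_heartbeat_time)`. The spec also covers only a valid token; an example that sends no token or an unknown one and expects `have_http_status(:unauthorized)` would pin the check that `before_action :authenticate_device` is meant to enforce.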