diff --git a/app/controllers/tokens_controller.rb b/app/controllers/tokens_controller.rb
new file mode 100644
index 0000000..c3dabba
--- /dev/null
+++ b/app/controllers/tokens_controller.rb
@@ -0,0 +1,10 @@
+# Copyright (C) 2024 Manuel Bustillo
+
+class TokensController < ApplicationController
+  skip_before_action :authenticate_user!
+  skip_before_action :set_tenant
+
+  def show
+    head :ok
+  end
+end
diff --git a/config/routes.rb b/config/routes.rb
index bd26594..1075005 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -2,6 +2,16 @@
 
 Rails.application.routes.draw do
   mount LetterOpenerWeb::Engine, at: "/letter_opener" if Rails.env.development?
+  get 'token' => 'tokens#show', as: :token
+  get 'up' => 'rails/health#show', as: :rails_health_check
+
+  resources :captcha, only: :create do
+    get 'v2/media', to: 'captcha#media', on: :collection, as: :media
+  end
+
+  mount Rswag::Ui::Engine => '/api-docs'
+  mount Rswag::Api::Engine => '/api-docs'
+
   scope ":slug", constraints: { slug: Wedding::SLUG_REGEX } do
     devise_for :users, skip: [:registration, :session, :confirmation]
     devise_scope :user do
@@ -24,13 +34,4 @@ Rails.application.routes.draw do
 
     root to: redirect("/%{slug}")
   end
-
-  resources :captcha, only: :create do
-    get 'v2/media', to: 'captcha#media', on: :collection, as: :media
-  end
-
-  mount Rswag::Ui::Engine => '/api-docs'
-  mount Rswag::Api::Engine => '/api-docs'
-
-  get 'up' => 'rails/health#show', as: :rails_health_check
 end
diff --git a/spec/requests/tokens_spec.rb b/spec/requests/tokens_spec.rb
new file mode 100644
index 0000000..5a08e05
--- /dev/null
+++ b/spec/requests/tokens_spec.rb
@@ -0,0 +1,15 @@
+# Copyright (C) 2024 Manuel Bustillo
+
+require 'swagger_helper'
+
+RSpec.describe 'tokens', type: :request do
+  path '/token' do
+    get('get a cookie with CSRF token') do
+      tags 'CSRF token'
+      consumes 'application/json'
+      produces 'application/json'
+      
+      response_empty_200
+    end
+  end
+end