diff --git a/src/webqueue2api/api/app.py b/src/webqueue2api/api/app.py
new file mode 100644
index 0000000..d9984c0
--- /dev/null
+++ b/src/webqueue2api/api/app.py
@@ -0,0 +1,30 @@
+from flask import Flask
+from flask_restful import Api
+from flask_jwt_extended import JWTManager
+from .config import config
+
+app = Flask(__name__)
+api = Api(app)
+
+# Set JWT secret key and create JWT manager
+app.config["JWT_SECRET_KEY"] = config.jwt_secret_key
+# The JWT RFC uses the "sub" key for identity claims. However,
+# Flask-JWT-Extended uses "identity" by default for compatibility reasons so
+# we ovverride the default claim key to comply with the RFC
+app.config["JWT_IDENTITY_CLAIM"] = "sub"
+# Set the key for error messages generated by Flask-JWT-Extended
+app.config["JWT_ERROR_MESSAGE_KEY"] = "message"
+
+# Look for JWTs in headers (for access) then cookies (for refresh)
+app.config["JWT_TOKEN_LOCATION"] = ["headers", "cookies"]
+# Restrict cookies to HTTPS in prod, allow HTTP in dev
+app.config["JWT_COOKIE_SECURE"] = False if config.jwt_secret_key == "dev" else True
+# Restrict cookies using SameSite=strict flag
+app.config["JWT_COOKIE_SAMESITE"] = "strict"
+# Restrict refresh tokens to /token/refresh endpoint
+app.config["JWT_REFRESH_COOKIE_PATH"] = '/tokens/refresh'
+# Set the cookie key for CRSF validation string
+# This is the default value. Adding it for easy reference
+app.config["JWT_REFRESH_CSRF_HEADER_NAME"] = "X-CSRF-TOKEN"
+
+tokenManager = JWTManager(app)
\ No newline at end of file
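Review bot: The Secure flag on the JWT cookies is derived from the value of the signing secret (`JWT_COOKIE_SECURE` is False only when `config.jwt_secret_key == "dev"`), which couples cookie transport protection to the secret rather than to the deployment environment: a production instance started with the placeholder secret silently gets both a guessable signing key and non-Secure cookies, while a dev instance using any other key gets Secure cookies that browsers will not accept over plain HTTP. Drive it from an explicit environment signal instead, e.g. `app.config["JWT_COOKIE_SECURE"] = not app.debug`, or a dedicated flag in `config` if one exists. Separately, the comment above `JWT_REFRESH_COOKIE_PATH` names `/token/refresh` while the value is `'/tokens/refresh'`, the comment on `JWT_REFRESH_CSRF_HEADER_NAME` calls it a cookie key although it configures the request header name, and `CRSF`/`ovverride` are typos. Because the refresh cookie path and CSRF header name must match the route that issues and consumes the refresh token, which is not in this hunk, both values are worth confirming against that view.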