diff --git a/controllers/auth.controller.js b/controllers/auth.controller.js
index e876dfd..8c3b405 100644
--- a/controllers/auth.controller.js
+++ b/controllers/auth.controller.js
@@ -1,5 +1,5 @@
 const AuthService = require('../services/auth.service');
-const { registerSchema, loginSchema } = require('../helpers/authValidation');
+const { registerSchema, loginSchema } = require('../helpers/validation');
 const { setResponse } = require('../helpers/utils');
 const { createCaptcha } = require('../utils/captcha');
 
@@ -11,29 +11,32 @@ class AuthController {
       const { error, value } = registerSchema.validate(req.body, { abortEarly: false });
 
       if (error) {
-        // kumpulkan pesan error per field
         const errors = error.details.reduce((acc, cur) => {
           const field = Array.isArray(cur.path) ? cur.path.join('.') : String(cur.path);
           if (!acc[field]) acc[field] = [];
           acc[field].push(cur.message);
           return acc;
         }, {});
-
-        return res.status(400).json(
-          setResponse(errors, 'Validation failed', 400)
-        );
+        return res.status(400).json(setResponse(errors, 'Validation failed', 400));
       }
 
-      // Normalisasi phone menjadi +62
       if (value.phone && value.phone.startsWith('0')) {
         value.phone = '+62' + value.phone.slice(1);
       }
 
-      const user = await AuthService.register(value);
-      return res.status(201).json(
-        setResponse(user, 'User registered successfully', 201)
-      );
+      const { user, tokens } = await AuthService.register(value);
 
+      // Set refresh token in cookie
+      res.cookie('refreshToken', tokens.refreshToken, {
+        httpOnly: true,
+        secure: process.env.NODE_ENV === 'production',
+        sameSite: 'strict',
+        maxAge: 7 * 24 * 60 * 60 * 1000 // 7 hari
+      });
+
+      return res.status(201).json(
+        setResponse({ user, accessToken: tokens.accessToken }, 'User registered successfully', 201)
+      );
     } catch (err) {
       return res.status(err.statusCode || 500).json(
         setResponse([], err.message || 'Register failed', err.statusCode || 500)
@@ -41,18 +44,17 @@ class AuthController {
     }
   }
 
-
+  // Captcha
   static async generateCaptcha(req, res) {
     try {
       const { svg, text } = createCaptcha();
-      return res.status(200).json({
-        data: { svg, text }
-      });
+      return res.status(200).json({ data: { svg, text } });
     } catch (err) {
       return res.status(500).json(setResponse([], 'Captcha failed', 500));
     }
   }
 
+  // Login
   static async login(req, res) {
     try {
       const { error, value } = loginSchema.validate(req.body, { abortEarly: false });
@@ -60,15 +62,23 @@ class AuthController {
 
       const { email, password, captcha, captchaText } = value;
 
-      // verify captcha
       if (!captcha || captcha.toLowerCase() !== captchaText.toLowerCase()) {
         return res.status(400).json(setResponse([], 'Invalid captcha', 400));
       }
 
       const { user, tokens } = await AuthService.login({ email, password });
 
-      return res.status(200).json(setResponse({ user, tokens }, 'Login successful', 200));
+      // Set refresh token in cookie
+      res.cookie('refreshToken', tokens.refreshToken, {
+        httpOnly: true,
+        secure: process.env.NODE_ENV === 'production',
+        sameSite: 'strict',
+        maxAge: 7 * 24 * 60 * 60 * 1000 // 7 hari
+      });
 
+      return res.status(200).json(
+        setResponse({ user, accessToken: tokens.accessToken }, 'Login successful', 200)
+      );
     } catch (err) {
       return res.status(err.statusCode || 500).json(
         setResponse([], err.message || 'Login failed', err.statusCode || 500)
@@ -76,28 +86,37 @@ class AuthController {
     }
   }
 
-// // Verify Captcha (secure)
-//   static async verifyCaptcha(req, res) {
-//     const { userInput } = req.body;
+  // Refresh Token
+  static async refreshToken(req, res) {
+    try {
+      const refreshToken = req.cookies?.refreshToken;
+      if (!refreshToken) {
+        return res.status(401).json(setResponse(null, 'Refresh token is required', 401));
+      }
 
-//     if (!userInput || !req.session.captcha) {
-//       return res.status(400).json(
-//         setResponse([], 'Missing data', 400)
-//       );
-//     }
+      const result = await AuthService.refreshToken(refreshToken);
 
-//     if (userInput.toLowerCase() === req.session.captcha.toLowerCase()) {
-//       req.session.captcha = null; // one-time use
-//       return res.json(
-//         setResponse([], 'Captcha is valid', 200)
-//       );
-//     } else {
-//       return res.status(400).json(
-//         setResponse([], 'Invalid captcha', 400)
-//       );
-//     }
-//   }
+      return res.status(200).json(setResponse(result, 'Token refreshed successfully', 200));
+    } catch (err) {
+      return res.status(err.statusCode || 500).json(
+        setResponse(null, err.message || 'Refresh token failed', err.statusCode || 500)
+      );
+    }
+  }
 
+  // Logout
+  static async logout(req, res) {
+    try {
+      res.clearCookie('refreshToken', {
+        httpOnly: true,
+        secure: process.env.NODE_ENV === 'production',
+        sameSite: 'strict',
+      });
+      return res.status(200).json(setResponse(null, 'Logged out successfully', 200));
+    } catch (err) {
+      return res.status(500).json(setResponse(null, 'Logout failed', 500));
+    }
+  }
 }
 
 module.exports = AuthController;