diff --git a/backend/api.go b/backend/api.go
index d9d73c3..1b41266 100644
--- a/backend/api.go
+++ b/backend/api.go
@@ -8,10 +8,12 @@ import (
 "io"
 "log"
 "net/http"
+ "sync"
 )
 
 type ApiHandler struct {
 db *Database
+ mutex sync.RWMutex
 authToken *string
 }
 
@@ -60,7 +62,10 @@ func (h *ApiHandler) ServeLoginPost(writer http.ResponseWriter, request *http.Re
 rawAuthToken := make([]byte, 128)
 _, _ = rand.Read(rawAuthToken)
 authToken := hex.EncodeToString(rawAuthToken)
+
+ h.mutex.Lock()
 h.authToken = &authToken
+ h.mutex.Unlock()
 
 cookie := http.Cookie{}
 cookie.Name = authTokenCookieName
@@ -85,7 +90,9 @@ func (h *ApiHandler) ServeLogoutPost(writer http.ResponseWriter, request *http.R
 http.SetCookie(writer, &cookie)
 }
 
+ h.mutex.Lock()
 h.authToken = nil
+ h.mutex.Unlock()
 
 WriteResponse(writer, http.StatusOK, map[string]interface{}{})
 
@@ -97,7 +104,9 @@ func (h *ApiHandler) ProcessAuth(next http.Handler, required bool) http.Handler
 isAuthorized := false
 cookie, _ := request.Cookie(authTokenCookieName)
 if cookie != nil {
+ h.mutex.RLock()
 isAuthorized = h.authToken != nil && *h.authToken == cookie.Value
+ h.mutex.RUnlock()
 }
 
 if !isAuthorized && required {
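Review bot: The new `mutex` field in ApiHandler carries no comment saying which state it guards; from the other hunks it protects only `authToken`, so say so on the field: `mutex sync.RWMutex // guards authToken`. A struct holding a mutex must not be copied, and the three methods touched by this commit all use a `*ApiHandler` receiver, which preserves that; any value copy of ApiHandler elsewhere in the package (not visible here) would silently give the copy its own lock. Go convention usually names such a field `mu`, but the rename is optional.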
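Review bot: The read lock in ProcessAuth is held across the token comparison, and that comparison is still plain `==`, so the lock closes the data race but leaves a timing-dependent comparison of the secret. Snapshot the pointer under RLock and compare outside the lock with crypto/subtle; the critical section shrinks to a pointer copy, which is safe because the string is never mutated in place (ServeLoginPost stores a freshly allocated one each time and ServeLogoutPost stores nil). This requires `"crypto/subtle"` in the import block changed by the first hunk. The enclosing handler continues outside the hunk.
```go
if cookie != nil {
	h.mutex.RLock()
	tok := h.authToken
	h.mutex.RUnlock()
	isAuthorized = tok != nil && subtle.ConstantTimeCompare([]byte(*tok), []byte(cookie.Value)) == 1
}
// … unchanged: required/!isAuthorized handling …
```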