diff --git a/Modules/Primaya/Http/Controllers/Api/AuthController.php b/Modules/Primaya/Http/Controllers/Api/AuthController.php
new file mode 100644
index 00000000..378328bc
--- /dev/null
+++ b/Modules/Primaya/Http/Controllers/Api/AuthController.php
@@ -0,0 +1,295 @@
+<?php
+
+namespace Modules\Primaya\Http\Controllers\Api;
+
+use App\Http\Controllers\Controller;
+use App\Models\User;
+use Crypt;
+use Error;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Auth;
+use Illuminate\Support\Facades\Hash;
+use Illuminate\Support\Facades\Mail;
+use Modules\Internal\Emails\SendVerifyEmail;
+use Modules\Internal\Events\ForgetPassword;
+use Illuminate\Support\Facades\Validator;
+use Modules\Primaya\Helpers\ApiResponse;
+use Illuminate\Support\Facades\DB;
+use App\Helpers\Helper;
+use Illuminate\Support\Facades\View;
+
+class AuthController extends Controller
+{
+    public function login(Request $request)
+    {
+        $data = [
+            'email' => $request->email,
+            'password' => $request->password
+        ];
+        $validator = Validator::make($request->all(), [
+            'email' => 'required|email',
+            'password' => 'required'
+        ], [
+            'email.required' => trans('Validation.required',['attribute' => 'Email']),
+            'email.email' => trans('Validation.email'),
+            'password.required' => trans('Validation.required',['attribute' => 'Password']),
+        ]);
+
+        if ($validator->fails())
+        {
+           return ApiResponse::apiResponse('Bad Request', $data, $validator->errors(), 400);
+        }
+        else
+        {
+            $user = User::where('email', $request->email)->first();
+            if (!$user) {
+                return ApiResponse::apiResponse('Not Found', $data, trans('Message.not_found'), 404);
+            }
+
+            if (!Hash::check($request->password, $user->password)) {
+                return ApiResponse::apiResponse('Bad Request', $data, trans('Message.password'), 400);
+            }
+
+            $res_data = [
+                'user' => $user,
+                'token' => $user->createToken('app')->plainTextToken
+            ];
+
+            return ApiResponse::apiResponse("Success", $res_data, trans('Message.success'), 200);
+        }
+    }
+
+    public function logout(Request $request)
+    {
+        $request->user()->tokens()->delete();
+
+        return ApiResponse::apiResponse('Success', [], trans('Message.logout'), 200);
+    }
+
+    public function resetPassword(Request $request)
+    {
+        $user = Auth::user();
+
+        $request->validate([
+            'old_password' => 'required',
+            'new_password' => 'required',
+            'confirm_new_password' => 'required'
+        ]);
+
+        if (!Hash::check($request['old_password'], $user->password)) {
+            return response(['Message' => 'Password Salah'], 403);
+        }
+
+        if ($request["new_password"] != $request["confirm_new_password"]) {
+            return response([
+                'Message' => "Password Tidak Sama"
+            ]);
+        }
+
+        $user->update([
+            'password' => Hash::make($request->confirm_new_password),
+        ]);
+        return response()->json($user);
+    }
+
+    public function verifyEmail(Request $request)
+    {
+        $data = [
+            'email' => $request->email,
+        ];
+
+        $validator = Validator::make($request->all(), [
+            'email' => 'required|email',
+        ], [
+            'email.required' => trans('Validation.required',['attribute' => 'Email']),
+            'email.email' => trans('Validation.email'),
+        ]);
+
+        if ($validator->fails())
+        {
+           return ApiResponse::apiResponse('Bad Request', $data, $validator->errors(), 400);
+        }
+        else
+        {
+            $user = User::where('email', $request->email)->first();
+            if (!$user) {
+                return ApiResponse::apiResponse('Not Found', $data, trans('Message.not_found'), 404);
+            }
+
+            //send email
+            // Insert data notifications
+            $emailTo = $request->email;
+            $dataNotif = [
+                'user_id' => $user->id,
+                'email' => $emailTo,
+                'title' => 'Forgot Password',
+                'description' => 'Request forgot password from Hospital Portal',
+                'type' => 1,
+                'isUnRead' => true,
+                'created_by' => auth()->check() ? auth()->user()->id : null,
+                'created_at' => date('Y-m-d H:i:s'),
+                'updated_at' => date('Y-m-d H:i:s'),
+            ];
+            $sendNotif = Helper::insertNotification($dataNotif);
+            //Insert data password reset
+            $token = mt_rand(100000, 999999); // Menghasilkan angka acak antara 100000 dan 999999
+            $p_resets = DB::table('password_resets')
+            ->insert([
+                'email' => $request->email,
+                'token' => $token,
+                'created_at' => date('Y-m-d H:i:s'),
+            ]);
+            // Send Email after insert notifications
+            if($sendNotif && $p_resets)
+            {
+                //send to alarm
+                $nameTo = 'User';
+                $dataEmail = [
+                    'email' => $emailTo,
+                    'name' => $nameTo,
+                    'subject' => 'Request Forgot Password from Hospital Portal Date '. date('Y-m-d H:i:s'),
+                    'body' => View::make('email/forgot_password', ['token' => $token])->render(),
+                ];
+                Helper::sendEmail($dataEmail);
+
+                $res = DB::table('password_resets')
+                ->where('email', '=', $request->email)
+                ->where('token', '=', $token)
+                ->first();
+
+                return ApiResponse::apiResponse("Success", $res, trans('Message.success'), 200);
+            }
+            else
+            {
+                return ApiResponse::apiResponse("Internal Server Error", $data, trans('Message.server_error'), 500);
+            }
+        }
+    }
+
+    public function verifCode(Request $request)
+    {
+        $data = [
+            'email' => $request->email,
+            'token' => $request->token,
+        ];
+
+        $validator = Validator::make($request->all(), [
+            'email' => 'required|email',
+            'token' => 'required|numeric',
+        ], [
+            'email.required' => trans('Validation.required',['attribute' => 'Email']),
+            'email.email' => trans('Validation.email'),
+            'token.required' => trans('Validation.required',['attribute' => 'Token']),
+            'token.numeric' => trans('Validation.required',['attribute' => 'Code Numeric']),
+        ]);
+
+        if ($validator->fails())
+        {
+           return ApiResponse::apiResponse('Bad Request', $data, $validator->errors(), 400);
+        }
+        else
+        {
+            //Check Time
+            $check = DB::table('password_resets')
+            ->where('email', '=', $request->email)
+            ->where('token', '=', $request->token)
+            ->select('created_at')
+            ->first();
+
+            if($check)
+            {
+                $created_at = strtotime($check->created_at); // Konversi string waktu ke UNIX timestamp
+                $now = time(); // Waktu sekarang dalam UNIX timestamp
+
+                // Hitung selisih waktu dalam menit
+                $diffInMinutes = ($now - $created_at) / 60;
+
+                if ($diffInMinutes > 60) {
+                    return ApiResponse::apiResponse('Not Found', $data, trans('Message.token_expired'), 404);
+                } else {
+                    // Lanjutkan dengan proses pemulihan kata sandi
+                    return ApiResponse::apiResponse("Success", $data, trans('Message.success'), 200);
+                }
+            }
+            else
+            {
+                return ApiResponse::apiResponse('Not Found', $data, trans('Message.not_found'), 404);
+            }
+        }
+    }
+
+    public function forgetPassword(Request $request)
+    {
+        $data = [
+            'email' => $request->email,
+            'token' => $request->token,
+            'new_password' => $request->new_password
+        ];
+
+        $validator = Validator::make($request->all(), [
+            'email' => 'required|email',
+            'token' => 'required|numeric',
+            'new_password' => [
+                'required',
+                'min:8',
+                'regex:/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d).{8,}$/'
+            ]
+        ], [
+            'email.required' => trans('Validation.required',['attribute' => 'Email']),
+            'email.email' => trans('Validation.email'),
+            'token.required' => trans('Validation.required',['attribute' => 'Token']),
+            'new_password.required' => trans('Validation.required',['attribute' => 'New Password']),
+            'new_password.min' => trans('Validation.min',['attribute' => 'New Password']),
+            'new_password.regex' => trans('Validation.regex',['attribute' => 'New Password']),
+        ]);
+
+        if($request->new_password != $request->confirm_new_password)
+        {
+            return ApiResponse::apiResponse('Bad Request', $data, 'Confirm password is not the same', 400);
+        }
+        else if ($validator->fails())
+        {
+           return ApiResponse::apiResponse('Bad Request', $data, $validator->errors(), 400);
+        }
+        else
+        {
+            //Check Time
+            $check = DB::table('password_resets')
+            ->where('email', '=', $request->email)
+            ->where('token', '=', $request->token)
+            ->select('created_at')
+            ->first();
+
+            if($check)
+            {
+                $created_at = strtotime($check->created_at); // Konversi string waktu ke UNIX timestamp
+                $now = time(); // Waktu sekarang dalam UNIX timestamp
+
+                // Hitung selisih waktu dalam menit
+                $diffInMinutes = ($now - $created_at) / 60;
+
+                if ($diffInMinutes > 60) {
+                    return ApiResponse::apiResponse('Not Found', $data, trans('Message.token_expired'), 404);
+                } else {
+                    // Lanjutkan dengan proses pemulihan kata sandi
+                    $user = User::where('email', $request->email)->first();
+                    if ($user)
+                    {
+                        $newPassword = Hash::make($request->new_password);
+                        $user->password = $newPassword;
+                        $user->save();
+                        return ApiResponse::apiResponse("Success", $data, trans('Message.success'), 200);
+                    }
+                    else
+                    {
+                        return ApiResponse::apiResponse('Not Found', $data, trans('Message.token_expired'), 404);
+                    }
+                }
+            }
+            else
+            {
+                return ApiResponse::apiResponse('Not Found', $data, trans('Message.not_found'), 404);
+            }
+        }
+    }
+}
diff --git a/Modules/Primaya/Http/Middleware/Authentication.php b/Modules/Primaya/Http/Middleware/Authentication.php
new file mode 100644
index 00000000..9d86293d
--- /dev/null
+++ b/Modules/Primaya/Http/Middleware/Authentication.php
@@ -0,0 +1,65 @@
+<?php
+
+namespace Modules\Primaya\Http\Middleware;
+use Modules\Primaya\Helpers\ApiResponse;
+
+use Closure;
+use Illuminate\Http\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Illuminate\Support\Facades\App;
+
+class Authentication
+{
+    /**
+     * Handle an incoming request.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @param  \Closure(\Illuminate\Http\Request): (\Illuminate\Http\Response|\Illuminate\Http\RedirectResponse)  $next
+     * @return \Illuminate\Http\Response|\Illuminate\Http\RedirectResponse
+     */
+    public function handle(Request $request, Closure $next)
+    {
+        $acceptHeader = $request->header('Accept');
+        $contentType = $request->header('Content-Type');
+        $locale = $request->header('Accept-Language');
+
+        // Add language
+        if(!$locale)
+        {
+            return ApiResponse::apiResponse('Unauthorized', null, trans('validation.required', ['attribute' => 'Accept-Language']), 401);
+        }
+        if($locale !== 'en-US' && $locale !== 'id-ID')
+        {
+            return ApiResponse::apiResponse('Bad Request', null, trans('validation.invalid', ['attribute' => 'Accept-Language']), 400);
+        }
+        if ($locale === 'en-US')
+        {
+            App::setLocale('en');
+        } elseif ($locale === 'id-ID')
+        {
+            App::setLocale('id');
+        } else
+        {
+            App::setLocale('en');
+        }
+
+        // Validate type accept & content type
+        if (!$acceptHeader)
+        {
+            return ApiResponse::apiResponse('Unauthorized', null, trans('validation.required', ['attribute' => 'Accept']), 401);
+        }
+        if (!$contentType)
+        {
+            return ApiResponse::apiResponse('Unauthorized', null, trans('validation.required', ['attribute' => 'Content-Type']), 401);
+        }
+        if ($acceptHeader !== 'application/json')
+        {
+            return ApiResponse::apiResponse('Bad Request', null, trans('validation.invalid', ['attribute' => 'Accept']), 400);
+        }
+        if($contentType !== 'application/json')
+        {
+            return ApiResponse::apiResponse('Bad Request', null, trans('validation.invalid', ['attribute' => 'Content-Type']), 400);
+        }
+        return $next($request);
+    }
+}
diff --git a/Modules/Primaya/Http/Middleware/Authorization.php b/Modules/Primaya/Http/Middleware/Authorization.php
new file mode 100644
index 00000000..0673424f
--- /dev/null
+++ b/Modules/Primaya/Http/Middleware/Authorization.php
@@ -0,0 +1,71 @@
+<?php
+
+namespace Modules\Primaya\Http\Middleware;
+use Modules\Primaya\Helpers\ApiResponse;
+
+use Closure;
+use Illuminate\Http\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Illuminate\Support\Facades\App;
+
+class Authorization
+{
+    /**
+     * Handle an incoming request.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @param  \Closure(\Illuminate\Http\Request): (\Illuminate\Http\Response|\Illuminate\Http\RedirectResponse)  $next
+     * @return \Illuminate\Http\Response|\Illuminate\Http\RedirectResponse
+     */
+    public function handle(Request $request, Closure $next)
+    {
+        $acceptHeader = $request->header('Accept');
+        $contentType = $request->header('Content-Type');
+        $locale = $request->header('Accept-Language');
+        $authorization = $request->header('Authorization');
+
+        // Add language
+        if(!$locale)
+        {
+            return ApiResponse::apiResponse('Unauthorized', null, trans('Validation.required', ['attribute' => 'Accept-Language']), 401);
+        }
+        if($locale !== 'en-US' && $locale !== 'id-ID')
+        {
+            return ApiResponse::apiResponse('Bad Request', null, trans('Validation.invalid', ['attribute' => 'Accept-Language']), 400);
+        }
+        if ($locale === 'en-US')
+        {
+            App::setLocale('en');
+        } elseif ($locale === 'id-ID')
+        {
+            App::setLocale('id');
+        } else
+        {
+            App::setLocale('en');
+        }
+
+        // Validate authorization
+        if (empty($authorization) || strpos($authorization, 'Bearer ') !== 0) {
+            return ApiResponse::apiResponse('Unauthorized', null, trans('Validation.required', ['attribute' => 'Authorization']), 401);
+        }
+
+        // Validate type accept & content type
+        if (!$acceptHeader)
+        {
+            return ApiResponse::apiResponse('Unauthorized', null, trans('Validation.required', ['attribute' => 'Accept']), 401);
+        }
+        if (!$contentType && $request->isMethod('post'))
+        {
+            return ApiResponse::apiResponse('Unauthorized', null, trans('Validation.required', ['attribute' => 'Content-Type']), 401);
+        }
+        if ($acceptHeader !== 'application/json')
+        {
+            return ApiResponse::apiResponse('Bad Request', null, trans('Validation.invalid', ['attribute' => 'Accept']), 400);
+        }
+        if($contentType !== 'application/json' && $request->isMethod('post'))
+        {
+            return ApiResponse::apiResponse('Bad Request', null, trans('Validation.invalid', ['attribute' => 'Content-Type']), 400);
+        }
+        return $next($request);
+    }
+}