diff --git a/app/__test__/auth/Authenticator.spec.ts b/app/__test__/auth/Authenticator.spec.ts
index 0794528..fcf8e5c 100644
--- a/app/__test__/auth/Authenticator.spec.ts
+++ b/app/__test__/auth/Authenticator.spec.ts
@@ -1,3 +1,41 @@
+import { Authenticator } from "auth/authenticate/Authenticator";
 import { describe, expect, test } from "bun:test";
-describe("Authenticator", async () => {});
+describe("Authenticator", async () => {
+ test("should return auth cookie headers", async () => {
+ const auth = new Authenticator({}, null as any, {
+ jwt: {
+ secret: "secret",
+ fields: [],
+ },
+ cookie: {
+ sameSite: "strict",
+ },
+ });
+ const headers = await auth.getAuthCookieHeader("token");
+ const cookie = headers.get("Set-Cookie");
+ expect(cookie).toStartWith("auth=");
+ expect(cookie).toEndWith("HttpOnly; Secure; SameSite=Strict");
+
+ // now expect it to be removed
+ const headers2 = await auth.removeAuthCookieHeader(headers);
+ const cookie2 = headers2.get("Set-Cookie");
+ expect(cookie2).toStartWith("auth=; Max-Age=0; Path=/; Expires=");
+ expect(cookie2).toEndWith("HttpOnly; Secure; SameSite=Strict");
+ });
+
+ test("should return auth cookie string", async () => {
+ const auth = new Authenticator({}, null as any, {
+ jwt: {
+ secret: "secret",
+ fields: [],
+ },
+ cookie: {
+ sameSite: "strict",
+ },
+ });
+ const cookie = await auth.unsafeGetAuthCookie("token");
+ expect(cookie).toStartWith("auth=");
+ expect(cookie).toEndWith("HttpOnly; Secure; SameSite=Strict");
+ });
+});
diff --git a/app/src/auth/authenticate/Authenticator.ts b/app/src/auth/authenticate/Authenticator.ts
index 52a2e42..711099b 100644
--- a/app/src/auth/authenticate/Authenticator.ts
+++ b/app/src/auth/authenticate/Authenticator.ts
@@ -327,6 +327,31 @@ export class Authenticator<
 await setSignedCookie(c, "auth", token, secret, this.cookieOptions);
 }
+ async getAuthCookieHeader(token: string, headers = new Headers()) {
+ const c = {
+ header: (key: string, value: string) => {
+ headers.set(key, value);
+ },
+ };
+ await this.setAuthCookie(c as any, token);
+ return headers;
+ }
+
+ async removeAuthCookieHeader(headers = new Headers()) {
+ const c = {
+ header: (key: string, value: string) => {
+ headers.set(key, value);
+ },
+ req: {
+ raw: {
+ headers,
+ },
+ },
+ };
+ this.deleteAuthCookie(c as any);
+ return headers;
+ }
+
 async unsafeGetAuthCookie(token: string): Promise {
 // this works for as long as cookieOptions.prefix is not set
 return serializeSigned("auth", token, this.config.jwt.secret, this.cookieOptions);
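Review bot: Both stub contexts write with `headers.set(key, value)`, so any `Set-Cookie` already present on a caller-supplied `Headers` is replaced rather than kept; if the cookie helper behind `setAuthCookie`/`deleteAuthCookie` passes an append option to `c.header` (not visible here), the stub drops it and an unrelated cookie such as a session or CSRF cookie would be lost. Consider `key.toLowerCase() === "set-cookie" ? headers.append(key, value) : headers.set(key, value)` in both stubs, with the spec then reading `headers.getSetCookie()` instead of `get("Set-Cookie")`. In `removeAuthCookieHeader` the same object also serves as `req.raw.headers`, and `deleteAuthCookie` is called without `await`; if that method is or becomes async, the headers are returned before the deletion cookie is written, so `await this.deleteAuthCookie(c as any);` is the safer form. The enclosing class and the body of `unsafeGetAuthCookie` continue outside the hunk.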