diff --git a/app/Http/Controllers/ApiController.php b/app/Http/Controllers/ApiController.php
new file mode 100644
index 0000000..80ac9a6
--- /dev/null
+++ b/app/Http/Controllers/ApiController.php
@@ -0,0 +1,57 @@
+<?php
+
+namespace App\Http\Controllers;
+
+use App\Http\Requests;
+use App\Http\Controllers\Controller;
+
+use Illuminate\Http\Request;
+use App\Models\ApiModel;
+use Carbon\Carbon;
+use Illuminate\Support\Facades\Input;
+
+class ApiController extends Controller
+{
+
+	public function login(Request $request)
+	{
+		$ApiModel 		= new ApiModel;
+		$post 			=	$request->all();
+		$response 	 = $ApiModel->loginProductionUser($post['username'], $post['password']);
+		if (!$response) {
+			return response()->json(['status' => false, 'message' => "Invalid user"], 401);
+		}
+
+		return response()->json(['status' => true, 'data' => $response[0]], 200);
+	}
+
+	public function insert(Request $request)
+	{
+		$ApiModel 		= new ApiModel;
+		$post 			=	$request->json()->all();
+		
+		$data = array(
+			"StepId" => $post['StepId'],
+			"ScannedBy" => $post['ScannedBy'],
+			"InvoiceNumber" => $post['invoice'],
+			"Timezone" => $post['timezone'],
+			"TimezoneOffset" => date('H:i:s',strtotime($post['timezoneOffset'])),
+			"DeviceId" =>$post['deviceId'],
+			"created_at" => date('Y-m-d H:i:s', strtotime($post['datetime']))
+		);
+		$response 	 = $ApiModel->insertTracking($data);
+		if (!$response) {
+			return response()->json(['status' => false, 'message' => "Something went wrong."], 401);
+		}
+
+		return response()->json(['status' => true, 'message' => 'Successfully updated.'], 201);
+	}
+
+	public function getTrackingStatus()
+	{
+		$ApiModel 		= new ApiModel;
+		$invoice = Input::get('invoice');
+		$response 	 = $ApiModel->getTrackingStatus($invoice);
+		return response()->json(['status' => true, 'data' => $response], 200);
+	}
+}
diff --git a/app/Http/Controllers/MainController.php b/app/Http/Controllers/MainController.php
index a3fcd8e..e27650a 100644
--- a/app/Http/Controllers/MainController.php
+++ b/app/Http/Controllers/MainController.php
@@ -7,7 +7,7 @@ use Illuminate\Http\Request;
 use App\Models\MainModel;
 // use Illuminate\Support\Facades\Request;
 use Analytics;
-use Session;
+use Illuminate\Support\Facades\Session;
 
 class MainController extends Controller {
 
diff --git a/app/Http/Controllers/paypal/PaypalController.php b/app/Http/Controllers/paypal/PaypalController.php
index 89a6d30..b50c6e8 100644
--- a/app/Http/Controllers/paypal/PaypalController.php
+++ b/app/Http/Controllers/paypal/PaypalController.php
@@ -8,6 +8,7 @@ use Illuminate\Http\Request;
 use Netshell\Paypal\Facades\Paypal;
 use App\Models\teamstore\TeamStoreModel;
 use App\Models\user\UserModel;
+use App\Models\ApiModel;
 use App\Models\paypal\PayPalModel;
 // use Auth;
 use Illuminate\Support\Facades\Auth;
@@ -19,7 +20,6 @@ use Illuminate\Support\Facades\Redirect;
 use Illuminate\Support\Facades\Mail;
 
 
-
 class PaypalController extends Controller
 {
 
@@ -74,8 +74,6 @@ class PaypalController extends Controller
 		$payer = PayPal::Payer();
 		$payer->setPaymentMethod('paypal');
 
-
-
 		$m		 		= new TeamStoreModel;
 		$paypal_model	= new PayPalModel;
 		$last_id 		= $paypal_model->getLastIdPaymentDetails();
@@ -382,6 +380,17 @@ class PaypalController extends Controller
 		});
 		// end email sending
 
+
+		$insertTracking = array(
+			"StepId" => 1,
+			"ScannedBy" => 1,
+			"InvoiceNumber" => $invoice_number,
+			"created_at" => date('Y-m-d H:i:s')
+		);
+
+		$ApiModel 		= new ApiModel;
+		$ApiModel->insertTracking($insertTracking);
+
 		$request->session()->forget('cartkey'); // clear session for cartkey
 
 		// redirect to thank you page.
diff --git a/app/Http/Kernel.php b/app/Http/Kernel.php
index 5264cc1..0a75941 100644
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
@@ -30,6 +30,8 @@ class Kernel extends HttpKernel {
 		'teamstoresession' => 'App\Http\Middleware\CheckTeamStorePassword',
 		'admin' => '\App\Http\Middleware\IsAdmin',
 		'normaluser' => '\App\Http\Middleware\IsUser',
+		'isAuthorized' => '\App\Http\Middleware\isAuthorized',
+		'cors' => 'App\Http\Middleware\Cors',
 	];
 
 }
diff --git a/app/Http/Middleware/Cors.php b/app/Http/Middleware/Cors.php
new file mode 100644
index 0000000..da2a8ba
--- /dev/null
+++ b/app/Http/Middleware/Cors.php
@@ -0,0 +1,28 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use Closure;
+
+class Cors
+{
+
+	/**
+	 * Handle an incoming request.
+	 *
+	 * @param  \Illuminate\Http\Request  $request
+	 * @param  \Closure  $next
+	 * @return mixed
+	 */
+	public function handle($request, Closure $next)
+	{
+		header("Access-Control-Allow-Origin: *");
+		header('Access-Control-Allow-Methods: GET, POST, OPTIONS');
+		header("Access-Control-Allow-Headers: *");
+		// header('Access-Control-Allow-Credentials: true');
+
+		if (!$request->isMethod('options')) {
+			return $next($request);
+		}
+	}
+}
diff --git a/app/Http/Middleware/VerifyCsrfToken.php b/app/Http/Middleware/VerifyCsrfToken.php
index 6e81e95..3add0cf 100644
--- a/app/Http/Middleware/VerifyCsrfToken.php
+++ b/app/Http/Middleware/VerifyCsrfToken.php
@@ -13,9 +13,23 @@ class VerifyCsrfToken extends BaseVerifier {
 	 * @return mixed
 	 */
 
+	protected $except = [
+		"api/*",
+	];
+
+	// public function handle($request, Closure $next)
+	// {
+	// 	return parent::handle($request, $next);
+	// }
+
 	public function handle($request, Closure $next)
 	{
-		return parent::handle($request, $next);
+			foreach($this->except as $route) {
+					if ($request->is($route)) {
+							return $next($request);
+					}
+			}
+			return parent::handle($request, $next);
 	}
 
 }
diff --git a/app/Http/Middleware/isAuthorized.php b/app/Http/Middleware/isAuthorized.php
new file mode 100644
index 0000000..be156f7
--- /dev/null
+++ b/app/Http/Middleware/isAuthorized.php
@@ -0,0 +1,23 @@
+<?php namespace App\Http\Middleware;
+
+use Closure;
+
+class isAuthorized {
+
+	/**
+	 * Handle an incoming request.
+	 *
+	 * @param  \Illuminate\Http\Request  $request
+	 * @param  \Closure  $next
+	 * @return mixed
+	 */
+	public function handle($request, Closure $next)
+	{
+		if(isset(getallheaders()['token']) && getallheaders()['token']=="1HHIaIsT4pvO2S39vMzlVfGWi3AhAz6F5xGBNKil") {
+			return $next($request);
+		}else{
+				return response()->json(['status' => false,'error' => "Invalid request"], 503);
+		}
+	}
+
+}
diff --git a/app/Http/routes.php b/app/Http/routes.php
index 66be14e..a08972a 100644
--- a/app/Http/routes.php
+++ b/app/Http/routes.php
@@ -184,4 +184,10 @@ Route::get('cliparts/index', 'cliparts\ClipartsController@index');
 
 // Route::get('analytics', function (){
 // 	$analyticsData = LaravelAnalytics::getVisitorsAndPageViews(7);
-// });
\ No newline at end of file
+// });
+
+Route::group(array('middleware' => ['isAuthorized', 'cors'], 'prefix' => 'api'), function (){
+	Route::post('login', 'ApiController@login');
+	Route::post('insert', 'ApiController@insert');
+	Route::get('tracking', 'ApiController@getTrackingStatus');
+});
\ No newline at end of file
diff --git a/app/Models/ApiModel.php b/app/Models/ApiModel.php
new file mode 100644
index 0000000..1d0c1ee
--- /dev/null
+++ b/app/Models/ApiModel.php
@@ -0,0 +1,34 @@
+<?php
+
+namespace App\models;
+
+use Illuminate\Database\Eloquent\Model;
+use Illuminate\Support\Facades\DB;
+
+class ApiModel extends Model
+{
+
+	function loginProductionUser($username, $password){
+		$i = DB::table('production_user')
+					->where('Username', $username)
+					->where('Password', $password)
+					->get();
+			return $i;
+	}
+
+	function getTrackingStatus($invoice)
+	{
+		$i = DB::table('tracking')->select('tracking.Id', 'tracking.InvoiceNumber', 'tracking_steps.StepLabel', 'production_user.Name', DB::raw('DATE_FORMAT(tracking.created_at, "%b %d, %Y") AS date'), DB::raw('DATE_FORMAT(tracking.created_at, "%H:%i") AS time'))
+			->leftjoin('tracking_steps', 'tracking_steps.Id', '=', 'tracking.StepId')
+			->leftjoin('production_user', 'production_user.Id', '=', 'tracking.ScannedBy')
+			->where('tracking.InvoiceNumber', '=', $invoice)
+			->orderBy('tracking.created_at', 'DESC')
+			->get();
+		return $i;
+	}
+
+	function insertTracking($data){
+		$i = DB::table('tracking')->insert($data);
+		return $i;
+	}
+}
diff --git a/app/Models/MainModel.php b/app/Models/MainModel.php
index bc7e2e3..5381df5 100644
--- a/app/Models/MainModel.php
+++ b/app/Models/MainModel.php
@@ -1,6 +1,6 @@
 <?php namespace App\Models;
 use Illuminate\Database\Eloquent\Model;
-use DB;
+use Illuminate\Support\Facades\DB;
 
 class MainModel extends Model {
 
diff --git a/config/services.php b/config/services.php
index f0650e9..f4ddf3b 100644
--- a/config/services.php
+++ b/config/services.php
@@ -36,7 +36,7 @@ return [
 
 	// sandbox
 	// 'paypal' => [
-  //       'client_id' => 'AQuz-HKzQiL7FygkG8skSekaWf-RP6Rgj4f1XeX1Ghp86bUFj7tQXVT1xbpluu5_WCGRbQpOVGtlJKVB',
+    //     'client_id' => 'AQuz-HKzQiL7FygkG8skSekaWf-RP6Rgj4f1XeX1Ghp86bUFj7tQXVT1xbpluu5_WCGRbQpOVGtlJKVB',
 	// 	'secret' => 'EJAMKxQsl-mFkL_4J_90cvTamYfcsgswqgIxz9wQPiRAwJ6sy_wNsttMlmrXIpxI96JpYzdMXkLCHAPz'
 	// ], 
 	
diff --git a/database/migrations/2020_11_17_214014_create_api_models_table.php b/database/migrations/2020_11_17_214014_create_api_models_table.php
new file mode 100644
index 0000000..4ca30dc
--- /dev/null
+++ b/database/migrations/2020_11_17_214014_create_api_models_table.php
@@ -0,0 +1,32 @@
+<?php
+
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Database\Migrations\Migration;
+
+class CreateApiModelsTable extends Migration {
+
+	/**
+	 * Run the migrations.
+	 *
+	 * @return void
+	 */
+	public function up()
+	{
+		Schema::create('api_models', function(Blueprint $table)
+		{
+			$table->increments('id');
+			$table->timestamps();
+		});
+	}
+
+	/**
+	 * Reverse the migrations.
+	 *
+	 * @return void
+	 */
+	public function down()
+	{
+		Schema::drop('api_models');
+	}
+
+}