diff --git a/app/controllers/rs/oauth_controller.rb b/app/controllers/rs/oauth_controller.rb
index c403bcf..2aa25e0 100644
--- a/app/controllers/rs/oauth_controller.rb
+++ b/app/controllers/rs/oauth_controller.rb
@@ -77,14 +77,13 @@ class Rs::OauthController < ApplicationController
 client_id.gsub!(/http(s)?:\/\//, "")
- rs = RemoteStorage.new
- auth = rs.create_authorization(current_user, {
+ auth = current_user.remote_storage_authorizations.create!(
 permissions: permissions,
 client_id: client_id,
 redirect_uri: redirect_uri,
 app_name: client_id, #TODO use user-defined name
 expire_at: expire_at
- })
+ )
 redirect_to url_with_state("#{redirect_uri}#access_token=#{auth.token}", state), allow_other_host: true
 end
diff --git a/app/models/remote_storage_authorization.rb b/app/models/remote_storage_authorization.rb
new file mode 100644
index 0000000..e42deca
--- /dev/null
+++ b/app/models/remote_storage_authorization.rb
@@ -0,0 +1,32 @@
+class RemoteStorageAuthorization < ApplicationRecord
+ belongs_to :user
+
+ serialize :permissions
+
+ validates_presence_of :permissions
+ validates_presence_of :client_id
+
+ scope :valid, -> { where(expire_at: nil).or(where(expire_at: (DateTime.now)..)) }
+ scope :expired, -> { where(expire_at: ..(DateTime.now)) }
+
+ after_initialize do |a|
+ a.permisisons = [] if a.permissions == nil
+ end
+
+ before_create :generate_token
+
+ def url
+ if self.redirect_uri
+ uri = URI.parse self.redirect_uri
+ "#{uri.scheme}://#{client_id}"
+ else
+ "http://#{client_id}"
+ end
+ end
+
+ private
+
+ def generate_token(length=16)
+ self.token = SecureRandom.hex(length) if self.token.blank?
+ end
+end
diff --git a/app/models/user.rb b/app/models/user.rb
index ebe76cb..ecc50f5 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
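Review bot: The new `current_user.remote_storage_authorizations.create!(` call in `app/controllers/rs/oauth_controller.rb` raises `ActiveRecord::RecordInvalid` whenever the model's presence validations on `permissions` or `client_id` fail, and nothing visible in the hunk rescues it. If those values come from the authorization request, as the surrounding lines suggest, an empty scope would end in an unhandled exception rather than an error shown to the user; either use `create` and check `auth.persisted?` before redirecting, or rescue `ActiveRecord::RecordInvalid` in the action. The unchanged `redirect_to` line now delivers a real token to `redirect_uri` with `allow_other_host: true`, so it is worth confirming that `redirect_uri` is checked against the origin in `client_id` before this point. The action starts outside the hunk, so that check may already exist.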
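Review bot: The `after_initialize` block in `app/models/remote_storage_authorization.rb` assigns to `a.permisisons`, a misspelling of `permissions`, so any record initialised with nil permissions raises `NoMethodError` instead of receiving the empty default. Fix it as `a.permissions = [] if a.permissions.nil?`, or drop the callback and declare `serialize :permissions, Array` (Rails 7.0 form), which also rejects stored values that do not deserialize to an array. The `valid` and `expired` scopes both match a row whose `expire_at` equals the current time, so one of the two ranges should be exclusive. A comment above `generate_token` such as `# 16 random bytes, hex-encoded; this value is the bearer token handed to the client` would document what the default length means.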
@@ -14,6 +14,8 @@ class User < ApplicationRecord
 has_many :accounts, through: :lndhub_user
+ has_many :remote_storage_authorizations
+
 validates_uniqueness_of :cn
 validates_length_of :cn, :minimum => 3
 validates_format_of :cn, with: /\A([a-z0-9\-])*\z/,
diff --git a/app/services/remote_storage.rb b/app/services/remote_storage.rb
deleted file mode 100644
index a6a80af..0000000
--- a/app/services/remote_storage.rb
+++ /dev/null
@@ -1,18 +0,0 @@
-require 'ostruct'
-
-class RemoteStorage
-
- def initialize
- end
-
- def create_authorization(user, auth_data)
-
- return OpenStruct.new(token: "SOME-FANCY-TOKEN")
- # permissions: permissions,
- # client_id: client_id,
- # redirect_uri: redirect_uri,
- # app_name: client_id, #TODO use user-defined name
- # expire_at: expire_at
- end
-
-end
diff --git a/db/migrate/20230312212030_create_remote_storage_authorizations.rb b/db/migrate/20230312212030_create_remote_storage_authorizations.rb
new file mode 100644
index 0000000..ebb8733
--- /dev/null
+++ b/db/migrate/20230312212030_create_remote_storage_authorizations.rb
@@ -0,0 +1,17 @@
+class CreateRemoteStorageAuthorizations < ActiveRecord::Migration[7.0]
+ def change
+ create_table :remote_storage_authorizations do |t|
+ t.references :user, null: false, foreign_key: true
+ t.string :token
+ t.text :permissions, array: true, default: [].to_yaml
+ t.string :client_id
+ t.string :redirect_uri
+ t.string :app_name
+ t.datetime :expire_at
+
+ t.timestamps
+ end
+
+ add_index :remote_storage_authorizations, :permissions, using: 'gin'
+ end
+end
diff --git a/db/schema.rb b/db/schema.rb
index f87e1b0..18a0b86 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -10,7 +10,7 @@ # # It's strongly recommended that you check this file into your version control system. -ActiveRecord::Schema[7.0].define(version: 2023_02_23_115536) do +ActiveRecord::Schema[7.0].define(version: 2023_03_12_212030) do create_table "donations", force: :cascade do |t| t.integer "user_id" t.integer "amount_sats"
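Review bot: The new `has_many :remote_storage_authorizations` in `app/models/user.rb` declares no `dependent:` option, while the migration in this commit gives the table a non-null foreign key to `users`. Deleting a user would therefore either fail on that constraint or, where the constraint is not enforced, leave the user's access tokens behind. Suggest `has_many :remote_storage_authorizations, dependent: :destroy` so that authorizations are revoked together with the account. The `User` class continues outside the hunk, so an existing cleanup callback cannot be ruled out.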
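Review bot: In the migration, `t.text :permissions, array: true, default: [].to_yaml` mixes two storage models: `array: true` and the `using: 'gin'` index are PostgreSQL array features, while the default is a YAML string intended for the model's `serialize :permissions`. The dumped `db/schema.rb` shows a plain text column with an ordinary index, so the adapter in use apparently ignores both options; on PostgreSQL the YAML default is likely not a valid array literal. Pick one form: `t.text :permissions` without the index for the serialized column, or a native array column without `serialize` in the model. Also consider `t.string :token, null: false` together with `add_index :remote_storage_authorizations, :token, unique: true`, since the token is presumably the credential that incoming requests are looked up by.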
@@ -34,6 +34,20 @@ ActiveRecord::Schema[7.0].define(version: 2023_02_23_115536) do t.index ["user_id"], name: "index_invitations_on_user_id" end + create_table "remote_storage_authorizations", force: :cascade do |t| + t.integer "user_id", null: false + t.string "token" + t.text "permissions", default: "--- []\n" + t.string "client_id" + t.string "redirect_uri" + t.string "app_name" + t.datetime "expire_at" + t.datetime "created_at", null: false + t.datetime "updated_at", null: false + t.index ["permissions"], name: "index_remote_storage_authorizations_on_permissions" + t.index ["user_id"], name: "index_remote_storage_authorizations_on_user_id" + end + create_table "settings", force: :cascade do |t| t.string "var", null: false t.text "value" @@ -61,4 +75,5 @@ ActiveRecord::Schema[7.0].define(version: 2023_02_23_115536) do t.index ["reset_password_token"], name: "index_users_on_reset_password_token", unique: true end + add_foreign_key "remote_storage_authorizations", "users" end