diff --git a/api/handlers/user_handler.go b/api/handlers/user_handler.go
index c9bfff6..0003e67 100644
--- a/api/handlers/user_handler.go
+++ b/api/handlers/user_handler.go
@@ -9,6 +9,7 @@ import (
 	"github.com/gin-gonic/gin"
 	"github.com/google/uuid"
 	"github.com/jackc/pgx/v5/pgtype"
+	"golang.org/x/crypto/bcrypt"
 )
 
 type UserHandler struct {
@@ -65,11 +66,17 @@ func (h *UserHandler) CreateUser(c *gin.Context) {
 		return
 	}
 
+	hashedPassword, err := bcrypt.GenerateFromPassword([]byte(req.Password), bcrypt.DefaultCost)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to hash password"})
+		return
+	}
+
 	id, err := h.repo.CreateUser(c.Request.Context(), db.CreateUserParams{
 		ID:       pgID,
 		UserName: req.UserName,
 		UserMail: req.UserMail,
-		Password: req.Password, // TODO: hash this before storing
+		Password: string(hashedPassword),
 	})
 	if err != nil {
 		c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})