diff --git a/lib/db/api.js b/lib/db/api.js
new file mode 100644
index 00000000..72608eba
--- /dev/null
+++ b/lib/db/api.js
@@ -0,0 +1,14 @@
+var r = require('rethinkdb')
+
+var db = require('./')
+
+module.exports.saveUserAfterLogin = function(user) {
+  return db.run(r.table('users').insert({
+      email: user.email
+    , name: user.name
+    , lastLogin: r.now()
+    }
+  , {
+      upsert: true
+    }))
+}
diff --git a/lib/db/index.js b/lib/db/index.js
index 58e0327a..06f8cecf 100644
--- a/lib/db/index.js
+++ b/lib/db/index.js
@@ -15,8 +15,23 @@ function connect() {
         log.fatal('Connection error', err.stack)
         process.exit(1)
       })
-      return conn
+      return setup(conn)
     })
 }
 
-module.exports = connect().then(setup)
+var db = module.exports = Object.create(null)
+
+// Export memoized connection as a Promise
+db.connect = (function() {
+  var connection = connect()
+  return function() {
+    return connection
+  }
+})()
+
+// Small utility for running queries without having to acquire a connection
+db.run = function(q) {
+  return db.connect().then(function(conn) {
+    return rutil.run(conn, q)
+  })
+}
diff --git a/lib/db/tables.js b/lib/db/tables.js
index 98bd7ae6..48b48490 100644
--- a/lib/db/tables.js
+++ b/lib/db/tables.js
@@ -1,5 +1,5 @@
 module.exports = {
   users: {
-    primaryKey: 'id'
+    primaryKey: 'email'
   }
 }
diff --git a/lib/middleware/jwt.js b/lib/middleware/auth.js
similarity index 77%
rename from lib/middleware/jwt.js
rename to lib/middleware/auth.js
index 353fc137..f7c02047 100644
--- a/lib/middleware/jwt.js
+++ b/lib/middleware/auth.js
@@ -1,6 +1,8 @@
 var jwtutil = require('../util/jwtutil')
 var urlutil = require('../util/urlutil')
 
+var dbapi = require('../db/api')
+
 module.exports = function(options) {
   return function(req, res, next) {
     if (req.query.jwt) {
@@ -9,8 +11,12 @@ module.exports = function(options) {
         , redir = urlutil.removeParam(req.url, 'jwt')
       if (data) {
         // Redirect once to get rid of the token
-        req.session.jwt = data
-        res.redirect(redir)
+        dbapi.saveUserAfterLogin(data)
+          .then(function() {
+            req.session.jwt = data
+            res.redirect(redir)
+          })
+          .catch(next)
       }
       else {
         // Invalid token, forward to auth client
diff --git a/lib/roles/app.js b/lib/roles/app.js
index 6027e293..cd957a8c 100644
--- a/lib/roles/app.js
+++ b/lib/roles/app.js
@@ -6,7 +6,7 @@ var validator = require('express-validator')
 var logger = require('../util/logger')
 var pathutil = require('../util/pathutil')
 
-var jwt = require('../middleware/jwt')
+var auth = require('../middleware/auth')
 
 module.exports = function(options) {
   var log = logger.createLogger('app')
@@ -22,7 +22,7 @@ module.exports = function(options) {
     secret: options.secret
   , key: options.ssid
   }))
-  app.use(jwt({
+  app.use(auth({
     secret: options.secret
   , authUrl: options.authUrl
   }))