diff --git a/app/controllers/messages_controller.rb b/app/controllers/messages_controller.rb
new file mode 100644
index 0000000..7422c16
--- /dev/null
+++ b/app/controllers/messages_controller.rb
@@ -0,0 +1,25 @@
+class MessagesController < ApplicationController
+  allow_unauthenticated_access
+  skip_before_action :verify_authenticity_token
+
+  def create
+    skip_authorization
+
+    @message_params = message_params
+    @contest = Contest.find_by_token_for(:token, params[:token])
+    @message = Message.new(text: params[:text], time_seconds: params[:time_seconds], contest: @contest)
+    if @contest && @message.save
+      respond_to do |format|
+        format.json  { render json: {}, status: 200 }
+      end
+    else
+      respond_to do |format|
+        format.json  { render json: { error: "invalid contest token" }, status: 400 }
+      end
+    end
+  end
+
+  def message_params
+    params.expect(message: [ :text, :time_seconds, :token ])
+  end
+end
diff --git a/app/models/contest.rb b/app/models/contest.rb
index 64e411c..addd177 100644
--- a/app/models/contest.rb
+++ b/app/models/contest.rb
@@ -27,8 +27,11 @@ class Contest < ApplicationRecord
   has_many :completions, dependent: :destroy
   has_many :contestants, dependent: :destroy
   has_many :puzzles, dependent: :destroy
+  has_many :messages
 
   friendly_id :name, use: :slugged
 
   validates :name, presence: true
+
+  generates_token_for :token
 end
diff --git a/config/routes.rb b/config/routes.rb
index 73b87f1..8ec8148 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -17,5 +17,7 @@ Rails.application.routes.draw do
   resource :session
   resources :users
 
+  post "message", to: "messages#create"
+
   get "public/:id", to: "contests#scoreboard"
 end