diff --git a/cmd/server/main.go b/cmd/server/main.go
index b706466..30c68c0 100644
--- a/cmd/server/main.go
+++ b/cmd/server/main.go
@@ -1,44 +1,56 @@
 package main
 
 import (
+	"html/template"
 	"log"
 	"net/http"
+
+	"github.com/rjnemo/auth/web"
 )
 
-var loggedIn = false
+var (
+	loggedIn  = false
+	templates = template.Must(template.ParseFS(web.Templates, "templates/index.html", "templates/in.html", "templates/unauthorized.html"))
+)
 
 func main() {
 	mux := http.NewServeMux()
 
-	mux.HandleFunc("GET /", func(w http.ResponseWriter, r *http.Request) {
-		http.ServeFile(w, r, "index.html")
-	})
-
-	mux.HandleFunc("GET /in", func(w http.ResponseWriter, r *http.Request) {
-		if loggedIn {
-			http.ServeFile(w, r, "in.html")
-		} else {
-			w.Header().Add("Content-Type", "text/html")
-			w.WriteHeader(http.StatusUnauthorized)
-			w.Write([]byte(`
-				<head>
-					<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@picocss/pico@2/css/pico.min.css" />
-				</head>
-				<body>
-					<main class="container">
-						<h1>Unauthorized</h1> <a href='/' role='button'> Back to safety </a>
-					</main>
-				</body>
-				`))
-		}
-	})
-
-	mux.HandleFunc("POST /login", func(w http.ResponseWriter, r *http.Request) {
-		log.Println("Login request received")
-		loggedIn = true
-		http.Redirect(w, r, "/in", http.StatusSeeOther)
-	})
+	mux.HandleFunc("GET /", handleIndex)
+	mux.HandleFunc("GET /in", handleIn)
+	mux.HandleFunc("POST /login", handleLogin)
 
 	log.Println("Starting server on http://localhost:8000")
-	http.ListenAndServe(":8000", mux)
+	if err := http.ListenAndServe(":8000", mux); err != nil {
+		log.Fatalf("listen: %v", err)
+	}
+}
+
+func handleIndex(w http.ResponseWriter, r *http.Request) {
+	err := templates.ExecuteTemplate(w, "index.html", nil)
+	if err != nil {
+		http.Error(w, "template render failed", http.StatusInternalServerError)
+	}
+}
+
+func handleIn(w http.ResponseWriter, r *http.Request) {
+	if !loggedIn {
+		w.WriteHeader(http.StatusUnauthorized)
+		err := templates.ExecuteTemplate(w, "unauthorized.html", nil)
+		if err != nil {
+			http.Error(w, "template render failed", http.StatusInternalServerError)
+		}
+		return
+	}
+
+	err := templates.ExecuteTemplate(w, "in.html", nil)
+	if err != nil {
+		http.Error(w, "template render failed", http.StatusInternalServerError)
+	}
+}
+
+func handleLogin(w http.ResponseWriter, r *http.Request) {
+	log.Println("Login request received")
+	loggedIn = true
+	http.Redirect(w, r, "/in", http.StatusSeeOther)
 }
diff --git a/web/embed.go b/web/embed.go
new file mode 100644
index 0000000..57a51e0
--- /dev/null
+++ b/web/embed.go
@@ -0,0 +1,8 @@
+package web
+
+import "embed"
+
+// Templates holds the embedded HTML templates.
+//
+//go:embed templates/*.html
+var Templates embed.FS
diff --git a/in.html b/web/templates/in.html
similarity index 100%
rename from in.html
rename to web/templates/in.html
diff --git a/index.html b/web/templates/index.html
similarity index 100%
rename from index.html
rename to web/templates/index.html
diff --git a/web/templates/unauthorized.html b/web/templates/unauthorized.html
new file mode 100644
index 0000000..211944a
--- /dev/null
+++ b/web/templates/unauthorized.html
@@ -0,0 +1,18 @@
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="UTF-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <title>auth test</title>
+    <link
+      rel="stylesheet"
+      href="https://cdn.jsdelivr.net/npm/@picocss/pico@2/css/pico.min.css"
+    />
+  </head>
+  <body>
+    <main class="container">
+      <h1>Unauthorized</h1>
+      <a href="/" role="button">Back to safety</a>
+    </main>
+  </body>
+</html>