diff --git a/rowers/templates/rower_exportsettings.html b/rowers/templates/rower_exportsettings.html
index a62ad6a2..5d1180f8 100644
--- a/rowers/templates/rower_exportsettings.html
+++ b/rowers/templates/rower_exportsettings.html
@@ -89,6 +89,10 @@

+{% if user.is_staff %}
+iDoklad authorize
+{% endif %}
+
{% endblock %}
diff --git a/rowers/urls.py b/rowers/urls.py
index 18b28d66..5691b5c3 100644
--- a/rowers/urls.py
+++ b/rowers/urls.py
@@ -745,6 +745,7 @@ urlpatterns = [
views.rower_prefs_view, name='rower_prefs_view'),
re_path(r'^me/prefs/user/(?P\d+)/$',
views.rower_simpleprefs_view, name='rower_simpleprefs_view'),
+ re_path(r'^me/idokladauthorize/$', views.rower_idoklad_authorize, name='rower_idoklad_authorize'),
re_path(r'^me/rojaboauthorize/$', views.rower_rojabo_authorize,
name='rower_rojabo_authorize'),
re_path(r'^me/polarauthorize/$', views.rower_polar_authorize,
diff --git a/rowers/views/paymentviews.py b/rowers/views/paymentviews.py
index 6efb02d8..f69942b0 100644
--- a/rowers/views/paymentviews.py
+++ b/rowers/views/paymentviews.py
@@ -9,7 +9,7 @@ from django.core.mail import EmailMessage
from rowers import credits
@login_required()
-def rower_idoklad_auth(request):
+def rower_idoklad_authorize(request):
state=str(uuid4())
params = {
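Review bot: Nothing visible in this hunk keeps the value from `state=str(uuid4())` anywhere the callback can compare it against, and the process_idokladcallback hunks below show no such comparison either. If the lines outside the hunk do not already do it, store the value in the session, for example `request.session['idoklad_state'] = state` (the key name is illustrative), and have the callback reject a request whose `state` parameter differs. Without that binding the callback accepts an authorization code that this session never asked for. The function body continues outside the hunk.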
@@ -23,6 +23,7 @@ def rower_idoklad_auth(request):
return HttpResponseRedirect(url)
+@login_required()
def process_idokladcallback(request):
dologging('idoklad.log',' /rowers/idokladcallback/')
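Review bot: `@login_required()` is a weaker gate than the one the template applies: the link is rendered only under `{% if user.is_staff %}`, but this callback and rower_idoklad_authorize accept any logged-in user. The callback then writes to the single shared row fetched with `iDokladToken.objects.get(id=1)`, so a non-staff account that reaches it can replace the site-wide token. A staff check on both views, for example `@user_passes_test(lambda u: u.is_staff)` from django.contrib.auth.decorators, would match the template. The function body continues outside the hunk.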
@@ -33,9 +34,45 @@ def process_idokladcallback(request):
messages.error(request,error)
return HttpResponseRedirect(reverse('workouts_view'))
-
-
- return HttpResponse('')
+ post_data = {
+ 'grant_type': "authorization_code",
+ 'client_id': IDOKLAD_CLIENT_ID,
+ 'client_secret': IDOKLAD_CLIENT_SECRET,
+ 'scope': 'idoklad_api offline_access',
+ 'code': code,
+ 'redirect_uri': IDOKLAD_REDIRECT_URI,
+ }
+
+ headers = {
+ 'Content-Type': 'application/x-www-form-urlencoded',
+ }
+
+ base_url = 'https://identity.idoklad.cz/server/connect/token'
+
+ response = requests.post(base_url, data=post_data, headers=headers)
+
+ if response.status_code == 200:
+ result = response.json()
+ try:
+ t = iDokladToken.objects.get(id=1)
+ t.acces_token = result['access_token'],
+ t.refresh_token = result['refresh_token']
+ t.expires_in = result['expires_in']
+ t.save()
+ except iDokladToken.DoesNotExist:
+ t = iDokladToken(
+ access_token = result['access_token'],
+ refresh_token = result['refresh_token'],
+ expires_in = result['expires_in'],
+ )
+ t.save()
+ messages.info(request,"Token refreshed and stored")
+ else:
+ messages.error(request,"Error")
+
+ url = reverse('rower_exportsettings_view')
+
+ return HttpResponseRedirect(url)
@csrf_exempt
def braintree_webhook_view(request):
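Review bot: The update branch never stores the new access token, because `t.acces_token = result['access_token'],` misspells the field and the trailing comma turns the value into a one-element tuple. An existing row therefore keeps its old access token while refresh_token and expires_in change; the line should read `t.access_token = result['access_token']`. The `requests.post(base_url, data=post_data, headers=headers)` call has no `timeout=`, so a stalled identity server holds the request open. A 200 response missing one of the three keys raises KeyError, which the `except iDokladToken.DoesNotExist` clause does not catch. The failure branch only shows `"Error"` to the user and, in the visible lines, logs nothing about the status code, which will make a failed authorization hard to diagnose.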
diff --git a/rowers/views/statements.py b/rowers/views/statements.py
index d134013d..d4b675f0 100644
--- a/rowers/views/statements.py
+++ b/rowers/views/statements.py
@@ -178,7 +178,7 @@ from rowers.models import ( RowerPowerForm, RowerHRZonesForm, SimpleRowerPowerFo
IndoorVirtualRaceForm, PlannedSessionCommentForm, Alert,
Condition, StaticChartRowerForm, FollowerForm,
VirtualRaceAthleteForm, InstantPlanForm, DataRowerForm,
- StepEditorForm, )
+ StepEditorForm, iDokladToken )
from rowers.models import (
FavoriteForm, BaseFavoriteFormSet, SiteAnnouncement, BasePlannedSessionFormSet,
get_course_timezone, BaseConditionFormSet,
@@ -225,6 +225,7 @@ from rowsandall_app.settings import (
RECAPTCHA_SITE_KEY, RECAPTCHA_SITE_SECRET,
NK_REDIRECT_URI, NK_CLIENT_ID, NK_CLIENT_SECRET,
ROJABO_REDIRECT_URI, ROJABO_CLIENT_ID, ROJABO_CLIENT_SECRET,
+ IDOKLAD_REDIRECT_URI, IDOKLAD_CLIENT_ID, IDOKLAD_CLIENT_SECRET,
)
from django.contrib import messages
diff --git a/rowsandall_app/settings.py b/rowsandall_app/settings.py
index e3fe4e50..7cbfe5dc 100644
--- a/rowsandall_app/settings.py
+++ b/rowsandall_app/settings.py
@@ -97,6 +97,8 @@ AUTHENTICATION_BACKENDS = (
#'rules.permissions.ObjectPermissionBackend',
)
+CSRF_TRUSTED_ORIGINS = ['https://rowsandall.com', 'https://www.rowsandall.com', 'http://localhost', 'https://dunav.ngrok.io']
+
MIDDLEWARE = [
'django.middleware.common.CommonMiddleware',
'django.middleware.common.BrokenLinkEmailsMiddleware',
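Review bot: `CSRF_TRUSTED_ORIGINS` lists `'http://localhost'` and `'https://dunav.ngrok.io'` next to the production hosts. Wherever this settings file is deployed, unsafe requests whose Origin is the tunnel hostname or plain-http localhost will pass Django's origin check. The tunnel name is only as trustworthy as whoever currently holds it, so it should not be trusted in production. Keep `CSRF_TRUSTED_ORIGINS = ['https://rowsandall.com', 'https://www.rowsandall.com']` here and add the development origins only in a local or debug configuration, for instance read from CFG as the file does for other values.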
@@ -600,9 +602,11 @@ except KeyError: # pragma: no cover
try:
IDOKLAD_CLIENT_ID = CFG['idoklad_client_id']
IDOKLAD_CLIENT_SECRET = CFG['idoklad_client_secret']
+ IDOKLAD_REDIRECT_URI = CFG['idoklad_redirect_uri']
except KeyError: # pragma: no cover
IDOKLAD_CLIENT_ID = ''
IDOKLAD_CLIENT_SECRET = ''
+ IDOKLAD_REDIRECT_URI = ''
# ID obfuscation