diff --git a/src/controllers/auth.controller.js b/src/controllers/auth.controller.js
index 74756f5..7c0192c 100644
--- a/src/controllers/auth.controller.js
+++ b/src/controllers/auth.controller.js
@@ -169,6 +169,27 @@ async function setTpin(req, res) {
   }
 }
 
+async function changeTpin(req, res) {
+  const customerNo = req.user;
+  try {
+    const user = await authService.findUserByCustomerNo(customerNo);
+    if (!user) return res.status(404).json({ error: 'USER_NOT_FOUND' });
+    if (!user.tpin)
+      return res.status(400).json({ error: 'USER_DOESNT_HAVE_A_TPIN' });
+    const { oldTpin, newTpin } = req.body;
+    if(oldTpin !== user.tpin)
+      return res.status(400).json({ error: 'TPIN_DOESNT_MATCH' });
+
+    if (!/^\d{6}$/.test(newTpin))
+      return res.status(400).json({ error: 'INVALID_TPIN_FORMAT' });
+    authService.setTpin(customerNo, tpin);
+    return res.json({ message: 'TPIN_SET' });
+  } catch (error) {
+    logger.error(error);
+    return res.status(500).json({ error: 'SOMETHING_WENT_WRONG' });
+  }
+}
+
 async function setLoginPassword(req, res) {
   const customerNo = req.user;
   try {
@@ -325,6 +346,7 @@ module.exports = {
   login,
   tpin,
   setTpin,
+  changeTpin,
   setLoginPassword,
   setTransactionPassword,
   fetchUserDetails,
diff --git a/src/routes/auth.route.js b/src/routes/auth.route.js
index 5bd61f6..c7d2c3a 100644
--- a/src/routes/auth.route.js
+++ b/src/routes/auth.route.js
@@ -8,12 +8,24 @@ router.post('/login', authController.login);
 router.get('/user_details', authenticate, authController.fetchUserDetails);
 router.get('/tpin', authenticate, authController.tpin);
 router.post('/tpin', authenticate, authController.setTpin);
+router.post('/change/tpin', authenticate, authController.changeTpin);
 router.post('/login_password', authenticate, authController.setLoginPassword);
-router.post('/transaction_password',authenticate,authController.setTransactionPassword);
-router.post('/change/login_password',authenticate,authController.changeLoginPassword);
-router.post('/change/transaction_password',authenticate,authController.changeTransPassword);
-router.get('/user_name',authenticate,authController.isUserNameExits);
-router.post('/user_name',authenticate,authController.setUserName);
-
+router.post(
+  '/transaction_password',
+  authenticate,
+  authController.setTransactionPassword
+);
+router.post(
+  '/change/login_password',
+  authenticate,
+  authController.changeLoginPassword
+);
+router.post(
+  '/change/transaction_password',
+  authenticate,
+  authController.changeTransPassword
+);
+router.get('/user_name', authenticate, authController.isUserNameExits);
+router.post('/user_name', authenticate, authController.setUserName);
 
 module.exports = router;