diff --git a/add_project.php b/add_project.php
index 92746d6..7975510 100644
--- a/add_project.php
+++ b/add_project.php
@@ -1,15 +1,22 @@
 <?php
 require 'db.php';
+require 'auth.php';
+
+header('Content-Type: application/json');
+require_login();
+
+$user_id = current_user_id();
 
 $data = json_decode(file_get_contents('php://input'), true);
-if (!isset($data['name']) || empty(trim($data['name']))) {
+$name = trim($data['name'] ?? '');
+
+if ($name === '') {
     http_response_code(400);
-    echo json_encode(['error' => 'Project name is required']);
+    echo json_encode(['success' => false, 'error' => 'Project name is required']);
     exit;
 }
 
-$stmt = $pdo->prepare("INSERT INTO projects (name) VALUES (?)");
-$stmt->execute([trim($data['name'])]);
+$stmt = $pdo->prepare("INSERT INTO projects (user_id, name) VALUES (?, ?)");
+$stmt->execute([$user_id, $name]);
 
 echo json_encode(['success' => true, 'id' => $pdo->lastInsertId()]);
-?>
diff --git a/add_subtask.php b/add_subtask.php
index f320d92..8889f99 100644
--- a/add_subtask.php
+++ b/add_subtask.php
@@ -1,18 +1,32 @@
 <?php
 require 'db.php';
+require 'auth.php';
+
+header('Content-Type: application/json');
+require_login();
+
+$user_id = current_user_id();
 
 $data = json_decode(file_get_contents('php://input'), true);
 $name = trim($data['name'] ?? '');
 $task_id = intval($data['task_id'] ?? 0);
 
 if ($name === '' || $task_id <= 0) {
-	http_response_code(400);
-	echo json_encode(['error' => 'Invalid input']);
-	exit;
+    http_response_code(400);
+    echo json_encode(['success' => false, 'error' => 'Invalid input']);
+    exit;
 }
 
-$stmt = $pdo->prepare("INSERT INTO subtasks (task_id, name) VALUES (?, ?)");
-$stmt->execute([$task_id, $name]);
+// Ensure task belongs to this user
+$stmt = $pdo->prepare("SELECT id FROM tasks WHERE id = ? AND user_id = ? LIMIT 1");
+$stmt->execute([$task_id, $user_id]);
+if (!$stmt->fetchColumn()) {
+    http_response_code(403);
+    echo json_encode(['success' => false, 'error' => 'Forbidden']);
+    exit;
+}
+
+$stmt = $pdo->prepare("INSERT INTO subtasks (user_id, task_id, name) VALUES (?, ?, ?)");
+$stmt->execute([$user_id, $task_id, $name]);
 
 echo json_encode(['success' => true, 'id' => $pdo->lastInsertId()]);
-?>
diff --git a/add_task.php b/add_task.php
index 8119ffd..57c709c 100644
--- a/add_task.php
+++ b/add_task.php
@@ -1,5 +1,11 @@
 <?php
 require 'db.php';
+require 'auth.php';
+
+header('Content-Type: application/json');
+require_login();
+
+$user_id = current_user_id();
 
 $data = json_decode(file_get_contents('php://input'), true);
 $name = trim($data['name'] ?? '');
@@ -7,12 +13,20 @@ $project_id = intval($data['project_id'] ?? 0);
 
 if ($name === '' || $project_id <= 0) {
     http_response_code(400);
-    echo json_encode(['error' => 'Invalid input']);
+    echo json_encode(['success' => false, 'error' => 'Invalid input']);
     exit;
 }
 
-$stmt = $pdo->prepare("INSERT INTO tasks (project_id, name) VALUES (?, ?)");
-$stmt->execute([$project_id, $name]);
+// Ensure project belongs to this user
+$stmt = $pdo->prepare("SELECT id FROM projects WHERE id = ? AND user_id = ? LIMIT 1");
+$stmt->execute([$project_id, $user_id]);
+if (!$stmt->fetchColumn()) {
+    http_response_code(403);
+    echo json_encode(['success' => false, 'error' => 'Forbidden']);
+    exit;
+}
+
+$stmt = $pdo->prepare("INSERT INTO tasks (user_id, project_id, name) VALUES (?, ?, ?)");
+$stmt->execute([$user_id, $project_id, $name]);
 
 echo json_encode(['success' => true, 'id' => $pdo->lastInsertId()]);
-?>
diff --git a/auth.php b/auth.php
new file mode 100644
index 0000000..88ff806
--- /dev/null
+++ b/auth.php
@@ -0,0 +1,36 @@
+<?php
+// auth.php
+if (session_status() === PHP_SESSION_NONE) {
+    session_start();
+}
+
+function is_logged_in(): bool {
+    return isset($_SESSION['user']) && isset($_SESSION['user']['id']);
+}
+
+function current_user_id(): int {
+    return intval($_SESSION['user']['id'] ?? 0);
+}
+
+function current_user_can_manage_settings(): bool {
+    return !empty($_SESSION['user']['can_manage_settings']);
+}
+
+function require_login(): void {
+    if (!is_logged_in()) {
+        http_response_code(401);
+        header('Content-Type: application/json');
+        echo json_encode(['success' => false, 'error' => 'Not authenticated']);
+        exit;
+    }
+}
+
+function require_can_manage_settings(): void {
+    require_login();
+    if (!current_user_can_manage_settings()) {
+        http_response_code(403);
+        header('Content-Type: application/json');
+        echo json_encode(['success' => false, 'error' => 'Forbidden']);
+        exit;
+    }
+}
diff --git a/delete_project.php b/delete_project.php
index d900e92..ad37160 100644
--- a/delete_project.php
+++ b/delete_project.php
@@ -1,6 +1,11 @@
 <?php
 require 'db.php';
+require 'auth.php';
+
+require_login();
+$user_id = current_user_id();
+
 $id = intval($_GET['id'] ?? 0);
 if ($id > 0) {
-	$pdo->prepare("DELETE FROM projects WHERE id = ?")->execute([$id]);
+    $pdo->prepare("DELETE FROM projects WHERE id = ? AND user_id = ?")->execute([$id, $user_id]);
 }
diff --git a/delete_subtask.php b/delete_subtask.php
index 32649c5..8282217 100644
--- a/delete_subtask.php
+++ b/delete_subtask.php
@@ -1,6 +1,11 @@
 <?php
 require 'db.php';
+require 'auth.php';
+
+require_login();
+$user_id = current_user_id();
+
 $id = intval($_GET['id'] ?? 0);
 if ($id > 0) {
-	$pdo->prepare("DELETE FROM subtasks WHERE id = ?")->execute([$id]);
+    $pdo->prepare("DELETE FROM subtasks WHERE id = ? AND user_id = ?")->execute([$id, $user_id]);
 }
diff --git a/delete_task.php b/delete_task.php
index d7265e3..6beb327 100644
--- a/delete_task.php
+++ b/delete_task.php
@@ -1,6 +1,11 @@
 <?php
 require 'db.php';
+require 'auth.php';
+
+require_login();
+$user_id = current_user_id();
+
 $id = intval($_GET['id'] ?? 0);
 if ($id > 0) {
-	$pdo->prepare("DELETE FROM tasks WHERE id = ?")->execute([$id]);
+    $pdo->prepare("DELETE FROM tasks WHERE id = ? AND user_id = ?")->execute([$id, $user_id]);
 }
diff --git a/get_data.php b/get_data.php
index 72446e9..4955210 100644
--- a/get_data.php
+++ b/get_data.php
@@ -1,19 +1,26 @@
 <?php
 require 'db.php';
+require 'auth.php';
 
-$projects = $pdo->query("SELECT * FROM projects ORDER BY sort_order ASC")->fetchAll();
+header('Content-Type: application/json');
+require_login();
+
+$user_id = current_user_id();
+
+$stmt = $pdo->prepare("SELECT * FROM projects WHERE user_id = ? ORDER BY sort_order ASC");
+$stmt->execute([$user_id]);
+$projects = $stmt->fetchAll();
 
 foreach ($projects as &$project) {
-    $stmt = $pdo->prepare("SELECT * FROM tasks WHERE project_id = ? ORDER BY created_at");
-    $stmt->execute([$project['id']]);
+    $stmt = $pdo->prepare("SELECT * FROM tasks WHERE project_id = ? AND user_id = ? ORDER BY created_at");
+    $stmt->execute([$project['id'], $user_id]);
     $project['tasks'] = $stmt->fetchAll();
 
     foreach ($project['tasks'] as &$task) {
-        $stmt = $pdo->prepare("SELECT * FROM subtasks WHERE task_id = ? ORDER BY created_at");
-        $stmt->execute([$task['id']]);
+        $stmt = $pdo->prepare("SELECT * FROM subtasks WHERE task_id = ? AND user_id = ? ORDER BY created_at");
+        $stmt->execute([$task['id'], $user_id]);
         $task['subtasks'] = $stmt->fetchAll();
     }
 }
 
-echo json_encode($projects);
-?>
+echo json_encode($projects);
\ No newline at end of file
diff --git a/index.php b/index.php
index b5db406..c532392 100644
--- a/index.php
+++ b/index.php
@@ -343,24 +343,78 @@
     </div>
   </div>
 
-<!-- Modal: Confirmation -->
-<div class="modal fade" id="confirmationModal" tabindex="-1" aria-hidden="true">
-  <div class="modal-dialog modal-dialog-centered">
-    <div class="modal-content">
-      <div class="modal-header">
-        <h5 class="modal-title">Confirm Action</h5>
-        <button type="button" class="btn-close" data-bs-dismiss="modal"></button>
-      </div>
-      <div class="modal-body" id="confirmationModalBody">
-        Are you sure you want to continue?
-      </div>
-      <div class="modal-footer">
-        <button type="button" class="btn btn-secondary" data-bs-dismiss="modal">Cancel</button>
-        <button type="button" class="btn btn-danger" id="confirmModalYes">Yes</button>
+  <!-- Modal: Confirmation -->
+  <div class="modal fade" id="confirmationModal" tabindex="-1" aria-hidden="true">
+    <div class="modal-dialog modal-dialog-centered">
+      <div class="modal-content">
+        <div class="modal-header">
+          <h5 class="modal-title">Confirm Action</h5>
+          <button type="button" class="btn-close" data-bs-dismiss="modal"></button>
+        </div>
+        <div class="modal-body" id="confirmationModalBody">
+          Are you sure you want to continue?
+        </div>
+        <div class="modal-footer">
+          <button type="button" class="btn btn-secondary" data-bs-dismiss="modal">Cancel</button>
+          <button type="button" class="btn btn-danger" id="confirmModalYes">Yes</button>
+        </div>
       </div>
     </div>
   </div>
-</div>
+
+  <!-- Modal: Login -->
+  <div class="modal fade" id="loginModal" tabindex="-1" aria-hidden="true" data-bs-backdrop="static" data-bs-keyboard="false">
+    <div class="modal-dialog modal-dialog-centered">
+      <form id="loginForm" class="modal-content">
+        <div class="modal-header">
+          <h5 class="modal-title">Sign In</h5>
+        </div>
+        <div class="modal-body">
+          <div class="mb-3">
+            <label class="form-label">Email</label>
+            <input type="email" class="form-control" id="loginEmail" required>
+          </div>
+          <div class="mb-3">
+            <label class="form-label">Password</label>
+            <input type="password" class="form-control" id="loginPassword" required>
+          </div>
+          <div class="text-danger" id="loginError" style="display:none;"></div>
+        </div>
+        <div class="modal-footer d-flex justify-content-between w-100">
+          <button type="button" class="btn btn-outline-secondary" id="showRegisterBtn">Create account</button>
+          <button type="submit" class="btn btn-primary">Sign In</button>
+        </div>
+      </form>
+    </div>
+  </div>
+
+  <!-- Modal: Register -->
+  <div class="modal fade" id="registerModal" tabindex="-1" aria-hidden="true">
+    <div class="modal-dialog modal-dialog-centered">
+      <form id="registerForm" class="modal-content">
+        <div class="modal-header">
+          <h5 class="modal-title">Create Account</h5>
+          <button type="button" class="btn-close" data-bs-dismiss="modal"></button>
+        </div>
+        <div class="modal-body">
+          <div class="mb-3">
+            <label class="form-label">Email</label>
+            <input type="email" class="form-control" id="registerEmail" required>
+          </div>
+          <div class="mb-3">
+            <label class="form-label">Password (8+ chars)</label>
+            <input type="password" class="form-control" id="registerPassword" required minlength="8">
+          </div>
+          <div class="text-danger" id="registerError" style="display:none;"></div>
+          <div class="text-success" id="registerSuccess" style="display:none;"></div>
+        </div>
+        <div class="modal-footer d-flex justify-content-between w-100">
+          <button type="button" class="btn btn-outline-secondary" id="backToLoginBtn">Back</button>
+          <button type="submit" class="btn btn-primary">Create</button>
+        </div>
+      </form>
+    </div>
+  </div>
 
 
   <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.0/dist/js/bootstrap.bundle.min.js"></script>
diff --git a/login.php b/login.php
new file mode 100644
index 0000000..1f24908
--- /dev/null
+++ b/login.php
@@ -0,0 +1,44 @@
+<?php
+require 'db.php';
+require 'auth.php';
+
+header('Content-Type: application/json');
+
+$data = json_decode(file_get_contents('php://input'), true);
+$email = strtolower(trim($data['email'] ?? ''));
+$password = strval($data['password'] ?? '');
+
+$stmt = $pdo->prepare("
+    SELECT u.id, u.email, u.password_hash,
+           r.name AS role_name,
+           r.can_manage_settings
+    FROM users u
+    JOIN roles r ON r.id = u.role_id
+    WHERE u.email = ?
+    LIMIT 1
+");
+$stmt->execute([$email]);
+$user = $stmt->fetch(PDO::FETCH_ASSOC);
+
+if (!$user || !password_verify($password, $user['password_hash'])) {
+    http_response_code(401);
+    echo json_encode(['success' => false, 'error' => 'Invalid credentials']);
+    exit;
+}
+
+$_SESSION['user'] = [
+    'id' => intval($user['id']),
+    'email' => $user['email'],
+    'role' => $user['role_name'],
+    'can_manage_settings' => intval($user['can_manage_settings']),
+];
+
+echo json_encode([
+    'success' => true,
+    'user' => [
+        'id' => $_SESSION['user']['id'],
+        'email' => $_SESSION['user']['email'],
+        'role' => $_SESSION['user']['role'],
+        'can_manage_settings' => $_SESSION['user']['can_manage_settings'],
+    ]
+]);
diff --git a/logout.php b/logout.php
new file mode 100644
index 0000000..87b2e25
--- /dev/null
+++ b/logout.php
@@ -0,0 +1,8 @@
+<?php
+require 'auth.php';
+header('Content-Type: application/json');
+
+$_SESSION = [];
+session_destroy();
+
+echo json_encode(['success' => true]);
diff --git a/me.php b/me.php
new file mode 100644
index 0000000..057b324
--- /dev/null
+++ b/me.php
@@ -0,0 +1,18 @@
+<?php
+require 'auth.php';
+header('Content-Type: application/json');
+
+if (!is_logged_in()) {
+    echo json_encode(['logged_in' => false]);
+    exit;
+}
+
+echo json_encode([
+    'logged_in' => true,
+    'user' => [
+        'id' => intval($_SESSION['user']['id']),
+        'email' => $_SESSION['user']['email'],
+        'role' => $_SESSION['user']['role'],
+        'can_manage_settings' => intval($_SESSION['user']['can_manage_settings']),
+    ]
+]);
diff --git a/register.php b/register.php
new file mode 100644
index 0000000..49d6020
--- /dev/null
+++ b/register.php
@@ -0,0 +1,42 @@
+<?php
+require 'db.php';
+require 'auth.php';
+
+header('Content-Type: application/json');
+
+$data = json_decode(file_get_contents('php://input'), true);
+$email = strtolower(trim($data['email'] ?? ''));
+$password = strval($data['password'] ?? '');
+
+if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
+    http_response_code(400);
+    echo json_encode(['success' => false, 'error' => 'Invalid email']);
+    exit;
+}
+if (strlen($password) < 8) {
+    http_response_code(400);
+    echo json_encode(['success' => false, 'error' => 'Password must be at least 8 characters']);
+    exit;
+}
+
+$hash = password_hash($password, PASSWORD_DEFAULT);
+
+// Standard role id from roles table
+$stmt = $pdo->prepare("SELECT id FROM roles WHERE name = 'standard' LIMIT 1");
+$stmt->execute();
+$role_id = intval($stmt->fetchColumn());
+
+if ($role_id <= 0) {
+    http_response_code(500);
+    echo json_encode(['success' => false, 'error' => "Role 'standard' not found"]);
+    exit;
+}
+
+try {
+    $stmt = $pdo->prepare("INSERT INTO users (email, password_hash, role_id) VALUES (?, ?, ?)");
+    $stmt->execute([$email, $hash, $role_id]);
+    echo json_encode(['success' => true]);
+} catch (Throwable $e) {
+    http_response_code(409);
+    echo json_encode(['success' => false, 'error' => 'Account already exists']);
+}
diff --git a/reset_settings.php b/reset_settings.php
index f7ac3b2..815b099 100644
--- a/reset_settings.php
+++ b/reset_settings.php
@@ -1,6 +1,11 @@
 <?php
 require 'db.php';
+require 'auth.php';
+
+header('Content-Type: application/json');
+require_can_manage_settings();
+
 $stmt = $pdo->prepare("UPDATE settings SET title = 'tinyTask', icon_class = 'kanban', icon_color = '#ff0000' WHERE id = 1");
 $stmt->execute();
+
 echo json_encode(['success' => true]);
-?>
diff --git a/update_project_order.php b/update_project_order.php
index ff32701..23c9f96 100644
--- a/update_project_order.php
+++ b/update_project_order.php
@@ -1,25 +1,27 @@
 <?php
 require 'db.php';
+require 'auth.php';
 
 header('Content-Type: application/json');
 
-$data = json_decode(file_get_contents('php://input'), true);
+require_login();
+$user_id = current_user_id();
 
+$data = json_decode(file_get_contents('php://input'), true);
 if (!$data || !is_array($data)) {
   echo json_encode(['success' => false, 'message' => 'Invalid input']);
   exit;
 }
 
-$stmt = $pdo->prepare("UPDATE projects SET sort_order = ? WHERE id = ?");
+$stmt = $pdo->prepare("UPDATE projects SET sort_order = ? WHERE id = ? AND user_id = ?");
 
 foreach ($data as $item) {
-  $id = $item['id'];
-  $order = $item['order'];
+  $id = $item['id'] ?? null;
+  $order = $item['order'] ?? null;
 
   if (!is_numeric($id) || !is_numeric($order)) continue;
 
-  $stmt->execute([$order, $id]);
+  $stmt->execute([(int)$order, (int)$id, $user_id]);
 }
 
 echo json_encode(['success' => true]);
-exit;
diff --git a/update_settings.php b/update_settings.php
index 3b0c1b1..d524977 100644
--- a/update_settings.php
+++ b/update_settings.php
@@ -1,13 +1,17 @@
 <?php
 require 'db.php';
+require 'auth.php';
+
+header('Content-Type: application/json');
+require_can_manage_settings();
+
 $data = json_decode(file_get_contents('php://input'), true);
 
 $title = $data['title'] ?? 'tinyTask';
-$icon = $data['icon_class'] ?? 'kanban';
+$icon  = $data['icon_class'] ?? 'kanban';
 $color = $data['icon_color'] ?? '#ff0000';
 
 $stmt = $pdo->prepare("UPDATE settings SET title = ?, icon_class = ?, icon_color = ? WHERE id = 1");
 $stmt->execute([$title, $icon, $color]);
 
 echo json_encode(['success' => true]);
-?>
diff --git a/update_task_order.php b/update_task_order.php
index fe599fc..14e1493 100644
--- a/update_task_order.php
+++ b/update_task_order.php
@@ -1,11 +1,25 @@
 <?php
-require 'db.php'; // Adjust path if needed
+require 'db.php';
+require 'auth.php';
 
-$data = json_decode(file_get_contents("php://input"), true);
+header('Content-Type: application/json');
 
-if (isset($data['task_ids']) && is_array($data['task_ids'])) {
-    $stmt = $pdo->prepare("UPDATE tasks SET task_order = ? WHERE id = ?");
-    foreach ($data['task_ids'] as $order => $id) {
-        $stmt->execute([$order, $id]);
-    }
-    echo json_encode
+require_login();
+$user_id = current_user_id();
+
+$data = json_decode(file_get_contents('php://input'), true);
+if (!$data || !is_array($data)) {
+    echo json_encode(['success' => false, 'message' => 'Invalid input']);
+    exit;
+}
+
+$stmt = $pdo->prepare("UPDATE tasks SET task_order = ? WHERE id = ? AND user_id = ?");
+
+foreach ($data as $item) {
+    $id = $item['id'] ?? null;
+    $order = $item['order'] ?? null;
+    if (!is_numeric($id) || !is_numeric($order)) continue;
+    $stmt->execute([(int)$order, (int)$id, $user_id]);
+}
+
+echo json_encode(['success' => true]);