diff --git a/backend/app/Auth/BcryptPasswordHasher.php b/backend/app/Auth/BcryptPasswordHasher.php
new file mode 100644
index 0000000..0bc4a46
--- /dev/null
+++ b/backend/app/Auth/BcryptPasswordHasher.php
@@ -0,0 +1,16 @@
+<?php
+
+namespace App\Auth;
+
+class BcryptPasswordHasher implements PasswordHasher
+{
+    public function hash(string $password): string
+    {
+        return password_hash($password, PASSWORD_DEFAULT);
+    }
+
+    public function verify(string $password, string $hash): bool
+    {
+        return password_verify($password, $hash);
+    }
+}
diff --git a/backend/app/Auth/Clock.php b/backend/app/Auth/Clock.php
new file mode 100644
index 0000000..b96ad32
--- /dev/null
+++ b/backend/app/Auth/Clock.php
@@ -0,0 +1,10 @@
+<?php
+
+namespace App\Auth;
+
+use DateTimeImmutable;
+
+interface Clock
+{
+    public function now(): DateTimeImmutable;
+}
diff --git a/backend/app/Auth/CreateSessionDto.php b/backend/app/Auth/CreateSessionDto.php
new file mode 100644
index 0000000..2e5e2f7
--- /dev/null
+++ b/backend/app/Auth/CreateSessionDto.php
@@ -0,0 +1,16 @@
+<?php
+
+namespace App\Auth;
+
+use App\User\User;
+use DateTimeImmutable;
+
+class CreateSessionDto
+{
+    public function __construct(
+        public string $token,
+        public User $user,
+        public DateTimeImmutable $createdAt,
+        public DateTimeImmutable $expiresAt,
+    ) {}
+}
diff --git a/backend/app/Auth/PasswordHasher.php b/backend/app/Auth/PasswordHasher.php
new file mode 100644
index 0000000..ab57a41
--- /dev/null
+++ b/backend/app/Auth/PasswordHasher.php
@@ -0,0 +1,10 @@
+<?php
+
+namespace App\Auth;
+
+interface PasswordHasher
+{
+    public function hash(string $password): string;
+
+    public function verify(string $password, string $hash): bool;
+}
diff --git a/backend/app/Auth/RandomTokenGenerator.php b/backend/app/Auth/RandomTokenGenerator.php
new file mode 100644
index 0000000..0615bff
--- /dev/null
+++ b/backend/app/Auth/RandomTokenGenerator.php
@@ -0,0 +1,11 @@
+<?php
+
+namespace App\Auth;
+
+class RandomTokenGenerator implements TokenGenerator
+{
+    public function generate(): string
+    {
+        return bin2hex(random_bytes(32));
+    }
+}
diff --git a/backend/app/Auth/Session.php b/backend/app/Auth/Session.php
new file mode 100644
index 0000000..b433114
--- /dev/null
+++ b/backend/app/Auth/Session.php
@@ -0,0 +1,41 @@
+<?php
+
+namespace App\Auth;
+
+use App\User\User;
+use DateTimeImmutable;
+
+class Session
+{
+    public function __construct(
+        private string $token,
+        private User $user,
+        private DateTimeImmutable $createdAt,
+        private DateTimeImmutable $expiresAt,
+    ) {}
+
+    public function getToken(): string
+    {
+        return $this->token;
+    }
+
+    public function getUser(): User
+    {
+        return $this->user;
+    }
+
+    public function getCreatedAt(): DateTimeImmutable
+    {
+        return $this->createdAt;
+    }
+
+    public function getExpiresAt(): DateTimeImmutable
+    {
+        return $this->expiresAt;
+    }
+
+    public function isExpired(DateTimeImmutable $now): bool
+    {
+        return $now >= $this->expiresAt;
+    }
+}
diff --git a/backend/app/Auth/SessionRepository.php b/backend/app/Auth/SessionRepository.php
new file mode 100644
index 0000000..cabae60
--- /dev/null
+++ b/backend/app/Auth/SessionRepository.php
@@ -0,0 +1,12 @@
+<?php
+
+namespace App\Auth;
+
+interface SessionRepository
+{
+    public function create(CreateSessionDto $dto): Session;
+
+    public function findByToken(string $token): ?Session;
+
+    public function deleteByToken(string $token): void;
+}
diff --git a/backend/app/Auth/SystemClock.php b/backend/app/Auth/SystemClock.php
new file mode 100644
index 0000000..dd77c28
--- /dev/null
+++ b/backend/app/Auth/SystemClock.php
@@ -0,0 +1,14 @@
+<?php
+
+namespace App\Auth;
+
+use DateTimeImmutable;
+use DateTimeZone;
+
+class SystemClock implements Clock
+{
+    public function now(): DateTimeImmutable
+    {
+        return new DateTimeImmutable('now', new DateTimeZone('UTC'));
+    }
+}
diff --git a/backend/app/Auth/TokenGenerator.php b/backend/app/Auth/TokenGenerator.php
new file mode 100644
index 0000000..39b4263
--- /dev/null
+++ b/backend/app/Auth/TokenGenerator.php
@@ -0,0 +1,8 @@
+<?php
+
+namespace App\Auth;
+
+interface TokenGenerator
+{
+    public function generate(): string;
+}
diff --git a/backend/app/Exceptions/BadRequestException.php b/backend/app/Exceptions/BadRequestException.php
new file mode 100644
index 0000000..b900f47
--- /dev/null
+++ b/backend/app/Exceptions/BadRequestException.php
@@ -0,0 +1,7 @@
+<?php
+
+namespace App\Exceptions;
+
+use DomainException;
+
+class BadRequestException extends DomainException {}
diff --git a/backend/app/Exceptions/UnauthorizedException.php b/backend/app/Exceptions/UnauthorizedException.php
new file mode 100644
index 0000000..f5d406e
--- /dev/null
+++ b/backend/app/Exceptions/UnauthorizedException.php
@@ -0,0 +1,7 @@
+<?php
+
+namespace App\Exceptions;
+
+use DomainException;
+
+class UnauthorizedException extends DomainException {}
diff --git a/backend/app/Shared/ValueObject/EmailAddress.php b/backend/app/Shared/ValueObject/EmailAddress.php
new file mode 100644
index 0000000..a744918
--- /dev/null
+++ b/backend/app/Shared/ValueObject/EmailAddress.php
@@ -0,0 +1,54 @@
+<?php
+
+namespace App\Shared\ValueObject;
+
+use InvalidArgumentException;
+
+final readonly class EmailAddress
+{
+    private string $normalized;
+
+    private string $domain;
+
+    private const ERROR_MESSAGE = 'Invalid email address:';
+
+    public function __construct(string $email)
+    {
+
+        $trimmed = trim($email);
+
+        if ($trimmed === '' || ! str_contains($trimmed, '@')) {
+            throw new InvalidArgumentException(self::ERROR_MESSAGE." $email");
+        }
+
+        [$local, $domain] = explode('@', $trimmed, 2);
+        $this->domain = mb_strtolower($domain);
+        $normalized = $local.'@'.$this->domain;
+
+        if (filter_var($normalized, FILTER_VALIDATE_EMAIL) === false) {
+            throw new InvalidArgumentException(self::ERROR_MESSAGE." $email");
+        }
+
+        $this->normalized = $normalized;
+    }
+
+    public function value(): string
+    {
+        return $this->normalized;
+    }
+
+    public function equals(self $other): bool
+    {
+        return $this->normalized === $other->normalized;
+    }
+
+    public function getDomain(): string
+    {
+        return $this->domain;
+    }
+
+    public function __toString(): string
+    {
+        return $this->normalized;
+    }
+}
diff --git a/backend/app/User/CreateUserDto.php b/backend/app/User/CreateUserDto.php
new file mode 100644
index 0000000..d10b373
--- /dev/null
+++ b/backend/app/User/CreateUserDto.php
@@ -0,0 +1,13 @@
+<?php
+
+namespace App\User;
+
+use App\Shared\ValueObject\EmailAddress;
+
+class CreateUserDto
+{
+    public function __construct(
+        public EmailAddress $email,
+        public string $passwordHash,
+    ) {}
+}
diff --git a/backend/app/User/User.php b/backend/app/User/User.php
new file mode 100644
index 0000000..3d8ed63
--- /dev/null
+++ b/backend/app/User/User.php
@@ -0,0 +1,29 @@
+<?php
+
+namespace App\User;
+
+use App\Shared\ValueObject\EmailAddress;
+
+class User
+{
+    public function __construct(
+        private int $id,
+        private EmailAddress $email,
+        private string $passwordHash,
+    ) {}
+
+    public function getId(): int
+    {
+        return $this->id;
+    }
+
+    public function getEmail(): EmailAddress
+    {
+        return $this->email;
+    }
+
+    public function getPasswordHash(): string
+    {
+        return $this->passwordHash;
+    }
+}
diff --git a/backend/app/User/UserRepository.php b/backend/app/User/UserRepository.php
new file mode 100644
index 0000000..975b50d
--- /dev/null
+++ b/backend/app/User/UserRepository.php
@@ -0,0 +1,14 @@
+<?php
+
+namespace App\User;
+
+use App\Shared\ValueObject\EmailAddress;
+
+interface UserRepository
+{
+    public function create(CreateUserDto $dto): User;
+
+    public function findByEmail(EmailAddress $email): ?User;
+
+    public function find(int $id): ?User;
+}
diff --git a/backend/config/container.php b/backend/config/container.php
new file mode 100644
index 0000000..d01341b
--- /dev/null
+++ b/backend/config/container.php
@@ -0,0 +1,37 @@
+<?php
+
+use App\Auth\BcryptPasswordHasher;
+use App\Auth\Clock;
+use App\Auth\PasswordHasher;
+use App\Auth\RandomTokenGenerator;
+use App\Auth\SystemClock;
+use App\Auth\TokenGenerator;
+use App\Auth\UseCases\AuthenticateUser\AuthenticateUser;
+use App\Auth\UseCases\CreateSession\CreateSession;
+use App\Auth\UseCases\Logout\Logout;
+use App\Controllers\AuthController;
+use App\Middleware\AuthMiddleware;
+use DI\ContainerBuilder;
+use Psr\Container\ContainerInterface;
+
+$builder = new ContainerBuilder();
+
+$builder->addDefinitions([
+
+    // Services
+    PasswordHasher::class => DI\create(BcryptPasswordHasher::class),
+    TokenGenerator::class => DI\create(RandomTokenGenerator::class),
+    Clock::class => DI\create(SystemClock::class),
+
+    // Use cases
+    AuthenticateUser::class => DI\autowire(),
+    CreateSession::class => DI\autowire(),
+    Logout::class => DI\autowire(),
+
+    // HTTP layer
+    AuthController::class => DI\autowire(),
+    AuthMiddleware::class => DI\autowire(),
+
+]);
+
+return $builder->build();
diff --git a/backend/config/routes.php b/backend/config/routes.php
new file mode 100644
index 0000000..cd9f359
--- /dev/null
+++ b/backend/config/routes.php
@@ -0,0 +1,17 @@
+<?php
+
+use App\Controllers\AuthController;
+use App\Middleware\AuthMiddleware;
+use Slim\App;
+use Slim\Routing\RouteCollectorProxy;
+
+return function (App $app): void {
+
+    $app->get('/me', [AuthController::class, 'me'])
+        ->add(AuthMiddleware::class);
+
+    $app->post('/login', [AuthController::class, 'login']);
+
+    $app->post('/logout', [AuthController::class, 'logout'])
+        ->add(AuthMiddleware::class);
+};
diff --git a/backend/public/index.php b/backend/public/index.php
new file mode 100644
index 0000000..0209daf
--- /dev/null
+++ b/backend/public/index.php
@@ -0,0 +1,19 @@
+<?php
+
+use DI\Bridge\Slim\Bridge;
+use Slim\App;
+
+(static function (): void {
+    $root = dirname(__DIR__);
+
+    require $root.'/vendor/autoload.php';
+
+    $container = require $root.'/config/container.php';
+
+    /** @var App $app */
+    $app = Bridge::create($container);
+
+    (require $root.'/config/routes.php')($app);
+
+    $app->run();
+})();