diff --git a/backend/app/Auth/BcryptPasswordHasher.php b/backend/app/Auth/BcryptPasswordHasher.php
new file mode 100644
index 0000000..0bc4a46
--- /dev/null
+++ b/backend/app/Auth/BcryptPasswordHasher.php
@@ -0,0 +1,16 @@
+<?php
+
+namespace App\Auth;
+
+class BcryptPasswordHasher implements PasswordHasher
+{
+    public function hash(string $password): string
+    {
+        return password_hash($password, PASSWORD_DEFAULT);
+    }
+
+    public function verify(string $password, string $hash): bool
+    {
+        return password_verify($password, $hash);
+    }
+}
diff --git a/backend/app/Auth/Clock.php b/backend/app/Auth/Clock.php
new file mode 100644
index 0000000..b96ad32
--- /dev/null
+++ b/backend/app/Auth/Clock.php
@@ -0,0 +1,10 @@
+<?php
+
+namespace App\Auth;
+
+use DateTimeImmutable;
+
+interface Clock
+{
+    public function now(): DateTimeImmutable;
+}
diff --git a/backend/app/Auth/CreateSessionDto.php b/backend/app/Auth/CreateSessionDto.php
new file mode 100644
index 0000000..2e5e2f7
--- /dev/null
+++ b/backend/app/Auth/CreateSessionDto.php
@@ -0,0 +1,16 @@
+<?php
+
+namespace App\Auth;
+
+use App\User\User;
+use DateTimeImmutable;
+
+class CreateSessionDto
+{
+    public function __construct(
+        public string $token,
+        public User $user,
+        public DateTimeImmutable $createdAt,
+        public DateTimeImmutable $expiresAt,
+    ) {}
+}
diff --git a/backend/app/Auth/EloquentSessionRepository.php b/backend/app/Auth/EloquentSessionRepository.php
new file mode 100644
index 0000000..01cd4be
--- /dev/null
+++ b/backend/app/Auth/EloquentSessionRepository.php
@@ -0,0 +1,60 @@
+<?php
+
+namespace App\Auth;
+
+use App\User\UserRepository;
+use DateTimeImmutable;
+use DateTimeZone;
+
+class EloquentSessionRepository implements SessionRepository
+{
+    public function __construct(private UserRepository $userRepo) {}
+
+    public function create(CreateSessionDto $dto): Session
+    {
+        SessionModel::create([
+            'token' => $dto->token,
+            'user_id' => $dto->user->getId(),
+            'created_at' => $dto->createdAt,
+            'expires_at' => $dto->expiresAt,
+        ]);
+
+        return new Session(
+            token: $dto->token,
+            user: $dto->user,
+            createdAt: $dto->createdAt,
+            expiresAt: $dto->expiresAt,
+        );
+    }
+
+    public function findByToken(string $token): ?Session
+    {
+        $model = SessionModel::find($token);
+        if ($model === null) {
+            return null;
+        }
+        $user = $this->userRepo->find($model->user_id);
+        if ($user === null) {
+            return null;
+        }
+        $utc = new DateTimeZone('UTC');
+
+        return new Session(
+            token: $model->token,
+            user: $user,
+            createdAt: new DateTimeImmutable(
+                $model->created_at->toDateTimeString(),
+                $utc
+            ),
+            expiresAt: new DateTimeImmutable(
+                $model->expires_at->toDateTimeString(),
+                $utc
+            ),
+        );
+    }
+
+    public function deleteByToken(string $token): void
+    {
+        SessionModel::where('token', $token)->delete();
+    }
+}
diff --git a/backend/app/Auth/PasswordHasher.php b/backend/app/Auth/PasswordHasher.php
new file mode 100644
index 0000000..ab57a41
--- /dev/null
+++ b/backend/app/Auth/PasswordHasher.php
@@ -0,0 +1,10 @@
+<?php
+
+namespace App\Auth;
+
+interface PasswordHasher
+{
+    public function hash(string $password): string;
+
+    public function verify(string $password, string $hash): bool;
+}
diff --git a/backend/app/Auth/RandomTokenGenerator.php b/backend/app/Auth/RandomTokenGenerator.php
new file mode 100644
index 0000000..0615bff
--- /dev/null
+++ b/backend/app/Auth/RandomTokenGenerator.php
@@ -0,0 +1,11 @@
+<?php
+
+namespace App\Auth;
+
+class RandomTokenGenerator implements TokenGenerator
+{
+    public function generate(): string
+    {
+        return bin2hex(random_bytes(32));
+    }
+}
diff --git a/backend/app/Auth/Session.php b/backend/app/Auth/Session.php
new file mode 100644
index 0000000..b433114
--- /dev/null
+++ b/backend/app/Auth/Session.php
@@ -0,0 +1,41 @@
+<?php
+
+namespace App\Auth;
+
+use App\User\User;
+use DateTimeImmutable;
+
+class Session
+{
+    public function __construct(
+        private string $token,
+        private User $user,
+        private DateTimeImmutable $createdAt,
+        private DateTimeImmutable $expiresAt,
+    ) {}
+
+    public function getToken(): string
+    {
+        return $this->token;
+    }
+
+    public function getUser(): User
+    {
+        return $this->user;
+    }
+
+    public function getCreatedAt(): DateTimeImmutable
+    {
+        return $this->createdAt;
+    }
+
+    public function getExpiresAt(): DateTimeImmutable
+    {
+        return $this->expiresAt;
+    }
+
+    public function isExpired(DateTimeImmutable $now): bool
+    {
+        return $now >= $this->expiresAt;
+    }
+}
diff --git a/backend/app/Auth/SessionModel.php b/backend/app/Auth/SessionModel.php
new file mode 100644
index 0000000..574a142
--- /dev/null
+++ b/backend/app/Auth/SessionModel.php
@@ -0,0 +1,44 @@
+<?php
+
+namespace App\Auth;
+
+use Illuminate\Database\Eloquent\Builder;
+use Illuminate\Database\Eloquent\Model;
+use Illuminate\Support\Carbon;
+
+/**
+ * @property string $token
+ * @property int $user_id
+ * @property Carbon $created_at
+ * @property Carbon $expires_at
+ *
+ * @method static Builder<static>|SessionModel newModelQuery()
+ * @method static Builder<static>|SessionModel newQuery()
+ * @method static Builder<static>|SessionModel query()
+ *
+ * @mixin \Eloquent
+ */
+class SessionModel extends Model
+{
+    protected $table = 'sessions';
+
+    protected $primaryKey = 'token';
+
+    public $incrementing = false;
+
+    protected $keyType = 'string';
+
+    public $timestamps = false;
+
+    protected $fillable = [
+        'token',
+        'user_id',
+        'created_at',
+        'expires_at',
+    ];
+
+    protected $casts = [
+        'created_at' => 'datetime',
+        'expires_at' => 'datetime',
+    ];
+}
diff --git a/backend/app/Auth/SessionRepository.php b/backend/app/Auth/SessionRepository.php
new file mode 100644
index 0000000..cabae60
--- /dev/null
+++ b/backend/app/Auth/SessionRepository.php
@@ -0,0 +1,12 @@
+<?php
+
+namespace App\Auth;
+
+interface SessionRepository
+{
+    public function create(CreateSessionDto $dto): Session;
+
+    public function findByToken(string $token): ?Session;
+
+    public function deleteByToken(string $token): void;
+}
diff --git a/backend/app/Auth/SystemClock.php b/backend/app/Auth/SystemClock.php
new file mode 100644
index 0000000..dd77c28
--- /dev/null
+++ b/backend/app/Auth/SystemClock.php
@@ -0,0 +1,14 @@
+<?php
+
+namespace App\Auth;
+
+use DateTimeImmutable;
+use DateTimeZone;
+
+class SystemClock implements Clock
+{
+    public function now(): DateTimeImmutable
+    {
+        return new DateTimeImmutable('now', new DateTimeZone('UTC'));
+    }
+}
diff --git a/backend/app/Auth/TokenGenerator.php b/backend/app/Auth/TokenGenerator.php
new file mode 100644
index 0000000..39b4263
--- /dev/null
+++ b/backend/app/Auth/TokenGenerator.php
@@ -0,0 +1,8 @@
+<?php
+
+namespace App\Auth;
+
+interface TokenGenerator
+{
+    public function generate(): string;
+}
diff --git a/backend/app/Auth/UseCases/AuthenticateUser/AuthenticateUser.php b/backend/app/Auth/UseCases/AuthenticateUser/AuthenticateUser.php
new file mode 100644
index 0000000..7e8c92c
--- /dev/null
+++ b/backend/app/Auth/UseCases/AuthenticateUser/AuthenticateUser.php
@@ -0,0 +1,49 @@
+<?php
+
+namespace App\Auth\UseCases\AuthenticateUser;
+
+use App\Auth\PasswordHasher;
+use App\Exceptions\BadRequestException;
+use App\Exceptions\UnauthorizedException;
+use App\Shared\ValueObject\EmailAddress;
+use App\User\User;
+use App\User\UserRepository;
+
+class AuthenticateUser
+{
+    public function __construct(
+        private UserRepository $userRepo,
+        private PasswordHasher $hasher,
+    ) {}
+
+    /**
+     * @throws BadRequestException
+     * @throws UnauthorizedException
+     */
+    public function execute(AuthenticateUserRequest $request): User
+    {
+        if ($request->email === null || $request->email === '') {
+            throw new BadRequestException('email is required');
+        }
+        if ($request->password === null || $request->password === '') {
+            throw new BadRequestException('password is required');
+        }
+
+        $user = $this->userRepo->findByEmail(
+            new EmailAddress($request->email)
+        );
+        if ($user === null) {
+            throw new UnauthorizedException('invalid credentials');
+        }
+
+        $passwordMatches = $this->hasher->verify(
+            $request->password,
+            $user->getPasswordHash(),
+        );
+        if (! $passwordMatches) {
+            throw new UnauthorizedException('invalid credentials');
+        }
+
+        return $user;
+    }
+}
diff --git a/backend/app/Auth/UseCases/AuthenticateUser/AuthenticateUserRequest.php b/backend/app/Auth/UseCases/AuthenticateUser/AuthenticateUserRequest.php
new file mode 100644
index 0000000..aa8b1df
--- /dev/null
+++ b/backend/app/Auth/UseCases/AuthenticateUser/AuthenticateUserRequest.php
@@ -0,0 +1,11 @@
+<?php
+
+namespace App\Auth\UseCases\AuthenticateUser;
+
+class AuthenticateUserRequest
+{
+    public function __construct(
+        public ?string $email,
+        public ?string $password,
+    ) {}
+}
diff --git a/backend/app/Auth/UseCases/CreateSession/CreateSession.php b/backend/app/Auth/UseCases/CreateSession/CreateSession.php
new file mode 100644
index 0000000..db6403f
--- /dev/null
+++ b/backend/app/Auth/UseCases/CreateSession/CreateSession.php
@@ -0,0 +1,34 @@
+<?php
+
+namespace App\Auth\UseCases\CreateSession;
+
+use App\Auth\Clock;
+use App\Auth\CreateSessionDto;
+use App\Auth\Session;
+use App\Auth\SessionRepository;
+use App\Auth\TokenGenerator;
+use App\User\User;
+
+class CreateSession
+{
+    private const SESSION_LIFETIME = '+7 days';
+
+    public function __construct(
+        private SessionRepository $sessionRepo,
+        private TokenGenerator $tokenGenerator,
+        private Clock $clock,
+    ) {}
+
+    public function execute(User $user): Session
+    {
+        $now = $this->clock->now();
+        $expiresAt = $now->modify(self::SESSION_LIFETIME);
+
+        return $this->sessionRepo->create(new CreateSessionDto(
+            token: $this->tokenGenerator->generate(),
+            user: $user,
+            createdAt: $now,
+            expiresAt: $expiresAt,
+        ));
+    }
+}
diff --git a/backend/app/Auth/UseCases/Logout/Logout.php b/backend/app/Auth/UseCases/Logout/Logout.php
new file mode 100644
index 0000000..31b16de
--- /dev/null
+++ b/backend/app/Auth/UseCases/Logout/Logout.php
@@ -0,0 +1,17 @@
+<?php
+
+namespace App\Auth\UseCases\Logout;
+
+use App\Auth\SessionRepository;
+
+class Logout
+{
+    public function __construct(
+        private SessionRepository $sessionRepo,
+    ) {}
+
+    public function execute(string $token): void
+    {
+        $this->sessionRepo->deleteByToken($token);
+    }
+}
diff --git a/backend/app/Exceptions/BadRequestException.php b/backend/app/Exceptions/BadRequestException.php
new file mode 100644
index 0000000..b900f47
--- /dev/null
+++ b/backend/app/Exceptions/BadRequestException.php
@@ -0,0 +1,7 @@
+<?php
+
+namespace App\Exceptions;
+
+use DomainException;
+
+class BadRequestException extends DomainException {}
diff --git a/backend/app/Exceptions/UnauthorizedException.php b/backend/app/Exceptions/UnauthorizedException.php
new file mode 100644
index 0000000..f5d406e
--- /dev/null
+++ b/backend/app/Exceptions/UnauthorizedException.php
@@ -0,0 +1,7 @@
+<?php
+
+namespace App\Exceptions;
+
+use DomainException;
+
+class UnauthorizedException extends DomainException {}
diff --git a/backend/app/Http/Middleware/AuthMiddleware.php b/backend/app/Http/Middleware/AuthMiddleware.php
new file mode 100644
index 0000000..8e21ece
--- /dev/null
+++ b/backend/app/Http/Middleware/AuthMiddleware.php
@@ -0,0 +1,51 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use App\Auth\Clock;
+use App\Auth\SessionRepository;
+use Closure;
+use Illuminate\Http\JsonResponse;
+use Illuminate\Http\Request;
+use Symfony\Component\HttpFoundation\Response;
+
+class AuthMiddleware
+{
+    public const COOKIE_NAME = 'auth_token';
+
+    public function __construct(
+        private SessionRepository $sessionRepo,
+        private Clock $clock,
+    ) {}
+
+    /**
+     * @param  Closure(Request): Response  $next
+     */
+    public function handle(Request $request, Closure $next): Response
+    {
+        $token = $request->cookie(self::COOKIE_NAME);
+        if (! is_string($token) || $token === '') {
+            return $this->unauthorized();
+        }
+
+        $session = $this->sessionRepo->findByToken($token);
+        if ($session === null) {
+            return $this->unauthorized();
+        }
+
+        if ($session->isExpired($this->clock->now())) {
+            $this->sessionRepo->deleteByToken($token);
+
+            return $this->unauthorized();
+        }
+
+        $request->attributes->set('user', $session->getUser());
+
+        return $next($request);
+    }
+
+    private function unauthorized(): JsonResponse
+    {
+        return new JsonResponse(['error' => 'unauthenticated'], 401);
+    }
+}
diff --git a/backend/app/Shared/ValueObject/EmailAddress.php b/backend/app/Shared/ValueObject/EmailAddress.php
new file mode 100644
index 0000000..a744918
--- /dev/null
+++ b/backend/app/Shared/ValueObject/EmailAddress.php
@@ -0,0 +1,54 @@
+<?php
+
+namespace App\Shared\ValueObject;
+
+use InvalidArgumentException;
+
+final readonly class EmailAddress
+{
+    private string $normalized;
+
+    private string $domain;
+
+    private const ERROR_MESSAGE = 'Invalid email address:';
+
+    public function __construct(string $email)
+    {
+
+        $trimmed = trim($email);
+
+        if ($trimmed === '' || ! str_contains($trimmed, '@')) {
+            throw new InvalidArgumentException(self::ERROR_MESSAGE." $email");
+        }
+
+        [$local, $domain] = explode('@', $trimmed, 2);
+        $this->domain = mb_strtolower($domain);
+        $normalized = $local.'@'.$this->domain;
+
+        if (filter_var($normalized, FILTER_VALIDATE_EMAIL) === false) {
+            throw new InvalidArgumentException(self::ERROR_MESSAGE." $email");
+        }
+
+        $this->normalized = $normalized;
+    }
+
+    public function value(): string
+    {
+        return $this->normalized;
+    }
+
+    public function equals(self $other): bool
+    {
+        return $this->normalized === $other->normalized;
+    }
+
+    public function getDomain(): string
+    {
+        return $this->domain;
+    }
+
+    public function __toString(): string
+    {
+        return $this->normalized;
+    }
+}
diff --git a/backend/app/User/CreateUserDto.php b/backend/app/User/CreateUserDto.php
new file mode 100644
index 0000000..d10b373
--- /dev/null
+++ b/backend/app/User/CreateUserDto.php
@@ -0,0 +1,13 @@
+<?php
+
+namespace App\User;
+
+use App\Shared\ValueObject\EmailAddress;
+
+class CreateUserDto
+{
+    public function __construct(
+        public EmailAddress $email,
+        public string $passwordHash,
+    ) {}
+}
diff --git a/backend/app/User/EloquentUserRepository.php b/backend/app/User/EloquentUserRepository.php
new file mode 100644
index 0000000..f69ec4a
--- /dev/null
+++ b/backend/app/User/EloquentUserRepository.php
@@ -0,0 +1,52 @@
+<?php
+
+namespace App\User;
+
+use App\Shared\ValueObject\EmailAddress;
+
+class EloquentUserRepository implements UserRepository
+{
+    public function create(CreateUserDto $dto): User
+    {
+        $model = UserModel::create([
+            'email' => $dto->email->value(),
+            'password_hash' => $dto->passwordHash,
+        ]);
+
+        return $this->toDomain($model);
+    }
+
+    public function findByEmail(EmailAddress $email): ?User
+    {
+        $model = UserModel::where('email', $email->value())->first();
+
+        return $model === null ? null : $this->toDomain($model);
+    }
+
+    public function findByEmailDomain(string $domain): array
+    {
+        $models = UserModel::where('email', 'like', '%@'.$domain)->get();
+        $users = [];
+        foreach ($models as $model) {
+            $users[] = $this->toDomain($model);
+        }
+
+        return $users;
+    }
+
+    public function find(int $id): ?User
+    {
+        $model = UserModel::find($id);
+
+        return $model === null ? null : $this->toDomain($model);
+    }
+
+    private function toDomain(UserModel $model): User
+    {
+        return new User(
+            id: $model->id,
+            email: new EmailAddress($model->email),
+            passwordHash: $model->password_hash,
+        );
+    }
+}
diff --git a/backend/app/User/User.php b/backend/app/User/User.php
new file mode 100644
index 0000000..3d8ed63
--- /dev/null
+++ b/backend/app/User/User.php
@@ -0,0 +1,29 @@
+<?php
+
+namespace App\User;
+
+use App\Shared\ValueObject\EmailAddress;
+
+class User
+{
+    public function __construct(
+        private int $id,
+        private EmailAddress $email,
+        private string $passwordHash,
+    ) {}
+
+    public function getId(): int
+    {
+        return $this->id;
+    }
+
+    public function getEmail(): EmailAddress
+    {
+        return $this->email;
+    }
+
+    public function getPasswordHash(): string
+    {
+        return $this->passwordHash;
+    }
+}
diff --git a/backend/app/User/UserModel.php b/backend/app/User/UserModel.php
new file mode 100644
index 0000000..7d8c09d
--- /dev/null
+++ b/backend/app/User/UserModel.php
@@ -0,0 +1,27 @@
+<?php
+
+namespace App\User;
+
+use Illuminate\Database\Eloquent\Model;
+
+/**
+ * @property int $id
+ * @property string $email
+ * @property string $password_hash
+ *
+ * @method static \Illuminate\Database\Eloquent\Builder<static>|UserModel newModelQuery()
+ * @method static \Illuminate\Database\Eloquent\Builder<static>|UserModel newQuery()
+ * @method static \Illuminate\Database\Eloquent\Builder<static>|UserModel query()
+ * @method static \Illuminate\Database\Eloquent\Builder<static>|UserModel whereEmail($value)
+ * @method static \Illuminate\Database\Eloquent\Builder<static>|UserModel whereId($value)
+ *
+ * @mixin \Eloquent
+ */
+class UserModel extends Model
+{
+    protected $table = 'users';
+
+    public $timestamps = false;
+
+    protected $fillable = ['email', 'password_hash'];
+}
diff --git a/backend/app/User/UserRepository.php b/backend/app/User/UserRepository.php
new file mode 100644
index 0000000..3a1f083
--- /dev/null
+++ b/backend/app/User/UserRepository.php
@@ -0,0 +1,19 @@
+<?php
+
+namespace App\User;
+
+use App\Shared\ValueObject\EmailAddress;
+
+interface UserRepository
+{
+    public function create(CreateUserDto $dto): User;
+
+    public function findByEmail(EmailAddress $email): ?User;
+
+    /**
+     * @return User[]
+     */
+    public function findByEmailDomain(string $domain): array;
+
+    public function find(int $id): ?User;
+}
diff --git a/backend/bootstrap/app.php b/backend/bootstrap/app.php
index c183276..cb7c01a 100644
--- a/backend/bootstrap/app.php
+++ b/backend/bootstrap/app.php
@@ -6,7 +6,6 @@ use Illuminate\Foundation\Configuration\Middleware;
 
 return Application::configure(basePath: dirname(__DIR__))
     ->withRouting(
-        web: __DIR__.'/../routes/web.php',
         commands: __DIR__.'/../routes/console.php',
         health: '/up',
     )
diff --git a/backend/tests/Fakes/FakeClock.php b/backend/tests/Fakes/FakeClock.php
new file mode 100644
index 0000000..f32d5a4
--- /dev/null
+++ b/backend/tests/Fakes/FakeClock.php
@@ -0,0 +1,15 @@
+<?php
+
+namespace Tests\Fakes;
+
+use App\Auth\Clock;
+use DateTimeImmutable;
+use DateTimeZone;
+
+class FakeClock implements Clock
+{
+    public function now(): DateTimeImmutable
+    {
+        return new DateTimeImmutable('2026-05-18 12:00:00', new DateTimeZone('UTC'));
+    }
+}
diff --git a/backend/tests/Fakes/FakeHasher.php b/backend/tests/Fakes/FakeHasher.php
new file mode 100644
index 0000000..0770d9d
--- /dev/null
+++ b/backend/tests/Fakes/FakeHasher.php
@@ -0,0 +1,18 @@
+<?php
+
+namespace Tests\Fakes;
+
+use App\Auth\PasswordHasher;
+
+class FakeHasher implements PasswordHasher
+{
+    public function hash(string $password): string
+    {
+        return 'hashed-' . $password;
+    }
+
+    public function verify(string $password, string $hash): bool
+    {
+        return $hash === 'hashed-' . $password;
+    }
+}
diff --git a/backend/tests/Fakes/FakeSessionRepository.php b/backend/tests/Fakes/FakeSessionRepository.php
new file mode 100644
index 0000000..120ccd8
--- /dev/null
+++ b/backend/tests/Fakes/FakeSessionRepository.php
@@ -0,0 +1,47 @@
+<?php
+
+namespace Tests\Fakes;
+
+use App\Auth\CreateSessionDto;
+use App\Auth\Session;
+use App\Auth\SessionRepository;
+use DateTimeImmutable;
+
+class FakeSessionRepository implements SessionRepository
+{
+    private array $sessionsByToken = [];
+
+    public function create(CreateSessionDto $dto): Session
+    {
+        $session = new Session(
+            $dto->token,
+            $dto->user,
+            $dto->createdAt,
+            $dto->expiresAt
+        );
+        $this->sessionsByToken[$dto->token] = $session;
+
+        return $session;
+    }
+
+    public function findByToken(string $token): ?Session
+    {
+        if (! isset($this->sessionsByToken[$token])) {
+            return null;
+        }
+
+        $stored = $this->sessionsByToken[$token];
+
+        return new Session(
+            $stored->getToken(),
+            $stored->getUser(),
+            $stored->getCreatedAt(),
+            $stored->getExpiresAt()
+        );
+    }
+
+    public function deleteByToken(string $token): void
+    {
+        unset($this->sessionsByToken[$token]);
+    }
+}
diff --git a/backend/tests/Fakes/FakeTokenGenerator.php b/backend/tests/Fakes/FakeTokenGenerator.php
new file mode 100644
index 0000000..dcb8819
--- /dev/null
+++ b/backend/tests/Fakes/FakeTokenGenerator.php
@@ -0,0 +1,13 @@
+<?php
+
+namespace Tests\Fakes;
+
+use App\Auth\TokenGenerator;
+
+class FakeTokenGenerator implements TokenGenerator
+{
+    public function generate(): string
+    {
+        return 'fake-token-123';
+    }
+}
diff --git a/backend/tests/Fakes/FakeUserRepository.php b/backend/tests/Fakes/FakeUserRepository.php
new file mode 100644
index 0000000..dc47606
--- /dev/null
+++ b/backend/tests/Fakes/FakeUserRepository.php
@@ -0,0 +1,70 @@
+<?php
+
+namespace Tests\Fakes;
+
+use App\Shared\ValueObject\EmailAddress;
+use App\User\CreateUserDto;
+use App\User\User;
+use App\User\UserRepository;
+
+class FakeUserRepository implements UserRepository
+{
+    private array $usersById = [];
+    private array $usersByEmail = [];
+
+    public function create(CreateUserDto $dto): User
+    {
+        $id = count($this->usersById) + 1;
+        $user = new User($id, $dto->email, $dto->passwordHash);
+        $this->usersById[$id] = $user;
+        $this->usersByEmail[$dto->email->value()] = $user;
+
+        return $user;
+    }
+
+    public function findByEmail(EmailAddress $email): ?User
+    {
+        if (! isset($this->usersByEmail[$email->value()])) {
+            return null;
+        }
+
+        $stored = $this->usersByEmail[$email->value()];
+
+        return new User(
+            $stored->getId(),
+            $stored->getEmail(),
+            $stored->getPasswordHash()
+        );
+    }
+
+    public function findByEmailDomain(string $domain): array
+    {
+        $result = [];
+        foreach ($this->usersByEmail as $email => $stored) {
+            if (str_ends_with($email, '@' . $domain)) {
+                $result[] = new User(
+                    $stored->getId(),
+                    $stored->getEmail(),
+                    $stored->getPasswordHash()
+                );
+            }
+        }
+
+        return $result;
+    }
+
+    public function find(int $id): ?User
+    {
+        if (! isset($this->usersById[$id])) {
+            return null;
+        }
+
+        $stored = $this->usersById[$id];
+
+        return new User(
+            $stored->getId(),
+            $stored->getEmail(),
+            $stored->getPasswordHash()
+        );
+    }
+}
diff --git a/backend/tests/Unit/Auth/UseCases/AuthenticateUserTest.php b/backend/tests/Unit/Auth/UseCases/AuthenticateUserTest.php
new file mode 100644
index 0000000..8a96f41
--- /dev/null
+++ b/backend/tests/Unit/Auth/UseCases/AuthenticateUserTest.php
@@ -0,0 +1,99 @@
+<?php
+
+namespace Tests\Unit\Auth\UseCases;
+
+use App\Auth\PasswordHasher;
+use App\Auth\UseCases\AuthenticateUser\AuthenticateUser;
+use App\Auth\UseCases\AuthenticateUser\AuthenticateUserRequest;
+use App\Exceptions\BadRequestException;
+use App\Exceptions\UnauthorizedException;
+use App\Shared\ValueObject\EmailAddress;
+use App\User\CreateUserDto;
+use App\User\User;
+use PHPUnit\Framework\TestCase;
+use Tests\Fakes\FakeHasher;
+use Tests\Fakes\FakeUserRepository;
+
+class AuthenticateUserTest extends TestCase
+{
+    private FakeUserRepository $userRepo;
+    private PasswordHasher $hasher;
+    private AuthenticateUser $authenticateUser;
+
+    protected function setUp(): void
+    {
+        $this->userRepo = new FakeUserRepository();
+        $this->hasher = new FakeHasher();
+
+        $this->authenticateUser = new AuthenticateUser($this->userRepo, $this->hasher);
+    }
+
+    public function testAuthenticatesValidUser(): void
+    {
+        $email = new EmailAddress('user@example.com');
+        $this->userRepo->create(new CreateUserDto($email, 'hashed-secret'));
+
+        $request = new AuthenticateUserRequest('user@example.com', 'secret');
+        $user = $this->authenticateUser->execute($request);
+
+        $this->assertInstanceOf(User::class, $user);
+        $this->assertSame('user@example.com', $user->getEmail()->value());
+    }
+
+    public function testThrowsWhenEmailMissing(): void
+    {
+        $this->expectException(BadRequestException::class);
+        $this->expectExceptionMessage('email is required');
+
+        $request = new AuthenticateUserRequest(null, 'secret');
+        $this->authenticateUser->execute($request);
+    }
+
+    public function testThrowsWhenPasswordMissing(): void
+    {
+        $this->expectException(BadRequestException::class);
+        $this->expectExceptionMessage('password is required');
+
+        $request = new AuthenticateUserRequest('user@example.com', null);
+        $this->authenticateUser->execute($request);
+    }
+
+    public function testThrowsWhenEmailEmpty(): void
+    {
+        $this->expectException(BadRequestException::class);
+        $this->expectExceptionMessage('email is required');
+
+        $request = new AuthenticateUserRequest('', 'secret');
+        $this->authenticateUser->execute($request);
+    }
+
+    public function testThrowsWhenPasswordEmpty(): void
+    {
+        $this->expectException(BadRequestException::class);
+        $this->expectExceptionMessage('password is required');
+
+        $request = new AuthenticateUserRequest('user@example.com', '');
+        $this->authenticateUser->execute($request);
+    }
+
+    public function testThrowsWhenUserNotFound(): void
+    {
+        $this->expectException(UnauthorizedException::class);
+        $this->expectExceptionMessage('invalid credentials');
+
+        $request = new AuthenticateUserRequest('missing@example.com', 'secret');
+        $this->authenticateUser->execute($request);
+    }
+
+    public function testThrowsWhenPasswordIncorrect(): void
+    {
+        $email = new EmailAddress('user@example.com');
+        $this->userRepo->create(new CreateUserDto($email, 'hashed-secret'));
+
+        $this->expectException(UnauthorizedException::class);
+        $this->expectExceptionMessage('invalid credentials');
+
+        $request = new AuthenticateUserRequest('user@example.com', 'wrong');
+        $this->authenticateUser->execute($request);
+    }
+}
diff --git a/backend/tests/Unit/Auth/UseCases/CreateSessionTest.php b/backend/tests/Unit/Auth/UseCases/CreateSessionTest.php
new file mode 100644
index 0000000..d6368f2
--- /dev/null
+++ b/backend/tests/Unit/Auth/UseCases/CreateSessionTest.php
@@ -0,0 +1,47 @@
+<?php
+
+namespace Tests\Unit\Auth\UseCases;
+
+use App\Auth\Clock;
+use App\Auth\UseCases\CreateSession\CreateSession;
+use App\Shared\ValueObject\EmailAddress;
+use App\User\User;
+use PHPUnit\Framework\TestCase;
+use Tests\Fakes\FakeClock;
+use Tests\Fakes\FakeSessionRepository;
+use Tests\Fakes\FakeTokenGenerator;
+
+class CreateSessionTest extends TestCase
+{
+    private FakeSessionRepository $sessionRepo;
+    private FakeTokenGenerator $tokenGenerator;
+    private Clock $clock;
+    private CreateSession $createSession;
+
+    protected function setUp(): void
+    {
+        $this->sessionRepo = new FakeSessionRepository();
+        $this->tokenGenerator = new FakeTokenGenerator();
+        $this->clock = new FakeClock();
+
+        $this->createSession = new CreateSession($this->sessionRepo, $this->tokenGenerator, $this->clock);
+    }
+
+    public function testCreatesSessionForUser(): void
+    {
+        $email = new EmailAddress('user@example.com');
+        $user = new User(1, $email, 'hashed-password');
+
+        $session = $this->createSession->execute($user);
+
+        $this->assertSame('fake-token-123', $session->getToken());
+        $this->assertSame($user, $session->getUser());
+        $this->assertFalse($session->isExpired($this->clock->now()));
+        $this->assertSame('2026-05-18 12:00:00', $session->getCreatedAt()->format('Y-m-d H:i:s'));
+        $this->assertSame('2026-05-25 12:00:00', $session->getExpiresAt()->format('Y-m-d H:i:s'));
+
+        $stored = $this->sessionRepo->findByToken($session->getToken());
+        $this->assertNotNull($stored);
+        $this->assertSame('fake-token-123', $stored->getToken());
+    }
+}
diff --git a/backend/tests/Unit/Auth/UseCases/LogoutTest.php b/backend/tests/Unit/Auth/UseCases/LogoutTest.php
new file mode 100644
index 0000000..2b28630
--- /dev/null
+++ b/backend/tests/Unit/Auth/UseCases/LogoutTest.php
@@ -0,0 +1,46 @@
+<?php
+
+namespace Tests\Unit\Auth\UseCases;
+
+use App\Auth\CreateSessionDto;
+use App\Auth\UseCases\Logout\Logout;
+use App\Shared\ValueObject\EmailAddress;
+use App\User\User;
+use PHPUnit\Framework\TestCase;
+use Tests\Fakes\FakeSessionRepository;
+
+class LogoutTest extends TestCase
+{
+    private FakeSessionRepository $sessionRepo;
+    private Logout $logout;
+
+    protected function setUp(): void
+    {
+        $this->sessionRepo = new FakeSessionRepository();
+        $this->logout = new Logout($this->sessionRepo);
+    }
+
+    public function testDeletesSessionByToken(): void
+    {
+        $email = new EmailAddress('user@example.com');
+        $user = new User(1, $email, 'hashed-password');
+
+        $session = $this->sessionRepo->create(new CreateSessionDto(
+            'session-token',
+            $user,
+            new \DateTimeImmutable(),
+            new \DateTimeImmutable('+1 hour')
+        ));
+
+        $this->logout->execute('session-token');
+
+        $this->assertNull($this->sessionRepo->findByToken('session-token'));
+    }
+
+    public function testDeletesMissingTokenIsIdempotent(): void
+    {
+        $this->logout->execute('nonexistent-token');
+
+        $this->assertNull($this->sessionRepo->findByToken('nonexistent-token'));
+    }
+}
diff --git a/backend/tests/Unit/User/UserTest.php b/backend/tests/Unit/User/UserTest.php
new file mode 100644
index 0000000..89734e9
--- /dev/null
+++ b/backend/tests/Unit/User/UserTest.php
@@ -0,0 +1,20 @@
+<?php
+
+namespace Tests\Unit\User;
+
+use App\Shared\ValueObject\EmailAddress;
+use App\User\User;
+use PHPUnit\Framework\TestCase;
+
+class UserTest extends TestCase
+{
+    public function testCreatesUserWithPasswordHash(): void
+    {
+        $email = new EmailAddress('test@example.com');
+        $user = new User(1, $email, 'hashed-password');
+
+        $this->assertSame(1, $user->getId());
+        $this->assertSame($email, $user->getEmail());
+        $this->assertSame('hashed-password', $user->getPasswordHash());
+    }
+}
diff --git a/process-compose.yml b/process-compose.yml
index 7f71fe0..4fcfb4e 100644
--- a/process-compose.yml
+++ b/process-compose.yml
@@ -12,8 +12,8 @@ processes:
       period_seconds: 2
 
   backend:
-    command: bash backend/bin/serve
-    working_dir: .
+    command: php artisan serve --host=127.0.0.1 --port=8000
+    working_dir: backend
     depends_on:
       postgres:
         condition: process_healthy