diff --git a/backend/api/index.php b/backend/api/index.php
index 9137913..b2f4099 100644
--- a/backend/api/index.php
+++ b/backend/api/index.php
@@ -1,4 +1,5 @@
 <?php
+session_start();
 header('Content-Type: application/json');
 header('Access-Control-Allow-Origin: *');
 header('Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS');
@@ -12,18 +13,33 @@ if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
 require_once __DIR__ . '/../config/database.php';
 
 $db = getDbConnection();
-$requestUri = $_SERVER['REQUEST_URI'];
-$method = $_SERVER['REQUEST_METHOD'];
 
-$path = parse_url($requestUri, PHP_URL_PATH);
+// Auth check (except for session check)
+$path = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
 $path = str_replace('/api/', '', $path);
 $segments = explode('/', trim($path, '/'));
-
 $resource = $segments[0] ?? '';
+
+if ($resource !== 'session') {
+    $loggedin = isset($_SESSION['neptune_loggedin']) && $_SESSION['neptune_loggedin'] === true;
+    if (!$loggedin) {
+        http_response_code(401);
+        echo json_encode(['error' => 'Unauthorized']);
+        exit;
+    }
+}
+
+$method = $_SERVER['REQUEST_METHOD'];
 $id = $segments[1] ?? null;
 
 try {
     switch ($resource) {
+        case 'session':
+            handleSession($method, $db);
+            break;
+        case 'settings':
+            handleSettings($method, $db);
+            break;
         case 'teams':
             handleTeams($method, $id, $db);
             break;
@@ -51,6 +67,110 @@ try {
     echo json_encode(['error' => $e->getMessage()]);
 }
 
+function handleSession($method, $db) {
+    $loggedin = isset($_SESSION['neptune_loggedin']) && $_SESSION['neptune_loggedin'] === true;
+    if ($loggedin) {
+        $role = $_SESSION['neptune_role'] ?? 'user';
+        $stmt = $db->prepare("SELECT COUNT(*) as c FROM neptune_users WHERE role='admin'");
+        $stmt->execute();
+        $adminCount = $stmt->fetch()['c'];
+        echo json_encode([
+            'loggedin' => true,
+            'username' => $_SESSION['neptune_username'] ?? 'Unknown',
+            'role' => $role,
+            'admin_count' => (int)$adminCount
+        ]);
+    } else {
+        echo json_encode(['loggedin' => false]);
+    }
+}
+
+function handleSettings($method, $db) {
+    $role = $_SESSION['neptune_role'] ?? 'user';
+    if ($method === 'GET') {
+        if ($role !== 'admin') {
+            http_response_code(403);
+            echo json_encode(['error' => 'Admins only']);
+            return;
+        }
+        $users = $db->query("SELECT id, username, user_token, email, role, created_at FROM neptune_users ORDER BY created_at ASC")->fetchAll();
+        echo json_encode($users);
+    } elseif ($method === 'POST') {
+        if ($role !== 'admin') {
+            http_response_code(403);
+            echo json_encode(['error' => 'Admins only']);
+            return;
+        }
+        $data = json_decode(file_get_contents('php://input'), true);
+        $user_token = $data['user_token'] ?? '';
+        if (!$user_token) {
+            http_response_code(400);
+            echo json_encode(['error' => 'user_token required']);
+            return;
+        }
+        // Validate the token with Jakach Auth
+        $check_url = "https://auth.jakach.ch/api/auth/check_auth_key.php?auth_token=" . urlencode($user_token);
+        $ch = curl_init();
+        curl_setopt($ch, CURLOPT_URL, $check_url);
+        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+        curl_setopt($ch, CURLOPT_TIMEOUT, 10);
+        $response = curl_exec($ch);
+        $http = curl_getinfo($ch, CURLINFO_HTTP_CODE);
+        curl_close($ch);
+
+        if ($http !== 200 || !$response) {
+            http_response_code(400);
+            echo json_encode(['error' => 'Failed to validate token']);
+            return;
+        }
+        $info = json_decode($response, true);
+        if (!isset($info['status']) || $info['status'] !== 'success') {
+            http_response_code(400);
+            echo json_encode(['error' => 'Invalid token']);
+            return;
+        }
+
+        $stmt = $db->prepare("SELECT COUNT(*) as c FROM neptune_users WHERE user_token = ?");
+        $stmt->execute([$user_token]);
+        if ($stmt->fetch()['c'] > 0) {
+            http_response_code(400);
+            echo json_encode(['error' => 'User already exists']);
+            return;
+        }
+
+        $stmt = $db->prepare("INSERT INTO neptune_users (user_token, username, email, role) VALUES (?, ?, ?, 'user')");
+        $stmt->execute([$user_token, $info['username'], $info['email'] ?? '']);
+        echo json_encode(['status' => 'success', 'msg' => 'User added']);
+    } elseif ($method === 'DELETE') {
+        if ($role !== 'admin') {
+            http_response_code(403);
+            echo json_encode(['error' => 'Admins only']);
+            return;
+        }
+        $data = json_decode(file_get_contents('php://input'), true);
+        $id = $data['id'] ?? null;
+        if (!$id) {
+            http_response_code(400);
+            echo json_encode(['error' => 'id required']);
+            return;
+        }
+        // Prevent deleting the last admin
+        $stmt = $db->prepare("SELECT role FROM neptune_users WHERE id = ?");
+        $stmt->execute([$id]);
+        $user = $stmt->fetch();
+        if ($user && $user['role'] === 'admin') {
+            $adminCount = $db->query("SELECT COUNT(*) as c FROM neptune_users WHERE role='admin'")->fetch()['c'];
+            if ($adminCount <= 1) {
+                http_response_code(400);
+                echo json_encode(['error' => 'Cannot delete the last admin']);
+                return;
+            }
+        }
+        $db->prepare("DELETE FROM neptune_users WHERE id = ?")->execute([$id]);
+        echo json_encode(['status' => 'success']);
+    }
+}
+
 function handleTeams($method, $id, $db) {
     switch ($method) {
         case 'GET':
diff --git a/backend/config/database.php b/backend/config/database.php
index 608986d..2dd82ed 100644
--- a/backend/config/database.php
+++ b/backend/config/database.php
@@ -30,4 +30,12 @@ function migrate($db) {
         z_index INT DEFAULT 0,
         created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
     )");
+    $db->exec("CREATE TABLE IF NOT EXISTS neptune_users (
+        id INT AUTO_INCREMENT PRIMARY KEY,
+        user_token VARCHAR(255) NOT NULL UNIQUE,
+        username VARCHAR(255) NOT NULL,
+        email VARCHAR(255) DEFAULT '',
+        role ENUM('admin','user') DEFAULT 'user',
+        created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
+    )");
 }
\ No newline at end of file
diff --git a/backend/login.php b/backend/login.php
new file mode 100644
index 0000000..8e7db2d
--- /dev/null
+++ b/backend/login.php
@@ -0,0 +1,107 @@
+<?php
+session_start();
+
+// If already logged in, redirect
+if (isset($_SESSION['neptune_loggedin']) && $_SESSION['neptune_loggedin'] === true) {
+    header('Location: /');
+    exit;
+}
+
+$error = '';
+$success = '';
+
+// Check for auth callback from Jakach Auth
+if (isset($_GET['auth'])) {
+    $auth_token = $_GET['auth'];
+    $check_url = "https://auth.jakach.ch/api/auth/check_auth_key.php?auth_token=" . urlencode($auth_token);
+
+    $ch = curl_init();
+    curl_setopt($ch, CURLOPT_URL, $check_url);
+    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+    curl_setopt($ch, CURLOPT_TIMEOUT, 10);
+    $response = curl_exec($ch);
+    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
+    curl_close($ch);
+
+    if ($http_code !== 200 || !$response) {
+        $error = 'Failed to contact authentication server.';
+    } else {
+        $data = json_decode($response, true);
+        if (isset($data['status']) && $data['status'] === 'success') {
+            $user_token = $data['user_token'];
+            $username = $data['username'];
+            $email = $data['email'] ?? '';
+
+            require_once __DIR__ . '/config/database.php';
+            $db = getDbConnection();
+
+            // Check if user exists in our db
+            $stmt = $db->prepare("SELECT * FROM neptune_users WHERE user_token = ?");
+            $stmt->execute([$user_token]);
+            $user = $stmt->fetch();
+
+            if ($user) {
+                $_SESSION['neptune_loggedin'] = true;
+                $_SESSION['neptune_user_token'] = $user['user_token'];
+                $_SESSION['neptune_username'] = $user['username'];
+                $_SESSION['neptune_role'] = $user['role'];
+                header('Location: /');
+                exit;
+            } else {
+                // First user becomes admin
+                $count = $db->query("SELECT COUNT(*) as c FROM neptune_users")->fetch()['c'];
+                $role = ($count == 0) ? 'admin' : 'user';
+
+                $stmt = $db->prepare("INSERT INTO neptune_users (user_token, username, email, role) VALUES (?, ?, ?, ?)");
+                $stmt->execute([$user_token, $username, $email, $role]);
+
+                $_SESSION['neptune_loggedin'] = true;
+                $_SESSION['neptune_user_token'] = $user_token;
+                $_SESSION['neptune_username'] = $username;
+                $_SESSION['neptune_role'] = $role;
+                header('Location: /');
+                exit;
+            }
+        } else {
+            $error = 'Authentication failed: ' . ($data['msg'] ?? 'unknown error');
+        }
+    }
+}
+?>
+<!DOCTYPE html>
+<html lang="en" data-bs-theme="dark">
+<head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <title>Neptune - Login</title>
+    <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.2/dist/css/bootstrap.min.css" rel="stylesheet">
+    <link href="https://cdn.jsdelivr.net/npm/@fortawesome/fontawesome-free@6.5.1/css/all.min.css" rel="stylesheet">
+    <style>
+        body { background: #0a0e1a; display: flex; align-items: center; justify-content: center; min-height: 100vh; }
+        .login-card { background: #131a2b; border: 1px solid #1e2a45; border-radius: .75rem; padding: 2.5rem; max-width: 420px; width: 100%; }
+        .login-card h1 { font-size: 1.5rem; }
+        .login-card p { color: #64748b; font-size: .9rem; }
+        .btn-jakach { background: #3b82f6; color: #fff; }
+        .btn-jakach:hover { background: #2563eb; color: #fff; }
+    </style>
+</head>
+<body>
+    <div class="login-card text-center">
+        <i class="fas fa-globe text-primary mb-3" style="font-size: 2.5rem;"></i>
+        <h1 class="fw-bold mb-1">Neptune</h1>
+        <p class="mb-4">Cybersecurity Incident Journal</p>
+
+        <?php if ($error): ?>
+            <div class="alert alert-danger py-2 small"><?= htmlspecialchars($error) ?></div>
+        <?php endif; ?>
+        <?php if ($success): ?>
+            <div class="alert alert-success py-2 small"><?= htmlspecialchars($success) ?></div>
+        <?php endif; ?>
+
+        <a href="https://auth.jakach.ch/?send_to=<?= urlencode('http://' . ($_SERVER['HTTP_HOST'] ?? 'localhost:8080') . '/login.php') ?>" class="btn btn-jakach w-100 py-2 mb-2">
+            <i class="fas fa-right-to-bracket me-2"></i>Log in with Jakach Auth
+        </a>
+        <small class="text-secondary">First user automatically becomes admin</small>
+    </div>
+</body>
+</html>
\ No newline at end of file
diff --git a/backend/logout.php b/backend/logout.php
new file mode 100644
index 0000000..0b7054a
--- /dev/null
+++ b/backend/logout.php
@@ -0,0 +1,6 @@
+<?php
+session_start();
+$_SESSION = array();
+session_destroy();
+header('Location: /');
+exit;
\ No newline at end of file
diff --git a/docker/nginx.conf b/docker/nginx.conf
index 09c4517..b9e4d84 100644
--- a/docker/nginx.conf
+++ b/docker/nginx.conf
@@ -14,7 +14,25 @@ server {
         include fastcgi_params;
     }
 
+    location /login.php {
+        fastcgi_pass php:9000;
+        fastcgi_param SCRIPT_FILENAME /var/www/backend/login.php;
+        fastcgi_param REQUEST_URI $request_uri;
+        fastcgi_param QUERY_STRING $query_string;
+        fastcgi_param REQUEST_METHOD $request_method;
+        include fastcgi_params;
+    }
+
+    location /logout.php {
+        fastcgi_pass php:9000;
+        fastcgi_param SCRIPT_FILENAME /var/www/backend/logout.php;
+        fastcgi_param REQUEST_URI $request_uri;
+        fastcgi_param QUERY_STRING $query_string;
+        fastcgi_param REQUEST_METHOD $request_method;
+        include fastcgi_params;
+    }
+
     location / {
-        try_files $uri $uri/ =404;
+        try_files $uri $uri/ /index.html;
     }
 }
\ No newline at end of file
diff --git a/frontend/assets/js/app.js b/frontend/assets/js/app.js
index 79fb7c7..697502d 100644
--- a/frontend/assets/js/app.js
+++ b/frontend/assets/js/app.js
@@ -30,22 +30,25 @@ let editingNodeId = null;
 let editingShapeId = null;
 
 document.addEventListener('DOMContentLoaded', () => {
-    canvas = document.getElementById('networkCanvas');
-    ctx = canvas.getContext('2d');
-    resizeCanvas();
+    // Check auth first
+    checkSession().then(() => {
+        canvas = document.getElementById('networkCanvas');
+        ctx = canvas.getContext('2d');
+        resizeCanvas();
 
-    loadTeams().then(() => loadEvents());
-    loadNetworkData();
+        loadTeams().then(() => loadEvents());
+        loadNetworkData();
 
-    document.getElementById('saveEvent').addEventListener('click', saveEvent);
-    document.getElementById('saveNode').addEventListener('click', saveNode);
-    document.getElementById('saveLink').addEventListener('click', saveLink);
-    document.getElementById('saveShape').addEventListener('click', saveShape);
-    document.getElementById('teamFilter').addEventListener('change', renderTimeline);
-    document.getElementById('searchEvents').addEventListener('input', renderTimeline);
-    document.getElementById('shapeOpacity').addEventListener('input', (e) => {
-        document.getElementById('opacityVal').textContent = parseFloat(e.target.value).toFixed(2);
-    });
+        document.getElementById('saveEvent').addEventListener('click', saveEvent);
+        document.getElementById('saveNode').addEventListener('click', saveNode);
+        document.getElementById('saveLink').addEventListener('click', saveLink);
+        document.getElementById('saveShape').addEventListener('click', saveShape);
+        document.getElementById('addUserBtn').addEventListener('click', addUser);
+        document.getElementById('teamFilter').addEventListener('change', renderTimeline);
+        document.getElementById('searchEvents').addEventListener('input', renderTimeline);
+        document.getElementById('shapeOpacity').addEventListener('input', (e) => {
+            document.getElementById('opacityVal').textContent = parseFloat(e.target.value).toFixed(2);
+        });
 
     canvas.addEventListener('mousedown', onMouseDown);
     canvas.addEventListener('mousemove', onMouseMove);
@@ -882,6 +885,76 @@ function esc(s) {
     return div.innerHTML;
 }
 
+// ==================== AUTH / SESSION ====================
+let currentUser = null;
+let currentRole = null;
+
+async function checkSession() {
+    try {
+        const res = await fetch('/api/session');
+        const data = await res.json();
+        if (data.loggedin) {
+            currentUser = data.username;
+            currentRole = data.role;
+            document.getElementById('userDisplay').textContent = data.username;
+            if (data.role === 'admin' || data.admin_count === 0) {
+                document.getElementById('settingsBtn').classList.remove('d-none');
+            }
+        } else {
+            window.location.href = '/login.php';
+        }
+    } catch (e) {
+        window.location.href = '/login.php';
+    }
+}
+
+async function loadUsers() {
+    const list = document.getElementById('userList');
+    try {
+        const users = await apiFetch('settings');
+        list.innerHTML = users.map(u => `
+            <div class="d-flex justify-content-between align-items-center py-1 border-bottom border-secondary">
+                <div>
+                    <strong class="small">${esc(u.username)}</strong>
+                    <span class="badge bg-${u.role === 'admin' ? 'warning' : 'secondary'} ms-1" style="font-size:.6rem;">${u.role}</span>
+                    <div class="text-secondary" style="font-size:.7rem;">${u.user_token.substring(0, 16)}...</div>
+                </div>
+                ${u.role !== 'admin' ? `<button class="btn btn-outline-danger btn-sm py-0 px-1" onclick="removeUser(${u.id})"><i class="fas fa-times" style="font-size:.7rem;"></i></button>` : ''}
+            </div>
+        `).join('');
+    } catch (e) {
+        list.innerHTML = '<div class="text-danger small">Failed to load users</div>';
+    }
+}
+
+async function addUser() {
+    const token = document.getElementById('addUserToken').value.trim();
+    if (!token) return;
+    try {
+        const res = await apiFetch('settings', { method: 'POST', body: JSON.stringify({ user_token: token }) });
+        if (res.status === 'success') {
+            document.getElementById('addUserToken').value = '';
+            loadUsers();
+        } else {
+            alert(res.error || 'Failed to add user');
+        }
+    } catch (e) {
+        alert('Failed to add user');
+    }
+}
+
+async function removeUser(id) {
+    if (!confirm('Remove this user?')) return;
+    try {
+        await apiFetch('settings', { method: 'DELETE', body: JSON.stringify({ id }) });
+        loadUsers();
+    } catch (e) {
+        alert('Failed to remove user');
+    }
+}
+
+document.getElementById('settingsModal').addEventListener('show.bs.modal', loadUsers);
+
 if (!CanvasRenderingContext2D.prototype.roundRect) {
     CanvasRenderingContext2D.prototype.roundRect = function(x, y, w, h, r) {
         if (r > w / 2) r = w / 2;
diff --git a/frontend/index.html b/frontend/index.html
index f486692..a9cb29b 100644
--- a/frontend/index.html
+++ b/frontend/index.html
@@ -33,6 +33,11 @@
                     </button>
                 </li>
             </ul>
+            <div class="ms-auto d-flex align-items-center">
+                <span class="text-secondary small me-2" id="userDisplay"></span>
+                <button class="btn btn-outline-secondary btn-sm me-2 d-none" id="settingsBtn" data-bs-toggle="modal" data-bs-target="#settingsModal" title="Settings"><i class="fas fa-cog"></i></button>
+                <a href="/logout.php" class="btn btn-outline-secondary btn-sm"><i class="fas fa-sign-out-alt"></i></a>
+            </div>
         </div>
     </div>
 </nav>
@@ -329,6 +334,31 @@
     </div>
 </div>
 
+<!-- ==================== SETTINGS MODAL ==================== -->
+<div class="modal fade" id="settingsModal" tabindex="-1">
+    <div class="modal-dialog">
+        <div class="modal-content bg-dark">
+            <div class="modal-header border-secondary">
+                <h5 class="modal-title"><i class="fas fa-cog text-primary me-1"></i> Settings</h5>
+                <button type="button" class="btn-close" data-bs-dismiss="modal"></button>
+            </div>
+            <div class="modal-body">
+                <h6 class="text-secondary mb-2"><i class="fas fa-users me-1"></i> Authorized Users</h6>
+                <div id="userList" class="mb-3">
+                    <div class="text-secondary small">Loading...</div>
+                </div>
+                <hr class="border-secondary">
+                <h6 class="text-secondary mb-2"><i class="fas fa-user-plus me-1"></i> Add User by Token</h6>
+                <div class="input-group input-group-sm mb-2">
+                    <input type="text" class="form-control" id="addUserToken" placeholder="Paste user token here">
+                    <button class="btn btn-primary" id="addUserBtn"><i class="fas fa-plus"></i> Add</button>
+                </div>
+                <small class="text-secondary">Get the user token from the user's Jakach Auth profile or ask them to log in once.</small>
+            </div>
+        </div>
+    </div>
+</div>
+
 <!-- ==================== CONFIRM MODAL ==================== -->
 <div class="modal fade" id="confirmModal" tabindex="-1">
     <div class="modal-dialog modal-sm modal-dialog-centered">