diff --git a/Backend/users.php b/Backend/users.php
new file mode 100644
index 0000000..43862ec
--- /dev/null
+++ b/Backend/users.php
@@ -0,0 +1,26 @@
+<?php
+require "db.php";
+$a = $_GET['action'] ?? '';
+$b = body();
+
+if ($a==="register") {
+  $u = trim($b["username"]??"");
+  $p = trim($b["password"]??"");
+  if ($u==""||$p=="") out(false,"username/password required",[],400);
+  $st=db()->prepare("SELECT 1 FROM users WHERE username=?");
+  $st->execute([$u]);
+  if ($st->fetch()) out(false,"exists",[],409);
+  $hash=password_hash($p,PASSWORD_DEFAULT);
+  db()->prepare("INSERT INTO users(username,pass_hash) VALUES(?,?)")->execute([$u,$hash]);
+  out(true,"registered",["user_id"=>db()->lastInsertId()]);
+}
+if ($a==="login") {
+  $u = trim($b["username"]??"");
+  $p = trim($b["password"]??"");
+  $st=db()->prepare("SELECT * FROM users WHERE username=?");
+  $st->execute([$u]);
+  $r=$st->fetch();
+  if(!$r || !password_verify($p,$r["pass_hash"])) out(false,"invalid",[],401);
+  out(true,"ok",["user_id"=>$r["user_id"],"username"=>$u]);
+}
+out(false,"unknown action",[],404);