diff --git a/api/Program.cs b/api/Program.cs index efa938c..a05ead5 100644 --- a/api/Program.cs +++ b/api/Program.cs @@ -1,16 +1,41 @@ using Microsoft.AspNetCore.HttpOverrides; using Microsoft.EntityFrameworkCore; +using Microsoft.AspNetCore.Authentication.JwtBearer; +using Microsoft.IdentityModel.Tokens; +using System.Text; using agologumApi.Services; var builder = WebApplication.CreateBuilder(args); +var key = builder.Configuration["Jwt:Key"]; +if(key == null) return; + builder.Services.AddDbContext(options => options.UseNpgsql(builder.Configuration.GetConnectionString("DefaultConnection"))); builder.Services.AddControllers(); + +// services builder.Services.AddScoped(); +builder.Services.AddScoped(); + +// configuration for jwt authentication +builder.Services.AddAuthentication(options => { + options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme; + options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme; +}).AddJwtBearer(options => { + options.TokenValidationParameters = new TokenValidationParameters { + ValidateIssuer = false, + ValidateAudience = false, + ValidateLifetime = true, + ValidateIssuerSigningKey = true, + IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(key)) + }; +}); + +builder.Services.AddAuthorization(); // configuration for behind my nginx proxy builder.Services.Configure(options => @@ -41,10 +66,17 @@ builder.Services.AddCors(options => builder.Services.AddEndpointsApiExplorer(); builder.Services.AddSwaggerGen(); +// https://www.reddit.com/r/dotnet/comments/1h7vzbs/how_do_you_guys_handle_authorization_on_a_web_api/ +// add authorization here +// controllers will have endpoints based on authorization +// frontend is a different story + var app = builder.Build(); app.UseForwardedHeaders(); app.UseCors("dev"); +app.UseAuthentication(); +app.UseAuthorization(); // Configure the HTTP request pipeline. if (app.Environment.IsEnvironment("Development")) { 
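Review bot: The token validation parameters disable issuer and audience checks (`ValidateIssuer = false`, `ValidateAudience = false`), so any token signed with `Jwt:Key` is accepted regardless of who issued it or which service it was minted for; set `ValidIssuer`/`ValidAudience` from configuration and enable both checks. `if(key == null) return;` also makes a missing key exit the host silently before anything is logged, where throwing `InvalidOperationException` would fail startup visibly, and an empty value passes the check and reaches `Encoding.UTF8.GetBytes`, so test with `string.IsNullOrWhiteSpace`. Because the key is read from `builder.Configuration`, it should be supplied through user secrets or the environment rather than a committed appsettings file. The rewritten lines follow; the hunk starts at the top of Program.cs and ends at `Configure(options =>`.
```csharp
var key = builder.Configuration["Jwt:Key"];
if (string.IsNullOrWhiteSpace(key))
    throw new InvalidOperationException("Jwt:Key is not configured");
// … unchanged: DbContext, controllers, service registrations, default schemes …
}).AddJwtBearer(options => {
    options.TokenValidationParameters = new TokenValidationParameters {
        ValidateIssuer = true,
        ValidIssuer = builder.Configuration["Jwt:Issuer"],     // constructed key name — match appsettings
        ValidateAudience = true,
        ValidAudience = builder.Configuration["Jwt:Audience"], // constructed key name — match appsettings
        // … unchanged: ValidateLifetime, ValidateIssuerSigningKey, IssuerSigningKey …
    };
});
```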
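Review bot: The four-line comment block starting `// https://www.reddit.com/...` above `var app = builder.Build();` reads as a working note rather than documentation: it links to a forum thread and says "add authorization here", which this same commit already does with `builder.Services.AddAuthorization()` and `app.UseAuthorization()`. Replace it with a one-line statement of the decision, e.g. `// Authorization is enforced per endpoint via [Authorize]/[AllowAnonymous] on the controllers.`, or drop it. The order `UseCors` → `UseAuthentication` → `UseAuthorization` looks right for this pipeline; the endpoint mapping it must precede is outside the hunk.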
diff --git a/api/agologum-api.csproj b/api/agologum-api.csproj index 77eaeef..82bd216 100644 --- a/api/agologum-api.csproj +++ b/api/agologum-api.csproj @@ -8,6 +8,8 @@ + + diff --git a/api/src/Controllers/UsersController.cs b/api/src/Controllers/UsersController.cs index 4178d19..7962381 100644 --- a/api/src/Controllers/UsersController.cs +++ b/api/src/Controllers/UsersController.cs @@ -1,28 +1,30 @@ using Microsoft.AspNetCore.Mvc; +using Microsoft.AspNetCore.Authorization; + using agologumApi.Models; using agologumApi.Services; [ApiController] [Route("api/[controller]")] -public class UsersController : ControllerBase -{ +public class UsersController : ControllerBase { + private readonly UserService service_; - public UsersController(UserService service) - { + public UsersController(UserService service) { service_ = service; } + [AllowAnonymous] // accessible if not authorized [HttpGet] - public async Task>> getUsers() - { + public async Task>> getUsers() { return Ok(await service_.GetAll()); } + [AllowAnonymous] [HttpGet("{id:int}")] - public async Task> getUser(int id) - { + public async Task> getUser(int id) { + var user = await service_.Get(id); if (user == null) return NotFound(); @@ -30,9 +32,10 @@ public class UsersController : ControllerBase return Ok(user); } + [Authorize] // testing the authorization [HttpPost] - public async Task> createUser(User user) - { + public async Task> createUser(User user) { + var created = await service_.Create(user); return CreatedAtAction( @@ -42,9 +45,10 @@ public class UsersController : ControllerBase ); } + [Authorize] [HttpPut("{id}")] - public async Task> updateUser(int id, User user) - { + public async Task> updateUser(int id, User user) { + var updated = await service_.Update(user); if (updated == null) return NotFound(); 
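Review bot: `getUsers` and `getUser` are now `[AllowAnonymous]` and still return the `User` entity straight from `service_` via `Ok(...)`, while the same commit adds `PasswordHash` to `User` (the User.cs hunk), so the stored hash is serialized to unauthenticated callers on both GET endpoints. Return a response DTO without the hash, or at minimum mark the property in User.cs so it never leaves the API: `[System.Text.Json.Serialization.JsonIgnore] public string PasswordHash { get; set; } = "";` (assuming the default System.Text.Json serializer). The `UsersController` class body continues past the end of this hunk.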
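Review bot: `createUser(User user)` binds the entity directly from the request body and hands it to `service_.Create(user)`, so with `PasswordHash` now a public settable property on `User` a client can supply its own hash value (over-posting); `updateUser` in the next hunk has the same shape. Accept a request DTO (name, email, plaintext password) and let the service compute the hash, so the stored value is never client-controlled. The `// testing the authorization` comment after `[Authorize]` is scaffolding and should go before merge.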
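Review bot: `[Authorize]` on `updateUser` only requires a valid token; nothing ties the route `id` or `user.Id` to the caller's identity, so any authenticated user can modify any other user, and `deleteUser` in the following hunk has the same gap. Compare the target id with the caller's id from the token (whichever claim the issuer puts it in, e.g. `User.FindFirstValue(ClaimTypes.NameIdentifier)`) or apply a policy, and return `Forbid()` on mismatch: `if (id != callerId) return Forbid();`. Separately, `id` is never checked against `user.Id` before `service_.Update(user)`, though that predates this commit.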
@@ -52,9 +56,10 @@ public class UsersController : ControllerBase return Ok(updated); } + [Authorize] [HttpDelete("{id}")] - public async Task deleteUser(int id) - { + public async Task deleteUser(int id) { + var success = await service_.Delete(id); if (!success) return NotFound(); diff --git a/api/src/Models/User.cs b/api/src/Models/User.cs index b42e2d8..17d0363 100644 --- a/api/src/Models/User.cs +++ b/api/src/Models/User.cs @@ -6,5 +6,6 @@ public class User { public int Id { get; set; } public string Name { get; set; } = ""; public string Email { get; set; } = ""; + public string PasswordHash { get; set; } = ""; }; diff --git a/api/src/Services/UserService.cs b/api/src/Services/UserService.cs index 0b085ec..1f9f247 100644 --- a/api/src/Services/UserService.cs +++ b/api/src/Services/UserService.cs @@ -21,6 +21,10 @@ public class UserService { return await db_.Users.FindAsync(id); } + public async Task Get(string username) { + return await db_.Users.FirstOrDefaultAsync(u => u.Name == username); + } + public async Task Create(User user) { db_.Users.Add(user); await db_.SaveChangesAsync();
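Review bot: `Get(string username)` has no documentation and its null-returning contract is only implied by `FirstOrDefaultAsync`; as an overload of the existing `Get(int id)` the two are easy to confuse at call sites. Rename it `GetByName` or add `/// <summary>Looks up a user by exact <c>Name</c>; returns null when none matches.</summary>`. The comparison `u.Name == username` is translated by EF Core, so its case sensitivity is decided by the database collation rather than this code, and if `Name` is not unique in the schema (not visible here) `FirstOrDefaultAsync` returns an arbitrary match — both matter if this lookup backs login and are worth stating in the summary. The `UserService` class body continues outside the hunk.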