diff --git a/src/main/java/org/openpodcastapi/opa/advice/GlobalModelAttributeAdvice.java b/src/main/java/org/openpodcastapi/opa/advice/GlobalModelAttributeAdvice.java
new file mode 100644
index 0000000..bc8b8ec
--- /dev/null
+++ b/src/main/java/org/openpodcastapi/opa/advice/GlobalModelAttributeAdvice.java
@@ -0,0 +1,29 @@
+package org.openpodcastapi.opa.advice;
+
+import lombok.extern.log4j.Log4j2;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.ui.Model;
+import org.springframework.web.bind.annotation.ControllerAdvice;
+import org.springframework.web.bind.annotation.ModelAttribute;
+
+import java.security.Principal;
+
+@Log4j2
+@ControllerAdvice
+public class GlobalModelAttributeAdvice {
+
+    @ModelAttribute
+    public void addAuthenticationFlag(Model model) {
+        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+        boolean isAuthenticated = authentication != null && authentication.isAuthenticated()
+                && !"anonymousUser".equals(authentication.getPrincipal());
+        model.addAttribute("isAuthenticated", isAuthenticated);
+    }
+
+    @ModelAttribute
+    public void addUserDetails(Principal principal, Model model) {
+        String username = principal != null ? principal.getName() : "Guest";
+        model.addAttribute("username", username);
+    }
+}
\ No newline at end of file
diff --git a/src/main/java/org/openpodcastapi/opa/config/SecurityConfig.java b/src/main/java/org/openpodcastapi/opa/config/SecurityConfig.java
index f13485e..e4363f1 100644
--- a/src/main/java/org/openpodcastapi/opa/config/SecurityConfig.java
+++ b/src/main/java/org/openpodcastapi/opa/config/SecurityConfig.java
@@ -6,7 +6,6 @@
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.web.SecurityFilterChain;
 
@@ -19,13 +18,22 @@ public class SecurityConfig {
     public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
         http
                 .authorizeHttpRequests(auth -> auth
-                        .requestMatchers("/docs").permitAll()
+                        .requestMatchers("/", "/login", "/logout-confirm", "/register", "/docs", "/css/**", "/js/**", "/images/**", "/favicon.ico").permitAll()
                         .requestMatchers("/admin/**").hasRole("ADMIN")
-                        .requestMatchers("/api/v1/users/**").permitAll()
                         .anyRequest().authenticated())
-                .csrf(AbstractHttpConfigurer::disable)
-                .formLogin(Customizer.withDefaults())
-                .logout(Customizer.withDefaults());
+                .formLogin(login -> login
+                        .loginPage("/login")
+                        .defaultSuccessUrl("/home", true)
+                        .failureUrl("/login?error=true")
+                )
+                .logout(logout -> logout
+                        .logoutUrl("/logout")
+                        .logoutSuccessUrl("/")
+                        .invalidateHttpSession(true)
+                        .clearAuthentication(true)
+                        .deleteCookies("JSESSIONID")
+                )
+                .csrf(Customizer.withDefaults());
         return http.build();
     }
 
diff --git a/src/main/java/org/openpodcastapi/opa/config/TemplateConfig.java b/src/main/java/org/openpodcastapi/opa/config/TemplateConfig.java
index 1a5a6ba..6e442e4 100644
--- a/src/main/java/org/openpodcastapi/opa/config/TemplateConfig.java
+++ b/src/main/java/org/openpodcastapi/opa/config/TemplateConfig.java
@@ -2,7 +2,9 @@
 
 import nz.net.ultraq.thymeleaf.layoutdialect.LayoutDialect;
 import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
 
+@Configuration
 public class TemplateConfig {
     @Bean
     public LayoutDialect layoutDialect() {
diff --git a/src/main/java/org/openpodcastapi/opa/config/WebConfig.java b/src/main/java/org/openpodcastapi/opa/config/WebConfig.java
index 227128b..e98c3f3 100644
--- a/src/main/java/org/openpodcastapi/opa/config/WebConfig.java
+++ b/src/main/java/org/openpodcastapi/opa/config/WebConfig.java
@@ -1,8 +1,10 @@
 package org.openpodcastapi.opa.config;
 
+import org.springframework.context.annotation.Configuration;
 import org.springframework.web.servlet.config.annotation.ResourceHandlerRegistry;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
 
+@Configuration
 public class WebConfig implements WebMvcConfigurer {
     @Override
     public void addResourceHandlers(ResourceHandlerRegistry registry) {
diff --git a/src/main/java/org/openpodcastapi/opa/ui/controller/AuthController.java b/src/main/java/org/openpodcastapi/opa/ui/controller/AuthController.java
new file mode 100644
index 0000000..90cde9a
--- /dev/null
+++ b/src/main/java/org/openpodcastapi/opa/ui/controller/AuthController.java
@@ -0,0 +1,70 @@
+package org.openpodcastapi.opa.ui.controller;
+
+import jakarta.validation.Valid;
+import lombok.RequiredArgsConstructor;
+import lombok.extern.log4j.Log4j2;
+import org.openpodcastapi.opa.user.dto.CreateUserDto;
+import org.openpodcastapi.opa.user.service.UserService;
+import org.springframework.dao.DataIntegrityViolationException;
+import org.springframework.stereotype.Controller;
+import org.springframework.ui.Model;
+import org.springframework.validation.BindingResult;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.ModelAttribute;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestParam;
+
+@Controller
+@Log4j2
+@RequiredArgsConstructor
+public class AuthController {
+    private static final String USER_REQUEST_ATTRIBUTE = "createUserRequest";
+    private static final String REGISTER_TEMPLATE = "auth/register";
+    private final UserService userService;
+
+    // === Login page ===
+    @GetMapping("/login")
+    public String loginPage(@RequestParam(value = "error", required = false) String error,
+                            Model model) {
+        if (error != null) {
+            model.addAttribute("loginError", true);
+        }
+        return "auth/login";
+    }
+
+    // === Logout confirmation page ===
+    @GetMapping("/logout-confirm")
+    public String logoutPage() {
+        return "auth/logout";
+    }
+
+    // === Registration page ===
+    @GetMapping("/register")
+    public String getRegister(Model model) {
+        model.addAttribute(USER_REQUEST_ATTRIBUTE, new CreateUserDto("", "", ""));
+        return REGISTER_TEMPLATE;
+    }
+
+    // === Registration POST handler ===
+    @PostMapping("/register")
+    public String processRegistration(
+            @Valid @ModelAttribute CreateUserDto createUserRequest,
+            BindingResult result,
+            Model model
+    ) {
+        if (result.hasErrors()) {
+            model.addAttribute(USER_REQUEST_ATTRIBUTE, createUserRequest);
+            return REGISTER_TEMPLATE;
+        }
+
+        try {
+            userService.createAndPersistUser(createUserRequest);
+        } catch (DataIntegrityViolationException _) {
+            result.rejectValue("username", "", "Username or email already exists");
+            model.addAttribute(USER_REQUEST_ATTRIBUTE, createUserRequest);
+            return REGISTER_TEMPLATE;
+        }
+
+        return "redirect:/login?registered";
+    }
+}
diff --git a/src/main/java/org/openpodcastapi/opa/ui/controller/HomeController.java b/src/main/java/org/openpodcastapi/opa/ui/controller/HomeController.java
new file mode 100644
index 0000000..23c9f94
--- /dev/null
+++ b/src/main/java/org/openpodcastapi/opa/ui/controller/HomeController.java
@@ -0,0 +1,26 @@
+package org.openpodcastapi.opa.ui.controller;
+
+import lombok.RequiredArgsConstructor;
+import lombok.extern.log4j.Log4j2;
+import org.springframework.security.core.Authentication;
+import org.springframework.stereotype.Controller;
+import org.springframework.web.bind.annotation.GetMapping;
+
+@Controller
+@RequiredArgsConstructor
+@Log4j2
+public class HomeController {
+
+    @GetMapping("/")
+    public String getLandingPage() {
+        return "landing";
+    }
+
+    @GetMapping("/home")
+    public String getHomePage(Authentication auth) {
+        if (auth != null && !auth.isAuthenticated()) {
+            return "redirect:/login";
+        }
+        return "home";
+    }
+}
diff --git a/src/main/resources/templates/auth/login.html b/src/main/resources/templates/auth/login.html
new file mode 100644
index 0000000..398474d
--- /dev/null
+++ b/src/main/resources/templates/auth/login.html
@@ -0,0 +1,42 @@
+<!-- auth/login.html -->
+<!DOCTYPE html>
+<html lang="en" xmlns:th="http://www.thymeleaf.org"
+      xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout"
+      layout:decorate="~{layouts/main}">
+<head>
+    <title layout:fragment="title">Log in - Open Podcast API</title>
+</head>
+<body>
+<div layout:fragment="content" th:remove>
+    <h1 class="title">Log in</h1>
+    <div>
+        <div th:if="${loginError}" class="has-text-danger">
+            Invalid username or password.
+        </div>
+
+        <form th:action="@{/login}" method="post">
+            <div class="field">
+                <label for="username" class="label">Username</label>
+                <div class="control">
+                    <input autocomplete="username" id="username" name="username" class="input" type="text"
+                           placeholder="Username">
+                </div>
+            </div>
+            <div class="field">
+                <label for="password" class="label">Password</label>
+                <div class="control">
+                    <input autocomplete="current-password" id="password" name="password" class="input" type="password"
+                           placeholder="Password">
+                </div>
+            </div>
+            <input type="hidden" th:name="${_csrf.parameterName}" th:value="${_csrf.token}"/>
+            <div class="field">
+                <div class="control">
+                    <button type="submit" name="submit" class="button is-success">Log in</button>
+                </div>
+            </div>
+        </form>
+    </div>
+</div>
+</body>
+</html>
diff --git a/src/main/resources/templates/auth/logout.html b/src/main/resources/templates/auth/logout.html
new file mode 100644
index 0000000..fd95ef3
--- /dev/null
+++ b/src/main/resources/templates/auth/logout.html
@@ -0,0 +1,22 @@
+<!-- auth/logout.html -->
+<!DOCTYPE html>
+<html lang="en" xmlns:th="http://www.thymeleaf.org"
+      xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout"
+      layout:decorate="~{layouts/main}">
+<head>
+    <title layout:fragment="title">Log out - Open Podcast API</title>
+</head>
+<body>
+
+<div layout:fragment="content" th:remove>
+    <h1>Are you sure you want to log out?</h1>
+    <div>
+        <form th:action="@{/logout}" method="post">
+            <input type="hidden" th:name="${_csrf.parameterName}" th:value="${_csrf.token}"/>
+            <button type="submit" class="button is-danger">Log out</button>
+        </form>
+    </div>
+</div>
+
+</body>
+</html>
diff --git a/src/main/resources/templates/auth/register.html b/src/main/resources/templates/auth/register.html
new file mode 100644
index 0000000..ab60472
--- /dev/null
+++ b/src/main/resources/templates/auth/register.html
@@ -0,0 +1,51 @@
+<!-- auth/register.html -->
+<!DOCTYPE html>
+<html lang="en" xmlns:th="http://www.thymeleaf.org"
+      xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout"
+      layout:decorate="~{layouts/main}">
+<head>
+    <title layout:fragment="title">Sign up - Open Podcast API</title>
+</head>
+<body>
+<div layout:fragment="content" th:remove>
+    <h1>Sign up</h1>
+    <form
+            th:object="${createUserRequest}"
+            th:action="@{/register}"
+            method="post">
+        <div class="field">
+            <label for="username" class="label">Username</label>
+            <div class="control">
+                <input id="username" autocomplete="username" name="username" th:field="*{username}" class="input"
+                       type="text"
+                       placeholder="Username">
+                <div th:if="${#fields.hasErrors('username')}" th:errors="*{username}"></div>
+            </div>
+        </div>
+        <div class="field">
+            <label for="email" class="label">Email</label>
+            <div class="control">
+                <input id="email" autocomplete="email" name="email" th:field="*{email}" class="input" type="email"
+                       placeholder="address@example.com">
+                <div th:if="${#fields.hasErrors('email')}" th:errors="*{email}"></div>
+            </div>
+        </div>
+        <div class="field">
+            <label for="password" class="label">Password</label>
+            <div class="control">
+                <input id="password" autocomplete="new-password" name="password" th:field="*{password}"
+                       class="input" type="password"
+                       placeholder="Password">
+                <div th:if="${#fields.hasErrors('password')}" th:errors="*{password}"></div>
+            </div>
+        </div>
+        <input type="hidden" th:name="${_csrf.parameterName}" th:value="${_csrf.token}"/>
+        <div class="field">
+            <div class="control">
+                <input type="submit" name="submit" class="button is-success" value="Submit"/>
+            </div>
+        </div>
+    </form>
+</div>
+</body>
+</html>
diff --git a/src/main/resources/templates/home.html b/src/main/resources/templates/home.html
new file mode 100644
index 0000000..52423f4
--- /dev/null
+++ b/src/main/resources/templates/home.html
@@ -0,0 +1,19 @@
+<!-- home.html -->
+<!--/*@thymesVar id="username" type="String"*/-->
+<!DOCTYPE html>
+<html lang="en" xmlns:th="http://www.thymeleaf.org"
+      xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout"
+      layout:decorate="~{layouts/main}">
+<head>
+    <title layout:fragment="title">Home - Open Podcast API</title>
+</head>
+<body>
+
+<div layout:fragment="content" th:remove>
+    <article class="content">
+        <h1>Welcome, <span th:text="${username}"></span>!</h1>
+    </article>
+</div>
+
+</body>
+</html>
diff --git a/src/main/resources/templates/landing.html b/src/main/resources/templates/landing.html
new file mode 100644
index 0000000..6773192
--- /dev/null
+++ b/src/main/resources/templates/landing.html
@@ -0,0 +1,47 @@
+<!-- home.html -->
+<!--/*@thymesVar id="username" type="String"*/-->
+<!DOCTYPE html>
+<html lang="en"
+      xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout"
+      layout:decorate="~{layouts/main}">
+<head>
+    <title layout:fragment="title">Open Podcast API</title>
+</head>
+<body>
+
+<div layout:fragment="content">
+    <h1>Welcome to the Open Podcast API reference server</h1>
+    <p>The Open Podcast API is an initiative aiming to provide a feature-complete synchronization API specification for
+        podcast (web) apps and user-focused servers.</p>
+    <h2>Our goals</h2>
+    <div class="columns">
+        <div class="column">
+            <div class="card">
+                <div class="card-content">
+                    <h3 class="title is-4">For users</h3>
+                    <ul>
+                        <li>Synchronize subscriptions, listening progress, favorites, queues, and more</li>
+                        <li>Support multiple apps and online services</li>
+                        <li>Enable users to easily switch between providers without losing any information</li>
+                    </ul>
+                </div>
+            </div>
+        </div>
+        <div class="column">
+            <div class="card">
+                <div class="card-content">
+                    <h3 class="title is-4">For developers</h3>
+                    <ul>
+                        <li>Write clear and comprehensive documentation for features and behaviors</li>
+                        <li>Create reliable specifications that are decentralization-ready and easy to implement</li>
+                        <li>Provide a full <a href="https://spec.openapis.org/oas/latest" rel="noreferrer"
+                                              target="blank">OpenAPI specification</a></li>
+                    </ul>
+                </div>
+            </div>
+        </div>
+    </div>
+</div>
+
+</body>
+</html>
diff --git a/src/main/resources/templates/layouts/main.html b/src/main/resources/templates/layouts/main.html
new file mode 100644
index 0000000..5cd9ebc
--- /dev/null
+++ b/src/main/resources/templates/layouts/main.html
@@ -0,0 +1,25 @@
+<!-- layouts/main.html -->
+<!DOCTYPE html>
+<html class="no-js"
+      xmlns:th="http://www.thymeleaf.org"
+      xmlns:layout="http://www.ultraq.net.nz/thymeleaf/layout" lang="en">
+<head>
+    <meta charset="UTF-8"/>
+    <title id="page-title" layout:fragment="title">Open Podcast API</title>
+    <th:block layout:fragment="head-resources"></th:block>
+    <meta name="viewport" content="width=device-width, initial-scale=1"/>
+    <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bulma@1.0.4/css/bulma.min.css">
+    <script src="https://cdn.jsdelivr.net/npm/htmx.org@4.0.0-alpha1/dist/htmx.min.js"></script>
+</head>
+<body>
+<div id="app" class="columns section" style="min-height: 100vh;">
+    <!-- Sidebar (hidden on mobile) -->
+    <aside th:replace="~{layouts/sidebar :: sidebar}"></aside>
+
+    <!-- Main content -->
+    <main class="container content" id="main-content">
+        <div layout:fragment="content"></div>
+    </main>
+</div>
+</body>
+</html>
diff --git a/src/main/resources/templates/layouts/sidebar.html b/src/main/resources/templates/layouts/sidebar.html
new file mode 100644
index 0000000..10a5de6
--- /dev/null
+++ b/src/main/resources/templates/layouts/sidebar.html
@@ -0,0 +1,10 @@
+<!-- layouts/sidebar.html -->
+<!--/*@thymesVar id="isAuthenticated" type="boolean"*/-->
+<aside th:fragment="sidebar" lang="en" class="column is-one-quarter-tablet is-one-fifth-desktop is-hidden-mobile menu">
+    <p class="menu-label">Account</p>
+    <ul class="menu-list" xmlns:th="http://www.thymeleaf.org" hx-boost="true">
+        <li th:if="${!isAuthenticated}"><a th:href="@{/login}">Log in</a></li>
+        <li th:if="${!isAuthenticated}"><a th:href="@{/register}">Sign up</a></li>
+        <li th:if="${isAuthenticated}"><a th:href="@{/logout-confirm}">Log out</a></li>
+    </ul>
+</aside>