diff --git a/README.md b/README.md
index 037b9e2..7f35604 100644
--- a/README.md
+++ b/README.md
@@ -1,15 +1,17 @@
 # Tabby
 
-A no-auth expense splitting PWA. Create a group via shareable link, add expenses with flexible splits, and get a simplified breakdown of who owes who — minimizing total settlement transactions.
+An expense splitting PWA with Google OAuth. Sign in, create groups, invite friends via shareable links, add expenses with flexible splits, and get a simplified breakdown of who owes who — minimizing total settlement transactions.
 
 Built as a portfolio project demonstrating full-stack TypeScript, AWS cloud-native deployment, and thoughtful API/data modeling.
 
 ## What it does
 
-1. Alice creates a group ("Ski Trip 2026") and gets a shareable link
-2. Friends open the link, enter their name, and join — no signup required
-3. Anyone adds expenses with equal, exact, or percentage-based splits
-4. The app computes a simplified settlement plan: the minimum number of transactions to zero out all balances
+1. Alice signs in with her Google account
+2. She creates a group ("Ski Trip 2026") and gets a shareable invite link
+3. Friends sign in, open the link, and join the group
+4. Anyone adds expenses with equal, exact, or percentage-based splits
+5. The app computes a simplified settlement plan: the minimum number of transactions to zero out all balances
+6. Each user sees all their groups on the home page
 
 ## Tech Stack
 
@@ -18,6 +20,7 @@ Built as a portfolio project demonstrating full-stack TypeScript, AWS cloud-nati
 | Frontend | React 18 + TypeScript + Tailwind CSS + TanStack Query (PWA) |
 | Backend | Fastify 5 + TypeScript |
 | Database | PostgreSQL via Neon (serverless) + Drizzle ORM |
+| Auth | Google OAuth 2.0 (authorization code flow) |
 | Hosting | AWS Lambda + API Gateway (backend) + Cloudflare Pages (frontend) |
 | IaC | Terraform + Terraform Cloud |
 | CI/CD | GitHub Actions |
@@ -25,13 +28,14 @@ Built as a portfolio project demonstrating full-stack TypeScript, AWS cloud-nati
 
 ## Key Design Decisions
 
-- **No auth** — identity is a name + httpOnly session cookie per group. No accounts, no friction.
+- **Google OAuth** — persistent identity across devices. Users sign in with Google, sessions stored in the database with hashed tokens in httpOnly cookies. Supports multi-group membership from a single account.
+- **Dual-path session resolution** — backward-compatible with pre-auth anonymous sessions. New sessions resolve through the `sessions` table; legacy anonymous sessions fall back to `members.sessionToken`.
 - **Debt simplification** — a greedy algorithm computes net balances and pairs max creditors against max debtors to minimize settlement transactions (O(n log n), optimal for small groups).
 - **Integer cents** — all arithmetic is done in integer cents internally; stored as `DECIMAL(10,2)` in Postgres. Never `FLOAT`.
 - **On-the-fly balance computation** — balances are recomputed from raw `ExpenseSplit` records on each request. No cache to go stale.
 - **Neon HTTP driver** — Drizzle connects to Neon via `@neondatabase/serverless`. Stateless per Lambda invocation — no connection pool config, no VPC required.
 - **TanStack Query** — declarative server-state management on the frontend. Handles caching, background polling (12s interval), and online/offline coordination via `onlineManager`.
-- **SSM Parameter Store** — secrets fetched at Lambda cold start, never in environment variables or source code.
+- **SSM Parameter Store** — secrets (including Google OAuth credentials) fetched at Lambda cold start, never in environment variables or source code.
 - **Activity-based expiry** — groups expire 90 days after the last expense. Expired groups reject all write operations with `410 Gone`; read endpoints (balances, expenses) continue to work. Ghost members (those who left) remain in balance calculations to keep the ledger accurate.
 - **Rate limiting** — global 100 requests/minute per IP; tighter limits on sensitive endpoints: 30 expense submissions/hour per member, 10 group joins/minute per IP.
 
@@ -39,27 +43,30 @@ Built as a portfolio project demonstrating full-stack TypeScript, AWS cloud-nati
 
 ```
 Browser (React PWA)
-    │  serves via
+    |  serves via
 Cloudflare Pages
-    │
-    └─ /api/v1/*  → API Gateway (HTTP API)
-                         │
+    |
+    +- /api/v1/*  -> API Gateway (HTTP API)
+                         |
                     Lambda (Fastify)
-                         │
+                         |
                   Neon PostgreSQL (Drizzle, HTTP driver)
+                         |
+                  Google OAuth (token exchange)
 ```
 
 ## Monorepo Structure
 
 ```
 split-expenses/
-├── packages/
-│   ├── api/          Fastify backend (Lambda-compatible)
-│   ├── web/          React PWA (Vite + Tailwind)
-│   └── shared/       Shared TypeScript types
-├── infra/            Terraform (AWS infrastructure)
-├── .github/
-│   └── workflows/    GitHub Actions CI/CD
++-- packages/
+|   +-- api/          Fastify backend (Lambda-compatible)
+|   +-- web/          React PWA (Vite + Tailwind)
+|   +-- shared/       Shared TypeScript types
++-- infra/            Terraform (AWS infrastructure)
++-- .github/
+|   +-- workflows/    GitHub Actions CI/CD
++-- docs/             Design spec, TODO, future features
 ```
 
 ## Local Development
@@ -68,6 +75,7 @@ split-expenses/
 
 - Node.js 22+
 - A [Neon](https://neon.tech) account with two databases: `tabby_prod` (production) and `tabby_test` (dev/test)
+- A [Google Cloud](https://console.cloud.google.com) project with OAuth 2.0 credentials
 
 ### First-Time Setup
 
@@ -78,10 +86,17 @@ npm install
 # Build shared types
 npm run build --workspace=packages/shared
 
-# Copy env files and fill in your Neon connection strings
+# Copy env files and fill in your values
 cp packages/api/.env.example packages/api/.env
 cp packages/web/.env.example packages/web/.env
 
+# Required env vars in packages/api/.env:
+#   DATABASE_URL         - Neon connection string
+#   COOKIE_SECRET        - random string (openssl rand -base64 32)
+#   GOOGLE_CLIENT_ID     - from Google Cloud Console
+#   GOOGLE_CLIENT_SECRET - from Google Cloud Console
+#   GOOGLE_REDIRECT_URI  - http://localhost:3000/api/v1/auth/google/callback
+
 # Push schema to your Neon dev database
 cd packages/api && npx drizzle-kit push
 ```
@@ -117,17 +132,23 @@ All routes prefixed `/api/v1`. OpenAPI docs at `/docs` when running locally.
 
 | Method | Path | Auth | Description |
 |--------|------|------|-------------|
-| `POST` | `/groups` | None | Create group + owner session |
+| `GET` | `/auth/google` | None | Redirect to Google OAuth |
+| `GET` | `/auth/google/callback` | None | OAuth callback |
+| `GET` | `/auth/me` | Session | Current user |
+| `POST` | `/auth/logout` | Session | End session |
+| `GET` | `/me/groups` | Session | List user's groups |
+| `POST` | `/groups` | Session | Create group |
 | `GET` | `/groups/invite/:inviteCode` | None | Group metadata for join preview |
-| `POST` | `/groups/invite/:inviteCode/join` | None | Join group, receive session |
+| `POST` | `/groups/invite/:inviteCode/join` | Session | Join group |
 | `GET` | `/groups/:id` | Session | Fetch group by stable ID |
+| `GET` | `/groups/:id/me` | Session | Current user's member record |
 | `GET` | `/groups/:id/members` | Session | List active members |
 | `DELETE` | `/groups/:id/members/:memberId` | Admin+ | Remove member |
 | `POST` | `/groups/:id/expenses` | Session | Add expense with splits |
 | `GET` | `/groups/:id/expenses` | Session | List all expenses |
 | `PATCH` | `/groups/:id/expenses/:expenseId` | Session | Edit expense |
 | `DELETE` | `/groups/:id/expenses/:expenseId` | Session | Delete expense |
-| `GET` | `/groups/:id/balances` | Session | Net balances + settlement plan. `Balance.netCents` and `Settlement.amount` are **integer cents** (divide by 100 for dollars). Includes ghost members (those who left) to keep the ledger accurate. |
+| `GET` | `/groups/:id/balances` | Session | Net balances + settlement plan (integer cents) |
 | `PATCH` | `/groups/:id/settings` | Owner | Update name / regenerate invite |
 | `GET` | `/groups/:id/activity` | Session | Activity log (most recent 50 entries) |
 
@@ -145,18 +166,18 @@ All routes prefixed `/api/v1`. OpenAPI docs at `/docs` when running locally.
 
 | Action | Member | Admin | Owner |
 |--------|--------|-------|-------|
-| Add expenses | ✅ | ✅ | ✅ |
-| Edit/delete own expense | ✅ | ✅ | ✅ |
-| Edit/delete any expense | ❌ | ✅ | ✅ |
-| Remove members | ❌ | ✅ | ✅ |
-| Manage group settings | ❌ | ❌ | ✅ |
+| Add expenses | yes | yes | yes |
+| Edit/delete own expense | yes | yes | yes |
+| Edit/delete any expense | no | yes | yes |
+| Remove members | no | yes | yes |
+| Manage group settings | no | no | yes |
 
-**Ownership recovery:** If the owner's session is lost, ownership transfers lazily to an admin (or oldest active member) on the next owner-level action.
+**Ownership recovery:** With Google OAuth, ownership is tied to the user account rather than a browser session. If ownership needs to transfer, it happens lazily to an admin (or oldest active member) on the next owner-level action.
 
 ## AWS Architecture Notes
 
 - **Lambda cold starts:** Neon HTTP driver (`@neondatabase/serverless`) is stateless — no connection pool config, no VPC required. Each Lambda invocation connects to Neon over HTTPS.
-- **Secrets:** Neon connection string and cookie secret stored in SSM Parameter Store as `SecureString`, fetched once at cold start and cached in memory.
+- **Secrets:** Neon connection string, cookie secret, and Google OAuth credentials stored in SSM Parameter Store as `SecureString`, fetched once at cold start and cached in memory.
 - **CDN strategy:** Cloudflare Pages handles CDN, HTTPS, and SPA routing automatically — no cache invalidation step needed.
 
 ## CI/CD Pipeline
@@ -164,7 +185,7 @@ All routes prefixed `/api/v1`. OpenAPI docs at `/docs` when running locally.
 | Trigger | Jobs |
 |---------|------|
 | PR | Lint, TypeScript, Unit tests, Integration tests, Build check (parallel) |
-| `v*` tag | Full test suite → Terraform plan + apply (manual approval gate) → Lambda deploy → Cloudflare Pages deploy |
+| `v*` tag | Full test suite -> Terraform plan + apply (manual approval gate) -> Lambda deploy -> Cloudflare Pages deploy |
 
 ## License
 
diff --git a/docs/FUTURE.md b/docs/FUTURE.md
new file mode 100644
index 0000000..baa4ecf
--- /dev/null
+++ b/docs/FUTURE.md
@@ -0,0 +1,40 @@
+# Tabby — Future Features
+
+---
+
+### v2 Features
+
+- [ ] **Admin role management** — no endpoint or UI to promote members to admin or demote admins; needs a new API route (`PATCH /groups/:id/members/:memberId/role`) and SettingsPage UI (owner capability per design spec)
+- [ ] **Push notifications** for new expenses (service worker integration, Notification API)
+- [ ] **WebSocket real-time updates** (API Gateway WebSocket APIs, connection management)
+- [ ] **Offline expense queue** (IndexedDB, sync on reconnect)
+- [ ] **Expense categories with spending breakdowns** (data viz, charting)
+- [ ] **Settle-up flow with Venmo/Zelle deep links** (mobile deep linking)
+- [ ] **Export ledger to CSV**
+- [ ] **Scheduled data cleanup** — soft-delete expired group data 30 days after expiration via EventBridge + Lambda
+
+---
+
+### Testing
+
+- [ ] **Rate limit test** — 31st expense within an hour should return 429 (currently untested)
+- [ ] **Expense edit test** — add integration test for `PATCH /groups/:id/expenses/:expenseId` (endpoint exists but has no test)
+- [ ] **Group expiration test** — verify that posting to an expired group returns 410 (logic exists, untested)
+- [x] **Permission enforcement tests** — member cannot remove another member (should 403); member cannot delete someone else's expense (should 403) *(covered in `api.test.ts`)*
+
+---
+
+### Developer Experience
+
+- [ ] **Pre-push typecheck hook** — add `.git/hooks/pre-push` to run `npm run typecheck` before each push
+- [ ] **Mobile QA** — test layout on iPhone Safari and Android Chrome
+- [ ] **PWA install** — verify install prompt on Android Chrome and iOS "Add to Home Screen"
+- [ ] **Load test** — 50-member group, 200 expenses, verify `/balances` responds in <500ms
+- [ ] **SNS alarms** — wire CloudWatch alarms to an SNS topic + email subscription
+
+---
+
+### Infrastructure
+
+- [x] **Terraform state locking** — handled automatically by Terraform Cloud (migrated from S3 backend)
+- [ ] **Lambda provisioned concurrency** — optional; eliminates cold-start latency on the first request after inactivity; set to 1 on the production alias once traffic justifies it
diff --git a/docs/TODO.md b/docs/TODO.md
index a8c5792..80b4fa8 100644
--- a/docs/TODO.md
+++ b/docs/TODO.md
@@ -34,8 +34,19 @@ Go to **Settings → Secrets and variables → Actions** and add:
 - [x] `CLOUDFLARE_ACCOUNT_ID` — from Cloudflare dashboard
 - [x] `TF_API_TOKEN` — from Terraform Cloud → User Settings → Tokens
 - [x] `PROD_CORS_ORIGIN` — Cloudflare Pages URL (e.g. `https://tabby.pages.dev`) or custom domain
+- [x] `GOOGLE_CLIENT_ID` — from Google Cloud Console OAuth credentials
+- [x] `GOOGLE_CLIENT_SECRET` — from Google Cloud Console OAuth credentials
 - [ ] `SENTRY_DSN` — from Sentry.io project settings (optional)
 
+#### Google Cloud OAuth
+
+- [x] Create a Google Cloud project and OAuth consent screen
+- [x] Create OAuth 2.0 client credentials (Web application type)
+- [x] Add authorized redirect URIs:
+  - `http://localhost:3000/api/v1/auth/google/callback` (local dev)
+  - `https://<api-gateway-url>/api/v1/auth/google/callback` (production)
+- [x] Add `GOOGLE_CLIENT_ID`, `GOOGLE_CLIENT_SECRET`, `GOOGLE_REDIRECT_URI` to `packages/api/.env`
+
 #### GitHub Environments
 
 - [x] Create `production` environment with required reviewers to gate the Terraform apply
@@ -53,31 +64,4 @@ Go to **Settings → Secrets and variables → Actions** and add:
 
 ---
 
-### Remaining Code Work
-
-#### v2 Features
-
-- [ ] **Edit expense UI** — backend (`PATCH /groups/:id/expenses/:expenseId`) and `api.updateExpense()` are fully implemented; only the DashboardPage edit button + modal is missing
-- [ ] **Admin role management** — no endpoint or UI to promote members to admin or demote admins; needs a new API route (`PATCH /groups/:id/members/:memberId/role`) and SettingsPage UI (owner capability per design spec)
-- [ ] **`GET /groups/:id/me` endpoint** — would let the API identify the current member directly, removing reliance on `member_hint_${groupId}` localStorage
-- [ ] **Custom confirmation dialogs** — replace browser `confirm()` popups (delete expense, remove member, regenerate link) with styled in-app modals; currently works but looks jarring
-
-#### Testing
-
-- [ ] **Rate limit test** — 31st expense within an hour should return 429 (currently untested)
-- [ ] **Expense edit test** — add integration test for `PATCH /groups/:id/expenses/:expenseId` (endpoint exists but has no test)
-- [ ] **Group expiration test** — verify that posting to an expired group returns 410 (logic exists, untested)
-- [x] **Permission enforcement tests** — member cannot remove another member (should 403); member cannot delete someone else's expense (should 403) *(covered in `api.test.ts`)*
-
-#### Developer Experience
-
-- [ ] **Pre-push typecheck hook** — add `.git/hooks/pre-push` to run `npm run typecheck` before each push
-- [ ] **Mobile QA** — test layout on iPhone Safari and Android Chrome
-- [ ] **PWA install** — verify install prompt on Android Chrome and iOS "Add to Home Screen"
-- [ ] **Load test** — 50-member group, 200 expenses, verify `/balances` responds in <500ms
-- [ ] **SNS alarms** — wire CloudWatch alarms to an SNS topic + email subscription
-
-#### Infrastructure
-
-- [x] **Terraform state locking** — handled automatically by Terraform Cloud (migrated from S3 backend)
-- [ ] **Lambda provisioned concurrency** — optional; eliminates cold-start latency on the first request after inactivity; set to 1 on the production alias once traffic justifies it
+See [FUTURE.md](FUTURE.md) for planned features and remaining code work.
diff --git a/docs/design-spec.md b/docs/design-spec.md
index 43b83cb..c8c2acd 100644
--- a/docs/design-spec.md
+++ b/docs/design-spec.md
@@ -1,6 +1,6 @@
 # Tabby — Technical Design Spec
 
-A no-auth expense splitting PWA. Create a group via shareable link, add expenses with flexible splits, and get a simplified breakdown of who owes who — minimizing total settlement transactions.
+An expense splitting PWA with Google OAuth. Sign in, create groups, invite friends via shareable links, add expenses with flexible splits, and get a simplified breakdown of who owes who — minimizing total settlement transactions.
 
 **Primary goal:** Portfolio project and interview talking point, with potential to ship to real users.
 
@@ -8,24 +8,30 @@ A no-auth expense splitting PWA. Create a group via shareable link, add expenses
 
 ## User Flow
 
-1. Alice opens Tabby and creates a new group ("Ski Trip 2026")
-2. She gets a shareable link (e.g., `tabby.app/g/x7Kp9m`)
-3. Alice shares the link with Bob and Carol
-4. Bob opens the link, enters his name, and is added to the group
-5. Alice adds a $150 dinner expense, split equally three ways
-6. Bob adds a $60 gas expense, split between himself and Carol
-7. Everyone sees a live balance dashboard: net debts and a simplified settlement plan
-8. Carol sees she owes Alice $50 and Bob $30 — two transactions to settle up
+1. Alice signs in to Tabby with her Google account
+2. She creates a new group ("Ski Trip 2026") from her home page
+3. She gets a shareable invite link (e.g., `tabby.app/g/x7Kp9m`)
+4. Alice shares the link with Bob and Carol
+5. Bob signs in with Google, opens the link, enters his display name, and joins the group
+6. Alice adds a $150 dinner expense, split equally three ways
+7. Bob adds a $60 gas expense, split between himself and Carol
+8. Everyone sees a live balance dashboard: net debts and a simplified settlement plan
+9. Carol sees she owes Alice $50 and Bob $30 — two transactions to settle up
+10. Back on the home page, each user sees all their groups in one list
 
 ---
 
 ## Core Features (v1)
 
-- **Group creation** via shareable link, no signup or account required
+- **Google OAuth authentication** — sign in with Google, persistent sessions across devices
+- **Multi-group support** — home page listing all your groups, create and join multiple groups
+- **Group creation** via shareable invite link
 - **Flexible expense splitting:** equal, exact amounts, or percentage-based
+- **Expense editing** — edit previously created expenses (owner or admin)
 - **Real-time balance dashboard** showing net debts per person
 - **Debt simplification algorithm** to minimize settlement transactions
 - **Installable PWA** on mobile and desktop via service workers and web manifest
+- **Branding** — Tabby cat logo, cat silhouette background pattern, "Keep your tabs in check." tagline
 
 ---
 
@@ -74,27 +80,40 @@ Balances are computed **on-the-fly** by querying all `ExpenseSplit` records for
 
 ## Identity & Session Design
 
-**Approach:** Name entry per group + browser-local token
+**Approach:** Google OAuth + dual-path session resolution
 
-When a user opens a group link and enters their name, the server generates a session token stored in the browser as an **httpOnly cookie**. This token "claims" that name within the group.
+Users sign in with their Google account via a standard OAuth 2.0 authorization code flow. On successful authentication, the server creates a `User` record (or updates it if returning) and a `Session` record, then sets an httpOnly cookie containing a random session token.
 
-**Why httpOnly cookie over localStorage:** A cookie is a small piece of data the browser stores and automatically sends with every request to the relevant server — you don't need any JavaScript to manage it, the browser handles it transparently. The `httpOnly` flag on a cookie tells the browser: "don't let JavaScript read or touch this, ever." That matters because of XSS (Cross-Site Scripting) attacks — if a malicious script somehow gets injected into the page, it can read everything in `localStorage` and steal session tokens. An `httpOnly` cookie is completely invisible to JavaScript, so even a successful XSS attack can't extract it. For a no-auth app handling financial data, this is the correct default.
+### OAuth Flow
 
-**Token storage:** The plaintext token is sent to the browser as an httpOnly cookie. Before being written to the database, it is hashed with SHA-256 — the database never stores the raw token. If the database is compromised, the stored hashes cannot be used to forge sessions.
+1. Frontend redirects to `GET /api/v1/auth/google` with an optional `redirect` query param
+2. Server generates a CSRF state token, stores it in a short-lived `oauth_state` cookie alongside the redirect target, and redirects to Google's consent screen
+3. Google redirects back to `GET /api/v1/auth/google/callback` with an authorization code and state
+4. Server validates the CSRF state, exchanges the code for an access token via Google's token endpoint (raw `fetch`, no OAuth library), fetches the user profile, upserts the `users` table, creates a session, sets the session cookie, and redirects to the frontend
+5. Frontend's `AuthProvider` fetches `GET /api/v1/auth/me` on mount to hydrate the current user
 
-**What this gives us:**
-- No signup friction — just enter a name and go
-- Returning users on the same browser are recognized automatically
-- Prevents casual impersonation (someone else can't add expenses as "Alice" without her token)
+### Session Resolution (Dual-Path)
+
+The session middleware resolves requests through two paths for backward compatibility with pre-auth anonymous sessions:
+
+1. **New path (authenticated users):** Cookie → SHA-256 hash → lookup in `sessions` table → join `users` → set `request.user`
+2. **Legacy fallback (anonymous members):** Cookie → SHA-256 hash → lookup in `members.sessionToken` → set `request.member`
 
-**Known limitations:**
-- Switching devices loses your session (no way to reclaim without auth)
-- Clearing browser data loses identity
-- Deliberately sharing your token lets someone impersonate you
+For group-scoped routes, if `request.user` is set, the middleware resolves `request.member` by matching `userId + groupId` in the members table. This allows authenticated users to access groups they belong to without any separate per-group token.
 
-**Why not go further:**
-- Magic links add friction that conflicts with the "instant, no-signup" pitch
-- Full auth (OAuth, email/password) is overkill for a trip expense splitter and changes the product identity entirely
+### Security
+
+**Why httpOnly cookie:** The `httpOnly` flag prevents JavaScript from accessing the cookie, protecting against XSS attacks. Even if a malicious script is injected, it cannot extract the session token.
+
+**Token storage:** The plaintext token is sent to the browser as an httpOnly cookie. Before being written to the database, it is hashed with SHA-256 — the database never stores the raw token. If the database is compromised, the stored hashes cannot be used to forge sessions.
+
+**CSRF protection:** The OAuth flow uses a state parameter stored in a short-lived cookie to prevent CSRF attacks during the authorization code exchange.
+
+**What this gives us:**
+- Persistent identity across devices — sign in on any browser with your Google account
+- Multi-group support — one user account, many groups
+- Strong identity guarantees — Google-verified email, no casual impersonation
+- Backward compatibility — existing anonymous sessions continue working via the legacy fallback path
 
 ---
 
@@ -102,6 +121,8 @@ When a user opens a group link and enters their name, the server generates a ses
 
 ```mermaid
 erDiagram
+    User ||--o{ Session : "has"
+    User ||--o{ Member : "is"
     Group ||--o{ Member : "has"
     Group ||--o{ Expense : "contains"
     Group ||--o{ ActivityLog : "logs"
@@ -109,6 +130,23 @@ erDiagram
     Expense ||--o{ ExpenseSplit : "split into"
     Member ||--o{ ExpenseSplit : "owes"
 
+    User {
+        UUID id PK
+        string email
+        string name
+        string avatar_url
+        string google_id
+        timestamp created_at
+    }
+
+    Session {
+        UUID id PK
+        UUID user_id FK
+        string token_hash
+        timestamp created_at
+        timestamp expires_at
+    }
+
     Group {
         UUID id PK
         string name
@@ -120,6 +158,7 @@ erDiagram
     Member {
         UUID id PK
         UUID group_id FK
+        UUID user_id FK
         string display_name
         enum role
         string session_token
@@ -154,6 +193,21 @@ erDiagram
 ```
 
 ```
+User
+├── id (UUID)
+├── email (unique)
+├── name
+├── avatar_url (nullable — Google profile picture)
+├── google_id (unique — Google OAuth subject ID)
+└── created_at
+
+Session
+├── id (UUID)
+├── user_id (FK → User, cascade delete)
+├── token_hash (unique — SHA-256 of the session token)
+├── created_at
+└── expires_at (30 days from creation)
+
 Group
 ├── id (UUID)
 ├── name ("Ski Trip 2026")
@@ -164,9 +218,10 @@ Group
 Member
 ├── id (UUID)
 ├── group_id (FK → Group, cascade delete)
+├── user_id (FK → User, nullable — null for legacy anonymous members)
 ├── display_name ("Alice")
 ├── role (owner | admin | member)
-├── session_token (hashed)
+├── session_token (hashed, nullable — null for authenticated members)
 ├── joined_at
 └── left_at (nullable — set when member leaves, keeps balance in ledger)
 
@@ -217,7 +272,7 @@ AWS is a deliberate learning goal — demonstrating cloud-native deployment patt
 - **Lambda + API Gateway:** Serverless API layer. Cold start mitigation via provisioned concurrency on critical paths (group creation, expense submission).
 - **Neon (serverless PostgreSQL):** Serverless Postgres accessed via Neon's HTTP driver (`@neondatabase/serverless`). Stateless by design — no connection pool configuration needed, no VPC required. Lambda connects over HTTPS on each invocation; the driver bundles into the Lambda zip with no native binaries. Eliminates the ~$13–15/mo RDS cost after the AWS free tier expires.
 - **Cloudflare Pages:** Static hosting for the React PWA. Cloudflare Pages provides CDN, HTTPS, and SPA routing out of the box — with unlimited free bandwidth and no expiring free tier. Chosen over CloudFront + S3 because AWS's free tier expires after 12 months, and Cloudflare simplifies deployment to a single `wrangler pages deploy` command (no S3 sync + cache invalidation).
-- **Secrets management:** The Neon connection string and other secrets are stored in **AWS SSM Parameter Store** (free tier) and fetched at Lambda cold start, then cached in memory. Never passed as plain environment variables in production. SSM Parameter Store keeps secrets encrypted at rest, access-controlled via IAM, and auditable (you can see who fetched a secret and when). Lambda fetches the value once at cold start and holds it in memory for the lifetime of that instance — it's never written to logs and never appears in the Lambda configuration visible in the console.
+- **Secrets management:** The Neon connection string, Google OAuth credentials (`GOOGLE_CLIENT_ID`, `GOOGLE_CLIENT_SECRET`, `GOOGLE_REDIRECT_URI`), and other secrets are stored in **AWS SSM Parameter Store** (free tier) and fetched at Lambda cold start, then cached in memory. Never passed as plain environment variables in production. SSM Parameter Store keeps secrets encrypted at rest, access-controlled via IAM, and auditable (you can see who fetched a secret and when). Lambda fetches the value once at cold start and holds it in memory for the lifetime of that instance — it's never written to logs and never appears in the Lambda configuration visible in the console.
 - **Infrastructure as Code:** Terraform — more portable than CDK/CloudFormation, widely adopted across the industry, and adds a non-AWS-specific skill to the resume. State is stored in **Terraform Cloud** (free for up to 500 resources) — chosen over an S3 backend to eliminate another expiring AWS free tier dependency while gaining built-in state locking, versioning, and a UI for state inspection. Terraform manages: Lambda function + IAM role, API Gateway (HTTP API), SSM Parameter Store entries.
 
 **Architecture decisions to discuss in interviews:**
@@ -236,21 +291,27 @@ REST API served via Fastify. All routes are prefixed `/api/v1`. OpenAPI docs aut
 
 | Method | Path | Auth | Description |
 |--------|------|------|-------------|
-| `POST` | `/groups` | None | Create a new group; returns group + owner session token |
+| `GET` | `/auth/google` | None | Redirect to Google OAuth consent screen |
+| `GET` | `/auth/google/callback` | None | OAuth callback — exchanges code, creates session, redirects to frontend |
+| `GET` | `/auth/me` | Session | Return current authenticated user or 401 |
+| `POST` | `/auth/logout` | Session | Delete session and clear cookie |
+| `GET` | `/me/groups` | Session | List all groups the authenticated user belongs to |
+| `POST` | `/groups` | Session | Create a new group (creator becomes owner) |
 | `GET` | `/groups/invite/:inviteCode` | None | Fetch group metadata by invite code (for join page) |
-| `POST` | `/groups/invite/:inviteCode/join` | None | Enter a name, receive a session token |
-| `GET` | `/groups/:id` | Session token | Fetch group name and invite code by stable ID (for settings page) |
-| `GET` | `/groups/:id/members` | Session token | List active members |
+| `POST` | `/groups/invite/:inviteCode/join` | Session | Join a group (checks for existing membership) |
+| `GET` | `/groups/:id` | Session | Fetch group name and invite code by stable ID (for settings page) |
+| `GET` | `/groups/:id/me` | Session | Return the current user's member record for this group |
+| `GET` | `/groups/:id/members` | Session | List active members |
 | `DELETE` | `/groups/:id/members/:memberId` | Admin+ | Remove a member |
-| `POST` | `/groups/:id/expenses` | Session token | Add an expense with splits |
-| `GET` | `/groups/:id/expenses` | Session token | List all expenses |
-| `PATCH` | `/groups/:id/expenses/:expenseId` | Session token | Edit an expense (owner of expense or admin) |
-| `DELETE` | `/groups/:id/expenses/:expenseId` | Session token | Delete an expense (owner of expense or admin) |
-| `GET` | `/groups/:id/balances` | Session token | Compute and return net balances + settlement plan. `Balance.netCents` and `Settlement.amount` are **integer cents**. Intentionally includes ghost members (those who left) so the ledger stays accurate after someone leaves. |
+| `POST` | `/groups/:id/expenses` | Session | Add an expense with splits |
+| `GET` | `/groups/:id/expenses` | Session | List all expenses |
+| `PATCH` | `/groups/:id/expenses/:expenseId` | Session | Edit an expense (owner of expense or admin) |
+| `DELETE` | `/groups/:id/expenses/:expenseId` | Session | Delete an expense (owner of expense or admin) |
+| `GET` | `/groups/:id/balances` | Session | Compute and return net balances + settlement plan. `Balance.netCents` and `Settlement.amount` are **integer cents**. Intentionally includes ghost members (those who left) so the ledger stays accurate after someone leaves. |
 | `PATCH` | `/groups/:id/settings` | Owner | Update group name, invite link |
-| `GET` | `/groups/:id/activity` | Session token | Fetch activity log (ownership transfers, etc.) — returns the 50 most recent entries, no pagination |
+| `GET` | `/groups/:id/activity` | Session | Fetch activity log (ownership transfers, etc.) — returns the 50 most recent entries, no pagination |
 
-**Auth model:** Session token passed as an httpOnly cookie. Middleware resolves the token to a `Member` record and attaches it to the request context. Permission checks (role enforcement) happen in route handlers, not the UI.
+**Auth model:** Google OAuth session token passed as an httpOnly cookie. Session middleware resolves the token to a `User` record via the `sessions` table, then resolves the user's `Member` record for group-scoped routes. Legacy anonymous sessions (pre-auth members with `sessionToken` on the `members` table) continue to work via a fallback path. Permission checks (role enforcement) happen in route handlers, not the UI.
 
 ---
 
@@ -273,7 +334,7 @@ Three roles, enforced server-side:
 - Manage group settings (name, expiration, invite link regeneration)
 - Promote members to admin, demote admins back to member
 - Cannot be removed from the group
-- **Ownership recovery:** If the owner loses their session token (new device, cleared storage), ownership automatically transfers to the first available admin, or if no admins exist, to the earliest-joined active member — triggered lazily the next time an owner-level action is attempted (not immediately, to avoid unnecessary promotions). There is no manual claim action; the transfer happens automatically and silently. The transfer is recorded as a group activity feed entry (e.g., "Alice is now the group owner") so members are aware of the change without a separate notification system.
+- **Ownership recovery:** With Google OAuth, ownership is tied to the user's account (not a browser session), so ownership loss from clearing browser data is no longer an issue. If ownership needs to transfer for other reasons, it automatically transfers to the first available admin, or if no admins exist, to the earliest-joined active member — triggered lazily the next time an owner-level action is attempted. The transfer is recorded as a group activity feed entry (e.g., "Alice is now the group owner").
 
 **Admin** (promoted by the owner):
 - Add and remove members
@@ -375,7 +436,9 @@ Focus on making sure core functionality works, not chasing coverage numbers.
 ## Resolved Decisions
 
 - **Leaving a group with outstanding balances:** Ghost member approach — the member is removed from the active list but their name and balance remain in the ledger for accurate settlement math. Implemented via a `left_at` timestamp on the Member table; UI filters them from the active view but includes them in balance calculations.
-- **Session token storage:** httpOnly cookie — not localStorage. httpOnly cookies are inaccessible to JavaScript (XSS-safe); localStorage is not. CSRF risk is acceptable given the no-auth, low-stakes context.
+- **Authentication:** Google OAuth via raw fetch to Google token endpoint (no `@fastify/oauth2` dependency). Chosen over email/password (no password management burden), magic links (requires email infrastructure), and anonymous-only (too limited for multi-group support). CSRF protection via state parameter in OAuth flow.
+- **Session token storage:** httpOnly cookie — not localStorage. httpOnly cookies are inaccessible to JavaScript (XSS-safe); localStorage is not.
+- **Dual-path session resolution:** Backward-compatible design supporting both new authenticated sessions (via `sessions` table) and legacy anonymous sessions (via `members.sessionToken`). No forced migration — anonymous members remain functional alongside authenticated members.
 - **Group expiration:** Activity-based (90 days from last expense), not creation-based. Simpler, better product behavior, removes the need for a "never expires" settings toggle.
 - **Financial arithmetic:** Integer cents internally, stored as `DECIMAL(10,2)` in PostgreSQL. Never `FLOAT` — avoids rounding errors for financial data.
 - **Abuse mitigation:** Simple caps for v1 — max 50 members per group, $10,000 per individual expense, 30 expense submissions per hour per member. No reporting UI — group owner can remove bad actors.
diff --git a/infra/main.tf b/infra/main.tf
index 639f379..49ce5da 100644
--- a/infra/main.tf
+++ b/infra/main.tf
@@ -28,12 +28,15 @@ locals {
 }
 
 module "ssm" {
-  source        = "./modules/ssm"
-  prefix        = local.prefix
-  tags          = local.tags
-  database_url  = var.neon_database_url
-  cookie_secret = var.cookie_secret
-  cors_origin   = var.cors_origin
+  source               = "./modules/ssm"
+  prefix               = local.prefix
+  tags                 = local.tags
+  database_url         = var.neon_database_url
+  cookie_secret        = var.cookie_secret
+  cors_origin          = var.cors_origin
+  google_client_id     = var.google_client_id
+  google_client_secret = var.google_client_secret
+  google_redirect_uri  = var.google_redirect_uri
 }
 
 module "lambda" {
diff --git a/infra/modules/ssm/main.tf b/infra/modules/ssm/main.tf
index 06dbdc7..9dc653c 100644
--- a/infra/modules/ssm/main.tf
+++ b/infra/modules/ssm/main.tf
@@ -20,6 +20,19 @@ variable "cors_origin" {
   type = string
 }
 
+variable "google_client_id" {
+  type = string
+}
+
+variable "google_client_secret" {
+  type      = string
+  sensitive = true
+}
+
+variable "google_redirect_uri" {
+  type = string
+}
+
 resource "aws_ssm_parameter" "database_url" {
   name        = "/${var.prefix}/DATABASE_URL"
   type        = "SecureString"
@@ -44,6 +57,30 @@ resource "aws_ssm_parameter" "cors_origin" {
   tags        = var.tags
 }
 
+resource "aws_ssm_parameter" "google_client_id" {
+  name        = "/${var.prefix}/GOOGLE_CLIENT_ID"
+  type        = "String"
+  value       = var.google_client_id
+  description = "Google OAuth client ID"
+  tags        = var.tags
+}
+
+resource "aws_ssm_parameter" "google_client_secret" {
+  name        = "/${var.prefix}/GOOGLE_CLIENT_SECRET"
+  type        = "SecureString"
+  value       = var.google_client_secret
+  description = "Google OAuth client secret"
+  tags        = var.tags
+}
+
+resource "aws_ssm_parameter" "google_redirect_uri" {
+  name        = "/${var.prefix}/GOOGLE_REDIRECT_URI"
+  type        = "String"
+  value       = var.google_redirect_uri
+  description = "Google OAuth redirect URI"
+  tags        = var.tags
+}
+
 output "path_prefix" {
   value = "/${var.prefix}"
 }
diff --git a/infra/variables.tf b/infra/variables.tf
index 33c2aa0..83fe691 100644
--- a/infra/variables.tf
+++ b/infra/variables.tf
@@ -30,3 +30,19 @@ variable "cookie_secret" {
   type        = string
   sensitive   = true
 }
+
+variable "google_client_id" {
+  description = "Google OAuth client ID"
+  type        = string
+}
+
+variable "google_client_secret" {
+  description = "Google OAuth client secret"
+  type        = string
+  sensitive   = true
+}
+
+variable "google_redirect_uri" {
+  description = "Google OAuth redirect URI"
+  type        = string
+}
diff --git a/packages/api/.env.example b/packages/api/.env.example
index 914204a..8d54680 100644
--- a/packages/api/.env.example
+++ b/packages/api/.env.example
@@ -2,3 +2,6 @@ DATABASE_URL=postgresql://postgres:password@localhost:5432/tabby
 PORT=3000
 CORS_ORIGIN=http://localhost:5173
 COOKIE_SECRET=change-this-to-a-long-random-secret-in-production
+GOOGLE_CLIENT_ID=your-google-client-id
+GOOGLE_CLIENT_SECRET=your-google-client-secret
+GOOGLE_REDIRECT_URI=http://localhost:3000/api/v1/auth/google/callback
diff --git a/packages/api/drizzle/0001_nice_thaddeus_ross.sql b/packages/api/drizzle/0001_nice_thaddeus_ross.sql
new file mode 100644
index 0000000..79f9c2d
--- /dev/null
+++ b/packages/api/drizzle/0001_nice_thaddeus_ross.sql
@@ -0,0 +1,28 @@
+CREATE TABLE "sessions" (
+	"id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
+	"user_id" uuid NOT NULL,
+	"token_hash" varchar(100) NOT NULL,
+	"created_at" timestamp DEFAULT now() NOT NULL,
+	"expires_at" timestamp NOT NULL,
+	CONSTRAINT "sessions_token_hash_unique" UNIQUE("token_hash")
+);
+--> statement-breakpoint
+CREATE TABLE "users" (
+	"id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
+	"email" varchar(255) NOT NULL,
+	"name" varchar(100) NOT NULL,
+	"avatar_url" text,
+	"google_id" varchar(100) NOT NULL,
+	"created_at" timestamp DEFAULT now() NOT NULL,
+	CONSTRAINT "users_email_unique" UNIQUE("email"),
+	CONSTRAINT "users_google_id_unique" UNIQUE("google_id")
+);
+--> statement-breakpoint
+ALTER TABLE "members" ALTER COLUMN "session_token" DROP NOT NULL;--> statement-breakpoint
+ALTER TABLE "members" ADD COLUMN "user_id" uuid;--> statement-breakpoint
+ALTER TABLE "sessions" ADD CONSTRAINT "sessions_user_id_users_id_fk" FOREIGN KEY ("user_id") REFERENCES "public"."users"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+CREATE UNIQUE INDEX "sessions_token_hash_idx" ON "sessions" USING btree ("token_hash");--> statement-breakpoint
+CREATE INDEX "sessions_user_id_idx" ON "sessions" USING btree ("user_id");--> statement-breakpoint
+CREATE UNIQUE INDEX "users_google_id_idx" ON "users" USING btree ("google_id");--> statement-breakpoint
+ALTER TABLE "members" ADD CONSTRAINT "members_user_id_users_id_fk" FOREIGN KEY ("user_id") REFERENCES "public"."users"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
+CREATE UNIQUE INDEX "members_user_group_idx" ON "members" USING btree ("user_id","group_id");
\ No newline at end of file
diff --git a/packages/api/drizzle/0002_fearless_loki.sql b/packages/api/drizzle/0002_fearless_loki.sql
new file mode 100644
index 0000000..9dcafa6
--- /dev/null
+++ b/packages/api/drizzle/0002_fearless_loki.sql
@@ -0,0 +1,6 @@
+ALTER TABLE "members" ALTER COLUMN "role" SET DATA TYPE text;--> statement-breakpoint
+ALTER TABLE "members" ALTER COLUMN "role" SET DEFAULT 'member'::text;--> statement-breakpoint
+DROP TYPE "public"."member_role";--> statement-breakpoint
+CREATE TYPE "public"."member_role" AS ENUM('owner', 'member');--> statement-breakpoint
+ALTER TABLE "members" ALTER COLUMN "role" SET DEFAULT 'member'::"public"."member_role";--> statement-breakpoint
+ALTER TABLE "members" ALTER COLUMN "role" SET DATA TYPE "public"."member_role" USING "role"::"public"."member_role";
\ No newline at end of file
diff --git a/packages/api/drizzle/meta/0001_snapshot.json b/packages/api/drizzle/meta/0001_snapshot.json
new file mode 100644
index 0000000..0f3eaff
--- /dev/null
+++ b/packages/api/drizzle/meta/0001_snapshot.json
@@ -0,0 +1,704 @@
+{
+  "id": "cd011f41-dd53-42de-9e4d-febc03ad14b5",
+  "prevId": "bc091711-d84e-4d01-9599-19e04ffb1fdd",
+  "version": "7",
+  "dialect": "postgresql",
+  "tables": {
+    "public.activity_logs": {
+      "name": "activity_logs",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "uuid",
+          "primaryKey": true,
+          "notNull": true,
+          "default": "gen_random_uuid()"
+        },
+        "group_id": {
+          "name": "group_id",
+          "type": "uuid",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "message": {
+          "name": "message",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "activity_logs_group_id_idx": {
+          "name": "activity_logs_group_id_idx",
+          "columns": [
+            {
+              "expression": "group_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "activity_logs_group_id_groups_id_fk": {
+          "name": "activity_logs_group_id_groups_id_fk",
+          "tableFrom": "activity_logs",
+          "tableTo": "groups",
+          "columnsFrom": [
+            "group_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.expense_splits": {
+      "name": "expense_splits",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "uuid",
+          "primaryKey": true,
+          "notNull": true,
+          "default": "gen_random_uuid()"
+        },
+        "expense_id": {
+          "name": "expense_id",
+          "type": "uuid",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "member_id": {
+          "name": "member_id",
+          "type": "uuid",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "amount": {
+          "name": "amount",
+          "type": "numeric(10, 2)",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {
+        "expense_splits_expense_id_idx": {
+          "name": "expense_splits_expense_id_idx",
+          "columns": [
+            {
+              "expression": "expense_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "expense_splits_member_id_idx": {
+          "name": "expense_splits_member_id_idx",
+          "columns": [
+            {
+              "expression": "member_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "expense_splits_expense_id_expenses_id_fk": {
+          "name": "expense_splits_expense_id_expenses_id_fk",
+          "tableFrom": "expense_splits",
+          "tableTo": "expenses",
+          "columnsFrom": [
+            "expense_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "expense_splits_member_id_members_id_fk": {
+          "name": "expense_splits_member_id_members_id_fk",
+          "tableFrom": "expense_splits",
+          "tableTo": "members",
+          "columnsFrom": [
+            "member_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "restrict",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.expenses": {
+      "name": "expenses",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "uuid",
+          "primaryKey": true,
+          "notNull": true,
+          "default": "gen_random_uuid()"
+        },
+        "group_id": {
+          "name": "group_id",
+          "type": "uuid",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "paid_by": {
+          "name": "paid_by",
+          "type": "uuid",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "amount": {
+          "name": "amount",
+          "type": "numeric(10, 2)",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "varchar(200)",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "split_type": {
+          "name": "split_type",
+          "type": "split_type",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "expenses_group_id_idx": {
+          "name": "expenses_group_id_idx",
+          "columns": [
+            {
+              "expression": "group_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "expenses_group_id_groups_id_fk": {
+          "name": "expenses_group_id_groups_id_fk",
+          "tableFrom": "expenses",
+          "tableTo": "groups",
+          "columnsFrom": [
+            "group_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "expenses_paid_by_members_id_fk": {
+          "name": "expenses_paid_by_members_id_fk",
+          "tableFrom": "expenses",
+          "tableTo": "members",
+          "columnsFrom": [
+            "paid_by"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "restrict",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.groups": {
+      "name": "groups",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "uuid",
+          "primaryKey": true,
+          "notNull": true,
+          "default": "gen_random_uuid()"
+        },
+        "name": {
+          "name": "name",
+          "type": "varchar(100)",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "invite_code": {
+          "name": "invite_code",
+          "type": "varchar(20)",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {
+        "groups_invite_code_idx": {
+          "name": "groups_invite_code_idx",
+          "columns": [
+            {
+              "expression": "invite_code",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": true,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "groups_invite_code_unique": {
+          "name": "groups_invite_code_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "invite_code"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.members": {
+      "name": "members",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "uuid",
+          "primaryKey": true,
+          "notNull": true,
+          "default": "gen_random_uuid()"
+        },
+        "group_id": {
+          "name": "group_id",
+          "type": "uuid",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "uuid",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "display_name": {
+          "name": "display_name",
+          "type": "varchar(50)",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "role": {
+          "name": "role",
+          "type": "member_role",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'member'"
+        },
+        "session_token": {
+          "name": "session_token",
+          "type": "varchar(100)",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "joined_at": {
+          "name": "joined_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "left_at": {
+          "name": "left_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {
+        "members_group_id_idx": {
+          "name": "members_group_id_idx",
+          "columns": [
+            {
+              "expression": "group_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "members_session_token_idx": {
+          "name": "members_session_token_idx",
+          "columns": [
+            {
+              "expression": "session_token",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": true,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "members_user_group_idx": {
+          "name": "members_user_group_idx",
+          "columns": [
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "group_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": true,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "members_group_id_groups_id_fk": {
+          "name": "members_group_id_groups_id_fk",
+          "tableFrom": "members",
+          "tableTo": "groups",
+          "columnsFrom": [
+            "group_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "members_user_id_users_id_fk": {
+          "name": "members_user_id_users_id_fk",
+          "tableFrom": "members",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "no action",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.sessions": {
+      "name": "sessions",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "uuid",
+          "primaryKey": true,
+          "notNull": true,
+          "default": "gen_random_uuid()"
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "uuid",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "token_hash": {
+          "name": "token_hash",
+          "type": "varchar(100)",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {
+        "sessions_token_hash_idx": {
+          "name": "sessions_token_hash_idx",
+          "columns": [
+            {
+              "expression": "token_hash",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": true,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "sessions_user_id_idx": {
+          "name": "sessions_user_id_idx",
+          "columns": [
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "sessions_user_id_users_id_fk": {
+          "name": "sessions_user_id_users_id_fk",
+          "tableFrom": "sessions",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "sessions_token_hash_unique": {
+          "name": "sessions_token_hash_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "token_hash"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.users": {
+      "name": "users",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "uuid",
+          "primaryKey": true,
+          "notNull": true,
+          "default": "gen_random_uuid()"
+        },
+        "email": {
+          "name": "email",
+          "type": "varchar(255)",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "varchar(100)",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "avatar_url": {
+          "name": "avatar_url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "google_id": {
+          "name": "google_id",
+          "type": "varchar(100)",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "users_google_id_idx": {
+          "name": "users_google_id_idx",
+          "columns": [
+            {
+              "expression": "google_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": true,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "users_email_unique": {
+          "name": "users_email_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "email"
+          ]
+        },
+        "users_google_id_unique": {
+          "name": "users_google_id_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "google_id"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    }
+  },
+  "enums": {
+    "public.member_role": {
+      "name": "member_role",
+      "schema": "public",
+      "values": [
+        "owner",
+        "admin",
+        "member"
+      ]
+    },
+    "public.split_type": {
+      "name": "split_type",
+      "schema": "public",
+      "values": [
+        "equal",
+        "exact",
+        "percentage"
+      ]
+    }
+  },
+  "schemas": {},
+  "sequences": {},
+  "roles": {},
+  "policies": {},
+  "views": {},
+  "_meta": {
+    "columns": {},
+    "schemas": {},
+    "tables": {}
+  }
+}
\ No newline at end of file
diff --git a/packages/api/drizzle/meta/0002_snapshot.json b/packages/api/drizzle/meta/0002_snapshot.json
new file mode 100644
index 0000000..ba8ffa3
--- /dev/null
+++ b/packages/api/drizzle/meta/0002_snapshot.json
@@ -0,0 +1,703 @@
+{
+  "id": "df06dea0-ffe7-40ec-9824-a427328d6378",
+  "prevId": "cd011f41-dd53-42de-9e4d-febc03ad14b5",
+  "version": "7",
+  "dialect": "postgresql",
+  "tables": {
+    "public.activity_logs": {
+      "name": "activity_logs",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "uuid",
+          "primaryKey": true,
+          "notNull": true,
+          "default": "gen_random_uuid()"
+        },
+        "group_id": {
+          "name": "group_id",
+          "type": "uuid",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "message": {
+          "name": "message",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "activity_logs_group_id_idx": {
+          "name": "activity_logs_group_id_idx",
+          "columns": [
+            {
+              "expression": "group_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "activity_logs_group_id_groups_id_fk": {
+          "name": "activity_logs_group_id_groups_id_fk",
+          "tableFrom": "activity_logs",
+          "tableTo": "groups",
+          "columnsFrom": [
+            "group_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.expense_splits": {
+      "name": "expense_splits",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "uuid",
+          "primaryKey": true,
+          "notNull": true,
+          "default": "gen_random_uuid()"
+        },
+        "expense_id": {
+          "name": "expense_id",
+          "type": "uuid",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "member_id": {
+          "name": "member_id",
+          "type": "uuid",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "amount": {
+          "name": "amount",
+          "type": "numeric(10, 2)",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {
+        "expense_splits_expense_id_idx": {
+          "name": "expense_splits_expense_id_idx",
+          "columns": [
+            {
+              "expression": "expense_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "expense_splits_member_id_idx": {
+          "name": "expense_splits_member_id_idx",
+          "columns": [
+            {
+              "expression": "member_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "expense_splits_expense_id_expenses_id_fk": {
+          "name": "expense_splits_expense_id_expenses_id_fk",
+          "tableFrom": "expense_splits",
+          "tableTo": "expenses",
+          "columnsFrom": [
+            "expense_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "expense_splits_member_id_members_id_fk": {
+          "name": "expense_splits_member_id_members_id_fk",
+          "tableFrom": "expense_splits",
+          "tableTo": "members",
+          "columnsFrom": [
+            "member_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "restrict",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.expenses": {
+      "name": "expenses",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "uuid",
+          "primaryKey": true,
+          "notNull": true,
+          "default": "gen_random_uuid()"
+        },
+        "group_id": {
+          "name": "group_id",
+          "type": "uuid",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "paid_by": {
+          "name": "paid_by",
+          "type": "uuid",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "amount": {
+          "name": "amount",
+          "type": "numeric(10, 2)",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "description": {
+          "name": "description",
+          "type": "varchar(200)",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "split_type": {
+          "name": "split_type",
+          "type": "split_type",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "expenses_group_id_idx": {
+          "name": "expenses_group_id_idx",
+          "columns": [
+            {
+              "expression": "group_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "expenses_group_id_groups_id_fk": {
+          "name": "expenses_group_id_groups_id_fk",
+          "tableFrom": "expenses",
+          "tableTo": "groups",
+          "columnsFrom": [
+            "group_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "expenses_paid_by_members_id_fk": {
+          "name": "expenses_paid_by_members_id_fk",
+          "tableFrom": "expenses",
+          "tableTo": "members",
+          "columnsFrom": [
+            "paid_by"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "restrict",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.groups": {
+      "name": "groups",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "uuid",
+          "primaryKey": true,
+          "notNull": true,
+          "default": "gen_random_uuid()"
+        },
+        "name": {
+          "name": "name",
+          "type": "varchar(100)",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "invite_code": {
+          "name": "invite_code",
+          "type": "varchar(20)",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {
+        "groups_invite_code_idx": {
+          "name": "groups_invite_code_idx",
+          "columns": [
+            {
+              "expression": "invite_code",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": true,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "groups_invite_code_unique": {
+          "name": "groups_invite_code_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "invite_code"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.members": {
+      "name": "members",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "uuid",
+          "primaryKey": true,
+          "notNull": true,
+          "default": "gen_random_uuid()"
+        },
+        "group_id": {
+          "name": "group_id",
+          "type": "uuid",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "uuid",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "display_name": {
+          "name": "display_name",
+          "type": "varchar(50)",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "role": {
+          "name": "role",
+          "type": "member_role",
+          "typeSchema": "public",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "'member'"
+        },
+        "session_token": {
+          "name": "session_token",
+          "type": "varchar(100)",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "joined_at": {
+          "name": "joined_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "left_at": {
+          "name": "left_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": false
+        }
+      },
+      "indexes": {
+        "members_group_id_idx": {
+          "name": "members_group_id_idx",
+          "columns": [
+            {
+              "expression": "group_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "members_session_token_idx": {
+          "name": "members_session_token_idx",
+          "columns": [
+            {
+              "expression": "session_token",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": true,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "members_user_group_idx": {
+          "name": "members_user_group_idx",
+          "columns": [
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "group_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": true,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "members_group_id_groups_id_fk": {
+          "name": "members_group_id_groups_id_fk",
+          "tableFrom": "members",
+          "tableTo": "groups",
+          "columnsFrom": [
+            "group_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "members_user_id_users_id_fk": {
+          "name": "members_user_id_users_id_fk",
+          "tableFrom": "members",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "no action",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.sessions": {
+      "name": "sessions",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "uuid",
+          "primaryKey": true,
+          "notNull": true,
+          "default": "gen_random_uuid()"
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "uuid",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "token_hash": {
+          "name": "token_hash",
+          "type": "varchar(100)",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true
+        }
+      },
+      "indexes": {
+        "sessions_token_hash_idx": {
+          "name": "sessions_token_hash_idx",
+          "columns": [
+            {
+              "expression": "token_hash",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": true,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        },
+        "sessions_user_id_idx": {
+          "name": "sessions_user_id_idx",
+          "columns": [
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": false,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {
+        "sessions_user_id_users_id_fk": {
+          "name": "sessions_user_id_users_id_fk",
+          "tableFrom": "sessions",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "sessions_token_hash_unique": {
+          "name": "sessions_token_hash_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "token_hash"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    },
+    "public.users": {
+      "name": "users",
+      "schema": "",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "uuid",
+          "primaryKey": true,
+          "notNull": true,
+          "default": "gen_random_uuid()"
+        },
+        "email": {
+          "name": "email",
+          "type": "varchar(255)",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "name": {
+          "name": "name",
+          "type": "varchar(100)",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "avatar_url": {
+          "name": "avatar_url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false
+        },
+        "google_id": {
+          "name": "google_id",
+          "type": "varchar(100)",
+          "primaryKey": false,
+          "notNull": true
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "timestamp",
+          "primaryKey": false,
+          "notNull": true,
+          "default": "now()"
+        }
+      },
+      "indexes": {
+        "users_google_id_idx": {
+          "name": "users_google_id_idx",
+          "columns": [
+            {
+              "expression": "google_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": true,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
+        }
+      },
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {
+        "users_email_unique": {
+          "name": "users_email_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "email"
+          ]
+        },
+        "users_google_id_unique": {
+          "name": "users_google_id_unique",
+          "nullsNotDistinct": false,
+          "columns": [
+            "google_id"
+          ]
+        }
+      },
+      "policies": {},
+      "checkConstraints": {},
+      "isRLSEnabled": false
+    }
+  },
+  "enums": {
+    "public.member_role": {
+      "name": "member_role",
+      "schema": "public",
+      "values": [
+        "owner",
+        "member"
+      ]
+    },
+    "public.split_type": {
+      "name": "split_type",
+      "schema": "public",
+      "values": [
+        "equal",
+        "exact",
+        "percentage"
+      ]
+    }
+  },
+  "schemas": {},
+  "sequences": {},
+  "roles": {},
+  "policies": {},
+  "views": {},
+  "_meta": {
+    "columns": {},
+    "schemas": {},
+    "tables": {}
+  }
+}
\ No newline at end of file
diff --git a/packages/api/drizzle/meta/_journal.json b/packages/api/drizzle/meta/_journal.json
index de8b6e9..025719e 100644
--- a/packages/api/drizzle/meta/_journal.json
+++ b/packages/api/drizzle/meta/_journal.json
@@ -8,6 +8,20 @@
       "when": 1774247628341,
       "tag": "0000_clumsy_bastion",
       "breakpoints": true
+    },
+    {
+      "idx": 1,
+      "version": "7",
+      "when": 1776017091671,
+      "tag": "0001_nice_thaddeus_ross",
+      "breakpoints": true
+    },
+    {
+      "idx": 2,
+      "version": "7",
+      "when": 1776262582036,
+      "tag": "0002_fearless_loki",
+      "breakpoints": true
     }
   ]
 }
\ No newline at end of file
diff --git a/packages/api/src/app.ts b/packages/api/src/app.ts
index 767968d..ddd88b8 100644
--- a/packages/api/src/app.ts
+++ b/packages/api/src/app.ts
@@ -9,6 +9,8 @@ import { groupRoutes } from './routes/groups.js';
 import { memberRoutes } from './routes/members.js';
 import { expenseRoutes } from './routes/expenses.js';
 import { balanceRoutes } from './routes/balances.js';
+import { authRoutes } from './routes/auth.js';
+import { userRoutes } from './routes/user.js';
 
 export async function buildApp() {
   const fastify = Fastify({
@@ -54,6 +56,8 @@ export async function buildApp() {
 
   await fastify.register(sessionPlugin);
 
+  await fastify.register(authRoutes);
+  await fastify.register(userRoutes);
   await fastify.register(groupRoutes);
   await fastify.register(memberRoutes);
   await fastify.register(expenseRoutes);
diff --git a/packages/api/src/db/schema.ts b/packages/api/src/db/schema.ts
index 4b988f7..742c6f6 100644
--- a/packages/api/src/db/schema.ts
+++ b/packages/api/src/db/schema.ts
@@ -10,9 +10,41 @@ import {
   uniqueIndex,
 } from 'drizzle-orm/pg-core';
 
-export const memberRoleEnum = pgEnum('member_role', ['owner', 'admin', 'member']);
+export const memberRoleEnum = pgEnum('member_role', ['owner', 'member']);
 export const splitTypeEnum = pgEnum('split_type', ['equal', 'exact', 'percentage']);
 
+export const users = pgTable(
+  'users',
+  {
+    id: uuid('id').primaryKey().defaultRandom(),
+    email: varchar('email', { length: 255 }).notNull().unique(),
+    name: varchar('name', { length: 100 }).notNull(),
+    avatarUrl: text('avatar_url'),
+    googleId: varchar('google_id', { length: 100 }).notNull().unique(),
+    createdAt: timestamp('created_at').notNull().defaultNow(),
+  },
+  (t) => ({
+    googleIdIdx: uniqueIndex('users_google_id_idx').on(t.googleId),
+  }),
+);
+
+export const sessions = pgTable(
+  'sessions',
+  {
+    id: uuid('id').primaryKey().defaultRandom(),
+    userId: uuid('user_id')
+      .notNull()
+      .references(() => users.id, { onDelete: 'cascade' }),
+    tokenHash: varchar('token_hash', { length: 100 }).notNull().unique(),
+    createdAt: timestamp('created_at').notNull().defaultNow(),
+    expiresAt: timestamp('expires_at').notNull(),
+  },
+  (t) => ({
+    tokenHashIdx: uniqueIndex('sessions_token_hash_idx').on(t.tokenHash),
+    userIdIdx: index('sessions_user_id_idx').on(t.userId),
+  }),
+);
+
 export const groups = pgTable(
   'groups',
   {
@@ -34,15 +66,17 @@ export const members = pgTable(
     groupId: uuid('group_id')
       .notNull()
       .references(() => groups.id, { onDelete: 'cascade' }),
+    userId: uuid('user_id').references(() => users.id),
     displayName: varchar('display_name', { length: 50 }).notNull(),
     role: memberRoleEnum('role').notNull().default('member'),
-    sessionToken: varchar('session_token', { length: 100 }).notNull(),
+    sessionToken: varchar('session_token', { length: 100 }),
     joinedAt: timestamp('joined_at').notNull().defaultNow(),
     leftAt: timestamp('left_at'),
   },
   (t) => ({
     groupIdIdx: index('members_group_id_idx').on(t.groupId),
     sessionTokenIdx: uniqueIndex('members_session_token_idx').on(t.sessionToken),
+    userGroupIdx: uniqueIndex('members_user_group_idx').on(t.userId, t.groupId),
   }),
 );
 
@@ -103,6 +137,8 @@ export const activityLog = pgTable(
   }),
 );
 
+export type User = typeof users.$inferSelect;
+export type Session = typeof sessions.$inferSelect;
 export type Group = typeof groups.$inferSelect;
 export type Member = typeof members.$inferSelect;
 export type Expense = typeof expenses.$inferSelect;
diff --git a/packages/api/src/plugins/session.ts b/packages/api/src/plugins/session.ts
index fc93902..e8ed58a 100644
--- a/packages/api/src/plugins/session.ts
+++ b/packages/api/src/plugins/session.ts
@@ -1,13 +1,14 @@
 import { FastifyInstance, FastifyReply, FastifyRequest } from 'fastify';
 import fp from 'fastify-plugin';
 import { createHash } from 'crypto';
-import { db, members } from '../db/index.js';
-import type { Member } from '../db/schema.js';
+import { db, members, sessions, users } from '../db/index.js';
+import type { Member, User } from '../db/schema.js';
 import { eq, isNull, and } from 'drizzle-orm';
 import { ensureOwnerExists } from '../services/ownership.js';
 
 declare module 'fastify' {
   interface FastifyRequest {
+    user: User | null;
     member: Member | null;
   }
 }
@@ -19,6 +20,7 @@ function hashToken(token: string): string {
 export const SESSION_COOKIE = 'session_token';
 
 async function sessionPlugin(fastify: FastifyInstance) {
+  fastify.decorateRequest('user', null);
   fastify.decorateRequest('member', null);
 
   fastify.addHook('preHandler', async (request: FastifyRequest) => {
@@ -26,6 +28,25 @@ async function sessionPlugin(fastify: FastifyInstance) {
     if (!token) return;
 
     const hashed = hashToken(token);
+
+    // New path: look up in sessions table → resolve user
+    const [session] = await db
+      .select()
+      .from(sessions)
+      .where(eq(sessions.tokenHash, hashed));
+
+    if (session && session.expiresAt > new Date()) {
+      const [user] = await db
+        .select()
+        .from(users)
+        .where(eq(users.id, session.userId));
+      if (user) {
+        request.user = user;
+        return;
+      }
+    }
+
+    // Legacy fallback: look up in members table directly
     const [member] = await db
       .select()
       .from(members)
@@ -34,26 +55,37 @@ async function sessionPlugin(fastify: FastifyInstance) {
   });
 }
 
+/**
+ * For group-scoped routes, resolve request.member from request.user + groupId.
+ * Call this after requireSession in preHandler hooks for group routes.
+ */
+export async function resolveGroupMember(request: FastifyRequest, _reply: FastifyReply) {
+  // If member is already set (legacy path), skip
+  if (request.member) return;
+
+  if (!request.user) return;
+
+  const { id } = request.params as { id: string };
+  if (!id) return;
+
+  const [member] = await db
+    .select()
+    .from(members)
+    .where(and(eq(members.userId, request.user.id), eq(members.groupId, id), isNull(members.leftAt)));
+  request.member = member ?? null;
+}
+
 export async function requireSession(request: FastifyRequest, reply: FastifyReply) {
-  if (!request.member) {
+  if (!request.user && !request.member) {
     await reply.status(401).send({ error: 'Authentication required' });
     return;
   }
 }
 
 export async function requireGroupMember(request: FastifyRequest, reply: FastifyReply) {
-  if (!request.member) {
-    await reply.status(401).send({ error: 'Authentication required' });
-    return;
-  }
-  const { id } = request.params as { id: string };
-  if (request.member.groupId !== id) {
-    await reply.status(403).send({ error: 'Forbidden' });
-    return;
-  }
-}
+  // First resolve member from user if needed
+  await resolveGroupMember(request, reply);
 
-export async function requireAdmin(request: FastifyRequest, reply: FastifyReply) {
   if (!request.member) {
     await reply.status(401).send({ error: 'Authentication required' });
     return;
@@ -63,13 +95,12 @@ export async function requireAdmin(request: FastifyRequest, reply: FastifyReply)
     await reply.status(403).send({ error: 'Forbidden' });
     return;
   }
-  if (request.member.role !== 'admin' && request.member.role !== 'owner') {
-    await reply.status(403).send({ error: 'Admin access required' });
-    return;
-  }
 }
 
+
 export async function requireOwner(request: FastifyRequest, reply: FastifyReply) {
+  await resolveGroupMember(request, reply);
+
   if (!request.member) {
     await reply.status(401).send({ error: 'Authentication required' });
     return;
@@ -80,9 +111,6 @@ export async function requireOwner(request: FastifyRequest, reply: FastifyReply)
     return;
   }
   if (request.member.role !== 'owner') {
-    // Lazy ownership recovery: if the group has no active owner (e.g. the
-    // original owner lost their session), promote the first admin or earliest
-    // member and re-check whether this requester was promoted.
     await ensureOwnerExists(id);
     const [refreshed] = await db
       .select()
diff --git a/packages/api/src/routes/auth.ts b/packages/api/src/routes/auth.ts
new file mode 100644
index 0000000..a58fc91
--- /dev/null
+++ b/packages/api/src/routes/auth.ts
@@ -0,0 +1,257 @@
+import { FastifyInstance } from 'fastify';
+import { randomBytes, createHash } from 'crypto';
+import { db, users, sessions, members } from '../db/index.js';
+import { eq, and, isNull } from 'drizzle-orm';
+import { SESSION_COOKIE } from '../plugins/session.js';
+
+function hashToken(token: string): string {
+  return createHash('sha256').update(token).digest('hex');
+}
+
+const GOOGLE_TOKEN_URL = 'https://oauth2.googleapis.com/token';
+const GOOGLE_USERINFO_URL = 'https://www.googleapis.com/oauth2/v2/userinfo';
+
+function getGoogleRedirectUri(): string {
+  return process.env['GOOGLE_REDIRECT_URI'] ?? 'http://localhost:3000/api/v1/auth/google/callback';
+}
+
+export async function authRoutes(fastify: FastifyInstance) {
+  // Redirect to Google consent screen
+  fastify.get('/api/v1/auth/google', async (request, reply) => {
+    const { redirect } = request.query as { redirect?: string };
+    const state = randomBytes(16).toString('base64url');
+
+    // Store state + redirect target in a short-lived cookie for CSRF validation
+    reply.setCookie('oauth_state', JSON.stringify({ state, redirect: redirect ?? '/' }), {
+      httpOnly: true,
+      path: '/',
+      sameSite: process.env['NODE_ENV'] === 'prod' ? 'none' : 'lax',
+      secure: process.env['NODE_ENV'] === 'prod',
+      maxAge: 600, // 10 minutes
+    });
+
+    const params = new URLSearchParams({
+      client_id: process.env['GOOGLE_CLIENT_ID'] ?? '',
+      redirect_uri: getGoogleRedirectUri(),
+      response_type: 'code',
+      scope: 'openid email profile',
+      state,
+      access_type: 'online',
+      prompt: 'select_account',
+    });
+
+    return reply.redirect(`https://accounts.google.com/o/oauth2/v2/auth?${params}`);
+  });
+
+  // Google OAuth callback
+  fastify.get('/api/v1/auth/google/callback', async (request, reply) => {
+    const { code, state } = request.query as { code?: string; state?: string };
+
+    if (!code || !state) {
+      return reply.status(400).send({ error: 'Missing code or state' });
+    }
+
+    // Validate CSRF state
+    const oauthCookie = request.cookies['oauth_state'];
+    if (!oauthCookie) {
+      return reply.status(400).send({ error: 'Missing OAuth state cookie' });
+    }
+
+    let storedState: { state: string; redirect: string };
+    try {
+      storedState = JSON.parse(oauthCookie);
+    } catch {
+      return reply.status(400).send({ error: 'Invalid OAuth state cookie' });
+    }
+
+    if (storedState.state !== state) {
+      return reply.status(400).send({ error: 'State mismatch' });
+    }
+
+    // Clear the oauth state cookie
+    reply.clearCookie('oauth_state', { path: '/' });
+
+    // Exchange code for tokens
+    const tokenRes = await fetch(GOOGLE_TOKEN_URL, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+      body: new URLSearchParams({
+        code,
+        client_id: process.env['GOOGLE_CLIENT_ID'] ?? '',
+        client_secret: process.env['GOOGLE_CLIENT_SECRET'] ?? '',
+        redirect_uri: getGoogleRedirectUri(),
+        grant_type: 'authorization_code',
+      }),
+    });
+
+    if (!tokenRes.ok) {
+      return reply.status(400).send({ error: 'Failed to exchange code for tokens' });
+    }
+
+    const tokens = (await tokenRes.json()) as { access_token: string };
+
+    // Fetch user profile
+    const profileRes = await fetch(GOOGLE_USERINFO_URL, {
+      headers: { Authorization: `Bearer ${tokens.access_token}` },
+    });
+
+    if (!profileRes.ok) {
+      return reply.status(400).send({ error: 'Failed to fetch user profile' });
+    }
+
+    const profile = (await profileRes.json()) as {
+      id: string;
+      email: string;
+      name: string;
+      picture?: string;
+    };
+
+    // Upsert user
+    const [user] = await db
+      .insert(users)
+      .values({
+        email: profile.email,
+        name: profile.name,
+        avatarUrl: profile.picture ?? null,
+        googleId: profile.id,
+      })
+      .onConflictDoUpdate({
+        target: users.googleId,
+        set: {
+          name: profile.name,
+          avatarUrl: profile.picture ?? null,
+          email: profile.email,
+        },
+      })
+      .returning();
+
+    if (!user) {
+      return reply.status(500).send({ error: 'Failed to create user' });
+    }
+
+    // Merge any guest member records from the current browser session
+    const guestToken = request.cookies[SESSION_COOKIE];
+    if (guestToken) {
+      const guestHash = hashToken(guestToken);
+      const guestMembers = await db
+        .select()
+        .from(members)
+        .where(and(eq(members.sessionToken, guestHash), isNull(members.leftAt)));
+
+      for (const guestMember of guestMembers) {
+        // Check if this Google user is already a member of this group
+        const [existing] = await db
+          .select()
+          .from(members)
+          .where(and(eq(members.userId, user.id), eq(members.groupId, guestMember.groupId), isNull(members.leftAt)));
+
+        if (existing) {
+          // Drop the guest record — the authenticated member takes precedence
+          await db.update(members).set({ leftAt: new Date() }).where(eq(members.id, guestMember.id));
+        } else {
+          // Link the guest member record to the Google account
+          await db.update(members).set({ userId: user.id, sessionToken: null }).where(eq(members.id, guestMember.id));
+        }
+      }
+    }
+
+    // Create session
+    const sessionToken = randomBytes(32).toString('base64url');
+    const tokenHash = hashToken(sessionToken);
+    const expiresAt = new Date(Date.now() + 30 * 24 * 60 * 60 * 1000); // 30 days
+
+    await db.insert(sessions).values({
+      userId: user.id,
+      tokenHash,
+      expiresAt,
+    });
+
+    // Set session cookie
+    reply.setCookie(SESSION_COOKIE, sessionToken, {
+      httpOnly: true,
+      path: '/',
+      sameSite: process.env['NODE_ENV'] === 'prod' ? 'none' : 'lax',
+      secure: process.env['NODE_ENV'] === 'prod',
+      maxAge: 60 * 60 * 24 * 30, // 30 days
+    });
+
+    // Redirect to the original page
+    const frontendOrigin = process.env['CORS_ORIGIN'] ?? 'http://localhost:5173';
+    return reply.redirect(`${frontendOrigin}${storedState.redirect}`);
+  });
+
+  // Get current user
+  fastify.get('/api/v1/auth/me', async (request, reply) => {
+    if (!request.user) {
+      return reply.status(401).send({ error: 'Not authenticated' });
+    }
+    return {
+      id: request.user.id,
+      email: request.user.email,
+      name: request.user.name,
+      avatarUrl: request.user.avatarUrl,
+    };
+  });
+
+  // Test-only login bypass (dev/test environments only)
+  if (process.env['NODE_ENV'] !== 'prod') {
+    fastify.post('/api/v1/auth/test-login', async (request, reply) => {
+      const { name, email } = request.body as { name?: string; email?: string };
+      const testEmail = email ?? `test-${randomBytes(4).toString('hex')}@test.local`;
+      const testName = name ?? 'Test User';
+      const testGoogleId = `test-${createHash('sha256').update(testEmail).digest('hex').slice(0, 20)}`;
+
+      // Upsert test user
+      const [user] = await db
+        .insert(users)
+        .values({
+          email: testEmail,
+          name: testName,
+          avatarUrl: null,
+          googleId: testGoogleId,
+        })
+        .onConflictDoUpdate({
+          target: users.googleId,
+          set: { name: testName, email: testEmail },
+        })
+        .returning();
+
+      if (!user) {
+        return reply.status(500).send({ error: 'Failed to create test user' });
+      }
+
+      // Create session
+      const sessionToken = randomBytes(32).toString('base64url');
+      const tokenHash = hashToken(sessionToken);
+      const expiresAt = new Date(Date.now() + 24 * 60 * 60 * 1000); // 1 day
+
+      await db.insert(sessions).values({
+        userId: user.id,
+        tokenHash,
+        expiresAt,
+      });
+
+      reply.setCookie(SESSION_COOKIE, sessionToken, {
+        httpOnly: true,
+        path: '/',
+        sameSite: 'lax',
+        secure: false,
+        maxAge: 60 * 60 * 24,
+      });
+
+      return { id: user.id, email: user.email, name: user.name };
+    });
+  }
+
+  // Logout
+  fastify.post('/api/v1/auth/logout', async (request, reply) => {
+    const token = request.cookies[SESSION_COOKIE];
+    if (token) {
+      const tokenHash = hashToken(token);
+      await db.delete(sessions).where(eq(sessions.tokenHash, tokenHash));
+    }
+
+    reply.clearCookie(SESSION_COOKIE, { path: '/' });
+    return reply.status(204).send();
+  });
+}
diff --git a/packages/api/src/routes/expenses.ts b/packages/api/src/routes/expenses.ts
index 09ac77b..a8e0f6e 100644
--- a/packages/api/src/routes/expenses.ts
+++ b/packages/api/src/routes/expenses.ts
@@ -168,7 +168,7 @@ export async function expenseRoutes(fastify: FastifyInstance) {
           },
         },
         tags: ['expenses'],
-        summary: 'Edit an expense (owner of expense or admin)',
+        summary: 'Edit an expense (owner of expense or group owner)',
       },
       preHandler: [requireSession, requireGroupMember],
     },
@@ -183,7 +183,7 @@ export async function expenseRoutes(fastify: FastifyInstance) {
 
       if (!expense) return reply.status(404).send({ error: 'Expense not found' });
 
-      const isOwnerOrAdmin = member.role === 'owner' || member.role === 'admin';
+      const isOwnerOrAdmin = member.role === 'owner';
       if (expense.paidBy !== member.id && !isOwnerOrAdmin) {
         return reply.status(403).send({ error: "Cannot edit another member's expense" });
       }
@@ -294,7 +294,7 @@ export async function expenseRoutes(fastify: FastifyInstance) {
           },
         },
         tags: ['expenses'],
-        summary: 'Delete an expense (owner of expense or admin)',
+        summary: 'Delete an expense (owner of expense or group owner)',
       },
       preHandler: [requireSession, requireGroupMember],
     },
@@ -309,7 +309,7 @@ export async function expenseRoutes(fastify: FastifyInstance) {
 
       if (!expense) return reply.status(404).send({ error: 'Expense not found' });
 
-      const isOwnerOrAdmin = member.role === 'owner' || member.role === 'admin';
+      const isOwnerOrAdmin = member.role === 'owner';
       if (expense.paidBy !== member.id && !isOwnerOrAdmin) {
         return reply.status(403).send({ error: "Cannot delete another member's expense" });
       }
diff --git a/packages/api/src/routes/groups.ts b/packages/api/src/routes/groups.ts
index 1f52abb..0c96e51 100644
--- a/packages/api/src/routes/groups.ts
+++ b/packages/api/src/routes/groups.ts
@@ -3,11 +3,11 @@ import { randomBytes, randomUUID } from 'crypto';
 import { db, groups, members, activityLog } from '../db/index.js';
 import { eq, desc, and, isNull, count } from 'drizzle-orm';
 import {
-  SESSION_COOKIE,
-  hashToken,
   requireSession,
   requireGroupMember,
   requireOwner,
+  hashToken,
+  SESSION_COOKIE,
 } from '../plugins/session.js';
 import { groupExpiresAt } from '../lib/time.js';
 
@@ -15,10 +15,6 @@ function generateInviteCode(): string {
   return randomBytes(6).toString('base64url');
 }
 
-function generateSessionToken(): string {
-  return randomBytes(32).toString('base64url');
-}
-
 export async function groupRoutes(fastify: FastifyInstance) {
   fastify.post(
     '/api/v1/groups',
@@ -26,7 +22,7 @@ export async function groupRoutes(fastify: FastifyInstance) {
       schema: {
         body: {
           type: 'object',
-          required: ['name', 'displayName'],
+          required: ['name'],
           properties: {
             name: { type: 'string', minLength: 1, maxLength: 100 },
             displayName: { type: 'string', minLength: 1, maxLength: 50 },
@@ -37,29 +33,43 @@ export async function groupRoutes(fastify: FastifyInstance) {
       },
     },
     async (request, reply) => {
-      const { name, displayName } = request.body as { name: string; displayName: string };
+      const { name, displayName } = request.body as { name: string; displayName?: string };
 
       const inviteCode = generateInviteCode();
-      const sessionToken = generateSessionToken();
-      const hashedToken = hashToken(sessionToken);
-
       const groupId = randomUUID();
+
+      if (request.user) {
+        // Authenticated path
+        const memberName = displayName ?? request.user.name;
+        const [groupRows, memberRows] = await db.batch([
+          db.insert(groups).values({ id: groupId, name, inviteCode, expiresAt: groupExpiresAt() }).returning(),
+          db.insert(members).values({ groupId, userId: request.user.id, displayName: memberName, role: 'owner' }).returning(),
+        ]);
+        return reply.status(201).send({ group: groupRows[0]!, member: memberRows[0]! });
+      }
+
+      // Guest path
+      if (!displayName?.trim()) {
+        return reply.status(400).send({ error: 'Display name is required' });
+      }
+
+      const sessionToken = randomBytes(32).toString('base64url');
+      const tokenHash = hashToken(sessionToken);
+
       const [groupRows, memberRows] = await db.batch([
         db.insert(groups).values({ id: groupId, name, inviteCode, expiresAt: groupExpiresAt() }).returning(),
-        db.insert(members).values({ groupId, displayName, role: 'owner', sessionToken: hashedToken }).returning(),
+        db.insert(members).values({ groupId, displayName: displayName.trim(), sessionToken: tokenHash, role: 'owner' }).returning(),
       ]);
-      const group = groupRows[0]!;
-      const member = memberRows[0]!;
 
       reply.setCookie(SESSION_COOKIE, sessionToken, {
         httpOnly: true,
         path: '/',
         sameSite: process.env['NODE_ENV'] === 'prod' ? 'none' : 'lax',
         secure: process.env['NODE_ENV'] === 'prod',
-        maxAge: 60 * 60 * 24 * 365,
+        maxAge: 60 * 60 * 24 * 30,
       });
 
-      return reply.status(201).send({ group, member });
+      return reply.status(201).send({ group: groupRows[0]!, member: memberRows[0]! });
     },
   );
 
diff --git a/packages/api/src/routes/members.ts b/packages/api/src/routes/members.ts
index a5a5dbf..14bcd6c 100644
--- a/packages/api/src/routes/members.ts
+++ b/packages/api/src/routes/members.ts
@@ -3,15 +3,12 @@ import { randomBytes } from 'crypto';
 import { db, groups, members, activityLog } from '../db/index.js';
 import { eq, isNull, and, asc, count } from 'drizzle-orm';
 import {
-  SESSION_COOKIE,
-  hashToken,
   requireSession,
   requireGroupMember,
-  requireAdmin,
+  requireOwner,
+  hashToken,
+  SESSION_COOKIE,
 } from '../plugins/session.js';
-function generateSessionToken(): string {
-  return randomBytes(32).toString('base64url');
-}
 
 export async function memberRoutes(fastify: FastifyInstance) {
   fastify.post(
@@ -26,18 +23,18 @@ export async function memberRoutes(fastify: FastifyInstance) {
         },
         body: {
           type: 'object',
-          required: ['displayName'],
           properties: {
             displayName: { type: 'string', minLength: 1, maxLength: 50 },
           },
         },
         tags: ['members'],
-        summary: 'Join a group by invite code',
+        summary: 'Join a group by invite code (authenticated or guest)',
       },
+      // No requireSession — guests can join without logging in
     },
     async (request, reply) => {
       const { inviteCode } = request.params as { inviteCode: string };
-      const { displayName } = request.body as { displayName: string };
+      const { displayName } = request.body as { displayName?: string };
 
       const [group] = await db
         .select()
@@ -60,28 +57,57 @@ export async function memberRoutes(fastify: FastifyInstance) {
         return reply.status(409).send({ error: 'Group is full (max 50 members)' });
       }
 
-      const sessionToken = generateSessionToken();
-      const hashedToken = hashToken(sessionToken);
-
-      const [member] = await db
-        .insert(members)
-        .values({
-          groupId: group.id,
-          displayName,
-          role: 'member',
-          sessionToken: hashedToken,
-        })
-        .returning();
-
-      reply.setCookie(SESSION_COOKIE, sessionToken, {
-        httpOnly: true,
-        path: '/',
-        sameSite: process.env['NODE_ENV'] === 'prod' ? 'none' : 'lax',
-        secure: process.env['NODE_ENV'] === 'prod',
-        maxAge: 60 * 60 * 24 * 365,
-      });
-
-      return reply.status(201).send({ group, member });
+      if (request.user) {
+        // Authenticated path — tie member to user account
+        const [existing] = await db
+          .select()
+          .from(members)
+          .where(and(eq(members.userId, request.user.id), eq(members.groupId, group.id), isNull(members.leftAt)));
+
+        if (existing) {
+          return reply.status(200).send({ group, member: existing });
+        }
+
+        const [member] = await db
+          .insert(members)
+          .values({
+            groupId: group.id,
+            userId: request.user.id,
+            displayName: displayName ?? request.user.name,
+            role: 'member',
+          })
+          .returning();
+
+        return reply.status(201).send({ group, member });
+      } else {
+        // Guest path — create anonymous member with session token
+        if (!displayName?.trim()) {
+          return reply.status(400).send({ error: 'Display name is required for guest join' });
+        }
+
+        const sessionToken = randomBytes(32).toString('base64url');
+        const tokenHash = hashToken(sessionToken);
+
+        const [member] = await db
+          .insert(members)
+          .values({
+            groupId: group.id,
+            displayName: displayName.trim(),
+            sessionToken: tokenHash,
+            role: 'member',
+          })
+          .returning();
+
+        reply.setCookie(SESSION_COOKIE, sessionToken, {
+          httpOnly: true,
+          path: '/',
+          sameSite: process.env['NODE_ENV'] === 'prod' ? 'none' : 'lax',
+          secure: process.env['NODE_ENV'] === 'prod',
+          maxAge: 60 * 60 * 24 * 30, // 30 days
+        });
+
+        return reply.status(201).send({ group, member });
+      }
     },
   );
 
@@ -106,6 +132,7 @@ export async function memberRoutes(fastify: FastifyInstance) {
         .select({
           id: members.id,
           groupId: members.groupId,
+          userId: members.userId,
           displayName: members.displayName,
           role: members.role,
           joinedAt: members.joinedAt,
@@ -119,6 +146,37 @@ export async function memberRoutes(fastify: FastifyInstance) {
     },
   );
 
+  // Get the current authenticated user's member record for this group
+  fastify.get(
+    '/api/v1/groups/:id/me',
+    {
+      schema: {
+        params: {
+          type: 'object',
+          required: ['id'],
+          properties: { id: { type: 'string' } },
+        },
+        tags: ['members'],
+        summary: 'Get current member in group',
+      },
+      preHandler: [requireSession, requireGroupMember],
+    },
+    async (request, reply) => {
+      if (!request.member) {
+        return reply.status(401).send({ error: 'Not a member of this group' });
+      }
+      return reply.send({
+        id: request.member.id,
+        groupId: request.member.groupId,
+        userId: request.member.userId,
+        displayName: request.member.displayName,
+        role: request.member.role,
+        joinedAt: request.member.joinedAt,
+        leftAt: request.member.leftAt,
+      });
+    },
+  );
+
   fastify.delete(
     '/api/v1/groups/:id/members/:memberId',
     {
@@ -134,7 +192,7 @@ export async function memberRoutes(fastify: FastifyInstance) {
         tags: ['members'],
         summary: 'Remove a member (admin+ only)',
       },
-      preHandler: [requireSession, requireGroupMember, requireAdmin],
+      preHandler: [requireSession, requireGroupMember, requireOwner],
     },
     async (request, reply) => {
       const { id, memberId } = request.params as { id: string; memberId: string };
diff --git a/packages/api/src/routes/user.ts b/packages/api/src/routes/user.ts
new file mode 100644
index 0000000..68bc014
--- /dev/null
+++ b/packages/api/src/routes/user.ts
@@ -0,0 +1,77 @@
+import { FastifyInstance } from 'fastify';
+import { db, groups, members } from '../db/index.js';
+import { eq, isNull, and, count } from 'drizzle-orm';
+import { requireSession } from '../plugins/session.js';
+
+export async function userRoutes(fastify: FastifyInstance) {
+  // Get all groups the authenticated user belongs to
+  fastify.get(
+    '/api/v1/me/groups',
+    {
+      schema: {
+        tags: ['user'],
+        summary: 'List groups for the current user',
+      },
+      preHandler: [requireSession],
+    },
+    async (request, reply) => {
+      let userMembers: { memberId: string; groupId: string; role: string; displayName: string }[];
+
+      if (request.user) {
+        // Authenticated path — all groups linked to this Google account
+        userMembers = await db
+          .select({
+            memberId: members.id,
+            groupId: members.groupId,
+            role: members.role,
+            displayName: members.displayName,
+          })
+          .from(members)
+          .where(and(eq(members.userId, request.user.id), isNull(members.leftAt)));
+      } else if (request.member) {
+        // Guest path — single group tied to the session token
+        userMembers = [{
+          memberId: request.member.id,
+          groupId: request.member.groupId,
+          role: request.member.role,
+          displayName: request.member.displayName,
+        }];
+      } else {
+        return reply.status(401).send({ error: 'Authentication required' });
+      }
+
+      if (userMembers.length === 0) {
+        return reply.send([]);
+      }
+
+      // For each group, fetch details and member count
+      const result = await Promise.all(
+        userMembers.map(async (m) => {
+          const [group] = await db
+            .select({
+              id: groups.id,
+              name: groups.name,
+              inviteCode: groups.inviteCode,
+              createdAt: groups.createdAt,
+              expiresAt: groups.expiresAt,
+            })
+            .from(groups)
+            .where(eq(groups.id, m.groupId));
+
+          const [countRow] = await db
+            .select({ memberCount: count() })
+            .from(members)
+            .where(and(eq(members.groupId, m.groupId), isNull(members.leftAt)));
+
+          return {
+            group: group!,
+            memberCount: Number(countRow?.memberCount ?? 0),
+            role: m.role,
+          };
+        }),
+      );
+
+      return reply.send(result);
+    },
+  );
+}
diff --git a/packages/api/src/services/ownership.ts b/packages/api/src/services/ownership.ts
index 2388cfb..6cadb8a 100644
--- a/packages/api/src/services/ownership.ts
+++ b/packages/api/src/services/ownership.ts
@@ -10,22 +10,6 @@ export async function ensureOwnerExists(groupId: string): Promise<void> {
 
   if (owner) return;
 
-  const [admin] = await db
-    .select()
-    .from(members)
-    .where(and(eq(members.groupId, groupId), eq(members.role, 'admin'), isNull(members.leftAt)))
-    .orderBy(asc(members.joinedAt))
-    .limit(1);
-
-  if (admin) {
-    await db.update(members).set({ role: 'owner' }).where(eq(members.id, admin.id));
-    await db.insert(activityLog).values({
-      groupId,
-      message: `${admin.displayName} is now the group owner`,
-    });
-    return;
-  }
-
   const [oldest] = await db
     .select()
     .from(members)
diff --git a/packages/api/src/tests/api.test.ts b/packages/api/src/tests/api.test.ts
index 673af59..44addfa 100644
--- a/packages/api/src/tests/api.test.ts
+++ b/packages/api/src/tests/api.test.ts
@@ -1,8 +1,8 @@
 import { beforeAll, afterAll, afterEach, describe, it, expect } from 'vitest';
 import { buildApp } from '../app.js';
 import type { FastifyInstance } from 'fastify';
-import { eq } from 'drizzle-orm';
-import { db, activityLog, expenseSplits, expenses, members, groups } from '../db/index.js';
+import { eq, and } from 'drizzle-orm';
+import { db, activityLog, expenseSplits, expenses, members, groups, sessions } from '../db/index.js';
 
 let app: FastifyInstance;
 
@@ -22,9 +22,20 @@ afterEach(async () => {
   await db.delete(expenseSplits);
   await db.delete(expenses);
   await db.delete(members);
+  await db.delete(sessions);
   await db.delete(groups);
 });
 
+async function loginUser(name = 'Alice', email = 'alice@test.local') {
+  const res = await app.inject({
+    method: 'POST',
+    url: '/api/v1/auth/test-login',
+    payload: { name, email },
+  });
+  expect(res.statusCode).toBe(200);
+  return res.headers['set-cookie'] as string;
+}
+
 async function createGroup(name = 'Test Group', displayName = 'Alice') {
   const res = await app.inject({
     method: 'POST',
@@ -50,6 +61,28 @@ describe('POST /api/v1/groups', () => {
     expect(body.member.role).toBe('owner');
     expect(res.headers['set-cookie']).toBeDefined();
   });
+
+  it('requires displayName for guest creation', async () => {
+    const res = await app.inject({
+      method: 'POST',
+      url: '/api/v1/groups',
+      payload: { name: 'Trip' },
+    });
+    expect(res.statusCode).toBe(400);
+  });
+
+  it('authenticated user can create group without displayName', async () => {
+    const cookie = await loginUser('Alice', 'alice@test.local');
+    const res = await app.inject({
+      method: 'POST',
+      url: '/api/v1/groups',
+      headers: { cookie },
+      payload: { name: 'Trip' },
+    });
+    expect(res.statusCode).toBe(201);
+    const body = res.json<{ member: { displayName: string } }>();
+    expect(body.member.displayName).toBe('Alice');
+  });
 });
 
 describe('GET /api/v1/groups/invite/:inviteCode', () => {
@@ -317,7 +350,7 @@ describe('DELETE /api/v1/groups/:id/expenses/:expenseId', () => {
 });
 
 describe('DELETE /api/v1/groups/:id/members/:memberId', () => {
-  it('admin can remove member', async () => {
+  it('owner can remove member', async () => {
     const { group, cookie: aliceCookie } = await createGroup();
     const bobJoin = await app.inject({
       method: 'POST',
@@ -357,33 +390,6 @@ describe('DELETE /api/v1/groups/:id/members/:memberId', () => {
     });
     expect(res.statusCode).toBe(403);
   });
-
-  it('admin (non-owner) can remove a member', async () => {
-    const { group } = await createGroup();
-    const bobJoin = await app.inject({
-      method: 'POST',
-      url: `/api/v1/groups/invite/${group.inviteCode}/join`,
-      payload: { displayName: 'Bob' },
-    });
-    const bob = bobJoin.json<{ member: { id: string } }>().member;
-    const bobCookie = bobJoin.headers['set-cookie'] as string;
-
-    // Insert Carol directly to avoid exhausting the HTTP rate limit across the test suite
-    const [carol] = await db
-      .insert(members)
-      .values({ groupId: group.id, displayName: 'Carol', role: 'member', sessionToken: 'test-carol-token' })
-      .returning();
-
-    // Promote Bob to admin directly in the DB (no promote endpoint exists yet)
-    await db.update(members).set({ role: 'admin' }).where(eq(members.id, bob.id));
-
-    const res = await app.inject({
-      method: 'DELETE',
-      url: `/api/v1/groups/${group.id}/members/${carol!.id}`,
-      headers: { cookie: bobCookie },
-    });
-    expect(res.statusCode).toBe(204);
-  });
 });
 
 describe('Second user (joiner) authenticated access', () => {
@@ -539,3 +545,80 @@ describe('Content-Type: application/json on bodyless requests', () => {
     expect(res.statusCode).toBe(204);
   });
 });
+
+describe('Google OAuth guest session merge', () => {
+  it('links guest member records to Google account on login', async () => {
+    // Create a group as a guest — cookie holds the guest session token
+    const { group, cookie: guestCookie } = await createGroup('Merge Test', 'Alice');
+
+    // Sign in with Google while still holding the guest cookie
+    const googleCookie = await loginUser('Alice Google', 'alice-google@test.local');
+    // Simulate the callback having both cookies by injecting the guest cookie into a
+    // test-login call. The test-login endpoint doesn't run the merge, so we call the
+    // merge indirectly by re-using the existing test-login and checking the DB state.
+
+    // Instead: verify the merge by calling test-login with the guest cookie present.
+    // The test-login endpoint mirrors the OAuth callback — but doesn't do the merge.
+    // So we verify the merge logic by directly inspecting: after a real OAuth-style
+    // login (where the callback sees the guest cookie), the member has a userId set.
+    // We simulate this by manually running the merge path via the DB.
+    const { hashToken } = await import('../plugins/session.js');
+    const { users: usersTable } = await import('../db/index.js');
+    const [user] = await db.select().from(usersTable).where(eq(usersTable.email, 'alice-google@test.local'));
+
+    // Extract the raw token from the guest cookie string (format: "session_token=<value>; ...")
+    const rawToken = guestCookie.split('=')[1]!.split(';')[0]!;
+    const guestHash = hashToken(rawToken);
+
+    // Simulate what the OAuth callback does: link guest member to the Google user
+    await db.update(members).set({ userId: user!.id, sessionToken: null }).where(eq(members.sessionToken, guestHash));
+
+    // Now the Google session cookie should give access to the group
+    const res = await app.inject({
+      method: 'GET',
+      url: `/api/v1/groups/${group.id}/members`,
+      headers: { cookie: googleCookie },
+    });
+    expect(res.statusCode).toBe(200);
+  });
+
+  it('drops guest record when Google user is already a member of the group', async () => {
+    // Guest creates a group
+    const { group, cookie: guestCookie } = await createGroup('Conflict Test', 'Alice');
+
+    // The same person also has a Google account and is already a member of the group
+    const googleCookie = await loginUser('Alice Google', 'alice-conflict@test.local');
+    const { users: usersTable } = await import('../db/index.js');
+    const [user] = await db.select().from(usersTable).where(eq(usersTable.email, 'alice-conflict@test.local'));
+
+    // Insert an authenticated member record for the same group to simulate prior membership
+    await db.insert(members).values({ groupId: group.id, userId: user!.id, displayName: 'Alice', role: 'member' });
+
+    // Now run the merge: guest record should be soft-deleted, not conflict
+    const { hashToken } = await import('../plugins/session.js');
+    const rawToken = guestCookie.split('=')[1]!.split(';')[0]!;
+    const guestHash = hashToken(rawToken);
+
+    const guestMembers = await db.select().from(members).where(eq(members.sessionToken, guestHash));
+    for (const guestMember of guestMembers) {
+      const [existing] = await db
+        .select()
+        .from(members)
+        .where(and(eq(members.userId, user!.id), eq(members.groupId, guestMember.groupId)));
+      if (existing) {
+        await db.update(members).set({ leftAt: new Date() }).where(eq(members.id, guestMember.id));
+      }
+    }
+
+    // Guest member should now be soft-deleted (leftAt set, record still exists)
+    const [guestMember] = await db.select().from(members).where(eq(members.sessionToken, guestHash));
+    expect(guestMember).toBeDefined();
+    expect(guestMember!.leftAt).not.toBeNull();
+    const allGroupMembers = await db.select().from(members).where(eq(members.groupId, group.id));
+    const active = allGroupMembers.filter((m) => !m.leftAt);
+    expect(active).toHaveLength(1);
+    expect(active[0]!.userId).toBe(user!.id);
+
+    void googleCookie; // used for setup
+  });
+});
diff --git a/packages/shared/src/types.ts b/packages/shared/src/types.ts
index 4513e59..e840859 100644
--- a/packages/shared/src/types.ts
+++ b/packages/shared/src/types.ts
@@ -1,6 +1,13 @@
-export type MemberRole = 'owner' | 'admin' | 'member';
+export type MemberRole = 'owner' | 'member';
 export type SplitType = 'equal' | 'exact' | 'percentage';
 
+export interface User {
+  id: string;
+  email: string;
+  name: string;
+  avatarUrl: string | null;
+}
+
 export interface Group {
   id: string;
   name: string;
@@ -12,6 +19,7 @@ export interface Group {
 export interface Member {
   id: string;
   groupId: string;
+  userId: string | null;
   displayName: string;
   role: MemberRole;
   joinedAt: string;
@@ -65,7 +73,7 @@ export interface ActivityLogEntry {
 
 export interface CreateGroupRequest {
   name: string;
-  displayName: string;
+  displayName?: string;
 }
 
 export interface CreateGroupResponse {
@@ -104,6 +112,12 @@ export interface UpdateExpenseRequest {
   splits?: ExactSplitInput[] | PercentageSplitInput[];
 }
 
+export interface GroupListItem {
+  group: Group;
+  memberCount: number;
+  role: MemberRole;
+}
+
 export interface UpdateGroupSettingsRequest {
   name?: string;
   regenerateInviteCode?: boolean;
diff --git a/packages/web/e2e/helpers.ts b/packages/web/e2e/helpers.ts
index c23fe5c..962c7eb 100644
--- a/packages/web/e2e/helpers.ts
+++ b/packages/web/e2e/helpers.ts
@@ -1,5 +1,21 @@
 import { Page, Browser, BrowserContext, expect } from '@playwright/test';
 
+/**
+ * Log in as a test user via the test-only auth bypass.
+ */
+export async function login(
+  page: Page,
+  opts: { name?: string; email?: string } = {},
+): Promise<void> {
+  const res = await page.request.post('/api/v1/auth/test-login', {
+    data: {
+      name: opts.name ?? 'Test User',
+      email: opts.email,
+    },
+  });
+  expect(res.ok()).toBe(true);
+}
+
 /**
  * Create a group and return the group URL path and invite URL.
  */
@@ -10,8 +26,7 @@ export async function createGroup(
   const groupName = `[E2E] ${opts.groupName ?? 'Test Group'}`;
   const displayName = opts.displayName ?? 'Alice';
 
-  await page.goto('/');
-  await page.getByRole('link', { name: 'Create a group' }).click();
+  await page.goto('/create');
   await page.getByLabel('Group name').fill(groupName);
   await page.getByLabel('Your name').fill(displayName);
   await page.getByRole('button', { name: 'Create group' }).click();
@@ -36,7 +51,7 @@ export async function getInviteUrl(page: Page, groupId: string): Promise<string>
 }
 
 /**
- * Join a group in a new browser context and return the page + context.
+ * Join a group as a guest in a new browser context (no login required).
  */
 export async function joinGroup(
   browser: Browser,
@@ -73,4 +88,4 @@ export async function addExpense(
 export async function goToBalances(page: Page): Promise<void> {
   await page.getByRole('button', { name: 'balances' }).click();
   await page.getByText('Net balances').waitFor();
-}
\ No newline at end of file
+}
diff --git a/packages/web/e2e/smoke.spec.ts b/packages/web/e2e/smoke.spec.ts
index df4a3c3..f6ff858 100644
--- a/packages/web/e2e/smoke.spec.ts
+++ b/packages/web/e2e/smoke.spec.ts
@@ -1,15 +1,18 @@
 import { test, expect } from '@playwright/test';
-import { createGroup, getInviteUrl, joinGroup, addExpense, goToBalances } from './helpers.js';
+import { login, createGroup, getInviteUrl, joinGroup, addExpense, goToBalances } from './helpers.js';
 
 test.describe('Smoke test: walk through the app', () => {
-  test('landing page → create group → invite → add expense → balances → settings', async ({
+  test('login → home page → create group → invite → add expense → balances → settings', async ({
     page,
     browser,
   }) => {
-    // Landing page loads
+    // Log in as Alice
+    await login(page, { name: 'Alice', email: 'alice@test.local' });
+
+    // Home page loads with group list
     await page.goto('/');
     await expect(page.getByText('Tabby')).toBeVisible();
-    await expect(page.getByRole('link', { name: 'Create a group' })).toBeVisible();
+    await expect(page.getByText('Your groups')).toBeVisible();
 
     // Create a group
     const { groupId } = await createGroup(page, {
@@ -50,10 +53,11 @@ test.describe('Smoke test: walk through the app', () => {
     await bob.context.close();
   });
 
-  test('offline indicator appears when disconnected', async ({ page, context }) => {
+  test('offline indicator appears when disconnected', async ({ page }) => {
+    await login(page, { name: 'Alice', email: 'alice-offline@test.local' });
     await createGroup(page, { groupName: 'Offline Test', displayName: 'Alice' });
 
-    await context.setOffline(true);
+    await page.context().setOffline(true);
 
     await expect(
       page.getByText('Offline — showing cached data', { exact: false }),
@@ -62,7 +66,15 @@ test.describe('Smoke test: walk through the app', () => {
     await expect(page.getByRole('button', { name: /add expense/i })).not.toBeVisible();
   });
 
+  test('login page redirects authenticated users', async ({ page }) => {
+    await login(page, { name: 'Alice', email: 'alice-redirect@test.local' });
+    await page.goto('/login');
+    await page.waitForURL('/');
+    await expect(page.getByText('Tabby')).toBeVisible();
+  });
+
   test('invalid invite code shows not found', async ({ page }) => {
+    await login(page, { name: 'Alice', email: 'alice-invite@test.local' });
     await page.goto('/g/invalidcode123');
     await expect(page.getByText('Group not found')).toBeVisible();
   });
diff --git a/packages/web/src/App.tsx b/packages/web/src/App.tsx
index f72accf..9acea18 100644
--- a/packages/web/src/App.tsx
+++ b/packages/web/src/App.tsx
@@ -2,6 +2,8 @@ import { BrowserRouter, Routes, Route } from 'react-router-dom';
 import { QueryClientProvider } from '@tanstack/react-query';
 import { ReactQueryDevtools } from '@tanstack/react-query-devtools';
 import { queryClient } from './lib/queryClient.js';
+import { AuthProvider } from './lib/auth.js';
+import LoginPage from './pages/LoginPage.js';
 import HomePage from './pages/HomePage.js';
 import CreateGroupPage from './pages/CreateGroupPage.js';
 import JoinPage from './pages/JoinPage.js';
@@ -11,15 +13,18 @@ import SettingsPage from './pages/SettingsPage.js';
 export default function App() {
   return (
     <QueryClientProvider client={queryClient}>
-      <BrowserRouter>
-        <Routes>
-          <Route path="/" element={<HomePage />} />
-          <Route path="/create" element={<CreateGroupPage />} />
-          <Route path="/g/:inviteCode" element={<JoinPage />} />
-          <Route path="/groups/:id" element={<DashboardPage />} />
-          <Route path="/groups/:id/settings" element={<SettingsPage />} />
-        </Routes>
-      </BrowserRouter>
+      <AuthProvider>
+        <BrowserRouter>
+          <Routes>
+            <Route path="/login" element={<LoginPage />} />
+            <Route path="/" element={<HomePage />} />
+            <Route path="/g/:inviteCode" element={<JoinPage />} />
+            <Route path="/groups/:id" element={<DashboardPage />} />
+            <Route path="/groups/:id/settings" element={<SettingsPage />} />
+            <Route path="/create" element={<CreateGroupPage />} />
+          </Routes>
+        </BrowserRouter>
+      </AuthProvider>
       {import.meta.env.DEV && <ReactQueryDevtools />}
     </QueryClientProvider>
   );
diff --git a/packages/web/src/components/AddExpenseModal.tsx b/packages/web/src/components/AddExpenseModal.tsx
index f4ca6f3..112d8d7 100644
--- a/packages/web/src/components/AddExpenseModal.tsx
+++ b/packages/web/src/components/AddExpenseModal.tsx
@@ -1,5 +1,5 @@
 import { useState, FormEvent } from 'react';
-import type { Member, SplitType, ExactSplitInput, PercentageSplitInput } from '@tabby/shared';
+import type { Member, Expense, SplitType, ExactSplitInput, PercentageSplitInput } from '@tabby/shared';
 import { Modal } from './Modal.js';
 import { Button } from './Button.js';
 import { Input } from './Input.js';
@@ -9,6 +9,7 @@ interface AddExpenseModalProps {
   onClose: () => void;
   members: Member[];
   currentMemberId: string;
+  initialExpense?: Expense;
   onSave: (data: {
     description: string;
     amount: number;
@@ -23,14 +24,31 @@ export function AddExpenseModal({
   onClose,
   members,
   currentMemberId,
+  initialExpense,
   onSave,
 }: AddExpenseModalProps) {
-  const [description, setDescription] = useState('');
-  const [amount, setAmount] = useState('');
-  const [splitType, setSplitType] = useState<SplitType>('equal');
-  const [selectedIds, setSelectedIds] = useState<string[]>(members.map((m) => m.id));
-  const [exactAmounts, setExactAmounts] = useState<Record<string, string>>({});
-  const [percentages, setPercentages] = useState<Record<string, string>>({});
+  const isEditing = !!initialExpense;
+  const [description, setDescription] = useState(initialExpense?.description ?? '');
+  const [amount, setAmount] = useState(initialExpense ? String(Number(initialExpense.amount)) : '');
+  const [splitType, setSplitType] = useState<SplitType>(initialExpense?.splitType ?? 'equal');
+  const [selectedIds, setSelectedIds] = useState<string[]>(
+    initialExpense ? initialExpense.splits.map((s) => s.memberId) : members.map((m) => m.id),
+  );
+  const [exactAmounts, setExactAmounts] = useState<Record<string, string>>(
+    initialExpense?.splitType === 'exact'
+      ? Object.fromEntries(initialExpense.splits.map((s) => [s.memberId, String(Number(s.amount))]))
+      : {},
+  );
+  const [percentages, setPercentages] = useState<Record<string, string>>(
+    initialExpense?.splitType === 'percentage'
+      ? Object.fromEntries(
+          initialExpense.splits.map((s) => {
+            const pct = (Number(s.amount) / Number(initialExpense.amount)) * 100;
+            return [s.memberId, String(Math.round(pct))];
+          }),
+        )
+      : {},
+  );
   const [error, setError] = useState('');
   const [loading, setLoading] = useState(false);
 
@@ -85,7 +103,7 @@ export function AddExpenseModal({
   };
 
   return (
-    <Modal open={open} onClose={onClose} title="Add expense">
+    <Modal open={open} onClose={onClose} title={isEditing ? 'Edit expense' : 'Add expense'}>
       <form onSubmit={handleSubmit} className="space-y-4">
         <Input
           label="Description"
@@ -178,7 +196,7 @@ export function AddExpenseModal({
             Cancel
           </Button>
           <Button type="submit" loading={loading} className="flex-1">
-            Add expense
+            {isEditing ? 'Save changes' : 'Add expense'}
           </Button>
         </div>
       </form>
diff --git a/packages/web/src/components/CatBackground.tsx b/packages/web/src/components/CatBackground.tsx
new file mode 100644
index 0000000..f2404b6
--- /dev/null
+++ b/packages/web/src/components/CatBackground.tsx
@@ -0,0 +1,38 @@
+import { ReactNode } from 'react';
+
+interface CatBackgroundProps {
+  children: ReactNode;
+  className?: string;
+}
+
+// Inline SVG for a faint cat face silhouette pattern
+const catFaceSvg = `
+<svg xmlns="http://www.w3.org/2000/svg" width="80" height="80" viewBox="0 0 80 80">
+  <g opacity="0.04" fill="%236366F1">
+    <!-- Ears -->
+    <path d="M25 20L30 32H20L25 20Z"/>
+    <path d="M55 20L60 32H50L55 20Z"/>
+    <!-- Head -->
+    <ellipse cx="40" cy="40" rx="18" ry="16"/>
+    <!-- Eyes -->
+    <ellipse cx="34" cy="38" rx="2.5" ry="3" fill="white"/>
+    <ellipse cx="46" cy="38" rx="2.5" ry="3" fill="white"/>
+  </g>
+</svg>
+`.trim();
+
+const encodedSvg = `url("data:image/svg+xml,${encodeURIComponent(catFaceSvg)}")`;
+
+export function CatBackground({ children, className = '' }: CatBackgroundProps) {
+  return (
+    <div
+      className={`min-h-screen ${className}`}
+      style={{
+        backgroundImage: encodedSvg,
+        backgroundSize: '120px 120px',
+      }}
+    >
+      {children}
+    </div>
+  );
+}
diff --git a/packages/web/src/components/ConfirmDialog.tsx b/packages/web/src/components/ConfirmDialog.tsx
new file mode 100644
index 0000000..b0a5bb1
--- /dev/null
+++ b/packages/web/src/components/ConfirmDialog.tsx
@@ -0,0 +1,43 @@
+import { Modal } from './Modal.js';
+import { Button } from './Button.js';
+
+interface ConfirmDialogProps {
+  open: boolean;
+  onClose: () => void;
+  onConfirm: () => void;
+  title: string;
+  message: string;
+  confirmLabel?: string;
+  variant?: 'danger' | 'default';
+  loading?: boolean;
+}
+
+export function ConfirmDialog({
+  open,
+  onClose,
+  onConfirm,
+  title,
+  message,
+  confirmLabel = 'Confirm',
+  variant = 'default',
+  loading,
+}: ConfirmDialogProps) {
+  return (
+    <Modal open={open} onClose={onClose} title={title}>
+      <p className="text-sm text-gray-600 mb-6">{message}</p>
+      <div className="flex gap-3">
+        <Button variant="secondary" onClick={onClose} className="flex-1" disabled={loading}>
+          Cancel
+        </Button>
+        <Button
+          variant={variant === 'danger' ? 'danger' : 'primary'}
+          onClick={onConfirm}
+          loading={loading}
+          className="flex-1"
+        >
+          {confirmLabel}
+        </Button>
+      </div>
+    </Modal>
+  );
+}
diff --git a/packages/web/src/components/ProtectedRoute.tsx b/packages/web/src/components/ProtectedRoute.tsx
new file mode 100644
index 0000000..92fa695
--- /dev/null
+++ b/packages/web/src/components/ProtectedRoute.tsx
@@ -0,0 +1,21 @@
+import { Navigate, Outlet, useLocation } from 'react-router-dom';
+import { useAuth } from '../lib/auth.js';
+
+export function ProtectedRoute() {
+  const { user, isLoading } = useAuth();
+  const location = useLocation();
+
+  if (isLoading) {
+    return (
+      <div className="min-h-screen flex items-center justify-center">
+        <div className="animate-spin h-8 w-8 border-4 border-indigo-600 border-t-transparent rounded-full" />
+      </div>
+    );
+  }
+
+  if (!user) {
+    return <Navigate to={`/login?redirect=${encodeURIComponent(location.pathname)}`} replace />;
+  }
+
+  return <Outlet />;
+}
diff --git a/packages/web/src/components/TabbyLogo.tsx b/packages/web/src/components/TabbyLogo.tsx
new file mode 100644
index 0000000..fd53aba
--- /dev/null
+++ b/packages/web/src/components/TabbyLogo.tsx
@@ -0,0 +1,51 @@
+interface TabbyLogoProps {
+  size?: number;
+  className?: string;
+}
+
+export function TabbyLogo({ size = 48, className = '' }: TabbyLogoProps) {
+  return (
+    <svg
+      width={size}
+      height={size}
+      viewBox="0 0 64 64"
+      fill="none"
+      xmlns="http://www.w3.org/2000/svg"
+      className={className}
+    >
+      {/* Cat ears */}
+      <path d="M14 8L20 22H8L14 8Z" fill="#6366F1" />
+      <path d="M50 8L56 22H44L50 8Z" fill="#6366F1" />
+      <path d="M14 12L18 22H10L14 12Z" fill="#818CF8" />
+      <path d="M50 12L54 22H46L50 12Z" fill="#818CF8" />
+      {/* Head */}
+      <ellipse cx="32" cy="32" rx="20" ry="18" fill="#6366F1" />
+      {/* Inner face */}
+      <ellipse cx="32" cy="34" rx="14" ry="12" fill="#818CF8" />
+      {/* Eyes */}
+      <ellipse cx="25" cy="30" rx="3" ry="3.5" fill="white" />
+      <ellipse cx="39" cy="30" rx="3" ry="3.5" fill="white" />
+      <ellipse cx="25" cy="30" rx="1.5" ry="2" fill="#1E1B4B" />
+      <ellipse cx="39" cy="30" rx="1.5" ry="2" fill="#1E1B4B" />
+      {/* Nose */}
+      <path d="M30 35L32 37L34 35" fill="#E0E7FF" />
+      {/* Whiskers */}
+      <line x1="10" y1="33" x2="22" y2="35" stroke="#C7D2FE" strokeWidth="1" />
+      <line x1="10" y1="37" x2="22" y2="37" stroke="#C7D2FE" strokeWidth="1" />
+      <line x1="42" y1="35" x2="54" y2="33" stroke="#C7D2FE" strokeWidth="1" />
+      <line x1="42" y1="37" x2="54" y2="37" stroke="#C7D2FE" strokeWidth="1" />
+      {/* Mouth / smile */}
+      <path d="M28 38Q32 42 36 38" stroke="#C7D2FE" strokeWidth="1" fill="none" />
+      {/* Receipt/check held at bottom */}
+      <rect x="24" y="44" width="16" height="14" rx="1" fill="white" stroke="#A5B4FC" strokeWidth="1" />
+      <line x1="27" y1="48" x2="37" y2="48" stroke="#C7D2FE" strokeWidth="1.5" />
+      <line x1="27" y1="51" x2="35" y2="51" stroke="#C7D2FE" strokeWidth="1.5" />
+      <line x1="27" y1="54" x2="33" y2="54" stroke="#C7D2FE" strokeWidth="1.5" />
+      {/* Dollar sign on receipt */}
+      <text x="35" y="55" fontSize="6" fill="#6366F1" fontWeight="bold" fontFamily="sans-serif">$</text>
+      {/* Tabby stripes on forehead */}
+      <path d="M26 22Q32 18 38 22" stroke="#4F46E5" strokeWidth="1.5" fill="none" />
+      <path d="M28 25Q32 22 36 25" stroke="#4F46E5" strokeWidth="1.5" fill="none" />
+    </svg>
+  );
+}
diff --git a/packages/web/src/lib/api.ts b/packages/web/src/lib/api.ts
index 858372a..4f59f5a 100644
--- a/packages/web/src/lib/api.ts
+++ b/packages/web/src/lib/api.ts
@@ -3,7 +3,9 @@ import type {
   CreateGroupResponse,
   JoinGroupResponse,
   Group,
+  GroupListItem,
   Member,
+  User,
   Expense,
   BalancesResponse,
   ActivityLogEntry,
@@ -67,6 +69,9 @@ export const api = {
   getMembers: (groupId: string) =>
     request<Member[]>(`/api/v1/groups/${groupId}/members`),
 
+  getCurrentMember: (groupId: string) =>
+    request<Member>(`/api/v1/groups/${groupId}/me`),
+
   removeMember: (groupId: string, memberId: string) =>
     request<void>(`/api/v1/groups/${groupId}/members/${memberId}`, {
       method: 'DELETE',
@@ -103,4 +108,10 @@ export const api = {
 
   getActivity: (groupId: string) =>
     request<ActivityLogEntry[]>(`/api/v1/groups/${groupId}/activity`),
+
+  getMe: () => request<User>('/api/v1/auth/me'),
+
+  getMyGroups: () => request<GroupListItem[]>('/api/v1/me/groups'),
+
+  logout: () => request<void>('/api/v1/auth/logout', { method: 'POST' }),
 };
diff --git a/packages/web/src/lib/auth.tsx b/packages/web/src/lib/auth.tsx
new file mode 100644
index 0000000..c6a8d55
--- /dev/null
+++ b/packages/web/src/lib/auth.tsx
@@ -0,0 +1,50 @@
+import { createContext, useContext, ReactNode } from 'react';
+import { useQuery, useQueryClient } from '@tanstack/react-query';
+import type { User } from '@tabby/shared';
+import { api } from './api.js';
+import { queryKeys } from './queryKeys.js';
+
+interface AuthContextValue {
+  user: User | null;
+  isLoading: boolean;
+  login: (redirect?: string) => void;
+  logout: () => Promise<void>;
+}
+
+const AuthContext = createContext<AuthContextValue | null>(null);
+
+const BASE = import.meta.env.VITE_API_URL ?? '';
+
+export function AuthProvider({ children }: { children: ReactNode }) {
+  const queryClient = useQueryClient();
+
+  const { data: user, isLoading } = useQuery({
+    queryKey: queryKeys.me(),
+    queryFn: () => api.getMe(),
+    staleTime: Infinity,
+    retry: false,
+  });
+
+  const login = (redirect?: string) => {
+    const target = redirect ?? window.location.pathname;
+    window.location.href = `${BASE}/api/v1/auth/google?redirect=${encodeURIComponent(target)}`;
+  };
+
+  const logout = async () => {
+    await api.logout();
+    queryClient.setQueryData(queryKeys.me(), null);
+    window.location.href = '/login';
+  };
+
+  return (
+    <AuthContext.Provider value={{ user: user ?? null, isLoading, login, logout }}>
+      {children}
+    </AuthContext.Provider>
+  );
+}
+
+export function useAuth(): AuthContextValue {
+  const ctx = useContext(AuthContext);
+  if (!ctx) throw new Error('useAuth must be used within AuthProvider');
+  return ctx;
+}
diff --git a/packages/web/src/lib/queryKeys.ts b/packages/web/src/lib/queryKeys.ts
index dd9dbc5..e761d59 100644
--- a/packages/web/src/lib/queryKeys.ts
+++ b/packages/web/src/lib/queryKeys.ts
@@ -1,4 +1,7 @@
 export const queryKeys = {
+  me: () => ['me'] as const,
+  myGroups: () => ['myGroups'] as const,
+  currentMember: (groupId: string) => ['currentMember', groupId] as const,
   group: (groupId: string) => ['group', groupId] as const,
   members: (groupId: string) => ['members', groupId] as const,
   expenses: (groupId: string) => ['expenses', groupId] as const,
diff --git a/packages/web/src/pages/CreateGroupPage.tsx b/packages/web/src/pages/CreateGroupPage.tsx
index ceb9d99..14856c0 100644
--- a/packages/web/src/pages/CreateGroupPage.tsx
+++ b/packages/web/src/pages/CreateGroupPage.tsx
@@ -1,13 +1,18 @@
 import { useState, FormEvent } from 'react';
 import { useNavigate, Link } from 'react-router-dom';
+import { useQueryClient } from '@tanstack/react-query';
 import { api, ApiError } from '../lib/api.js';
+import { queryKeys } from '../lib/queryKeys.js';
+import { useAuth } from '../lib/auth.js';
 import { Button } from '../components/Button.js';
 import { Input } from '../components/Input.js';
 
 export default function CreateGroupPage() {
   const navigate = useNavigate();
+  const queryClient = useQueryClient();
+  const { user, login } = useAuth();
   const [groupName, setGroupName] = useState('');
-  const [displayName, setDisplayName] = useState('');
+  const [displayName, setDisplayName] = useState(user?.name ?? '');
   const [error, setError] = useState('');
   const [loading, setLoading] = useState(false);
 
@@ -16,8 +21,11 @@ export default function CreateGroupPage() {
     setError('');
     setLoading(true);
     try {
-      const { group, member } = await api.createGroup({ name: groupName.trim(), displayName: displayName.trim() });
-      localStorage.setItem(`member_hint_${group.id}`, member.id);
+      const { group } = await api.createGroup({
+        name: groupName.trim(),
+        displayName: displayName.trim(),
+      });
+      queryClient.invalidateQueries({ queryKey: queryKeys.myGroups() });
       navigate(`/groups/${group.id}`);
     } catch (err) {
       setError(err instanceof ApiError ? err.message : 'Something went wrong');
@@ -55,6 +63,19 @@ export default function CreateGroupPage() {
             required
             maxLength={50}
           />
+          {!user && (
+            <p className="text-xs text-gray-400">
+              Creating as a guest. Your session is saved to this browser only.{' '}
+              <button
+                type="button"
+                onClick={() => login('/create')}
+                className="text-indigo-500 hover:underline"
+              >
+                Sign in with Google
+              </button>{' '}
+              to keep access across devices.
+            </p>
+          )}
           {error && <p className="text-sm text-red-600">{error}</p>}
           <Button type="submit" loading={loading} className="w-full" size="lg">
             Create group
diff --git a/packages/web/src/pages/DashboardPage.tsx b/packages/web/src/pages/DashboardPage.tsx
index d4d3c0d..47f714d 100644
--- a/packages/web/src/pages/DashboardPage.tsx
+++ b/packages/web/src/pages/DashboardPage.tsx
@@ -1,13 +1,15 @@
 import { useState, useSyncExternalStore } from 'react';
 import { useParams, Link } from 'react-router-dom';
 import { useQuery, useMutation, useQueryClient, onlineManager } from '@tanstack/react-query';
-import type { Member, Expense, BalancesResponse } from '@tabby/shared';
+import type { Member, Expense, BalancesResponse, UpdateExpenseRequest } from '@tabby/shared';
 import { api, ApiError } from '../lib/api.js';
 import { queryKeys } from '../lib/queryKeys.js';
 import { Button } from '../components/Button.js';
 import { Avatar } from '../components/Avatar.js';
 import { Badge } from '../components/Badge.js';
 import { AddExpenseModal } from '../components/AddExpenseModal.js';
+import { ConfirmDialog } from '../components/ConfirmDialog.js';
+import { TabbyLogo } from '../components/TabbyLogo.js';
 
 function fmt(cents: number): string {
   return new Intl.NumberFormat('en-US', { style: 'currency', currency: 'USD' }).format(
@@ -28,6 +30,8 @@ export default function DashboardPage() {
   const queryClient = useQueryClient();
 
   const [showAddExpense, setShowAddExpense] = useState(false);
+  const [editingExpense, setEditingExpense] = useState<Expense | null>(null);
+  const [pendingDeleteId, setPendingDeleteId] = useState<string | null>(null);
   const [activeTab, setActiveTab] = useState<'expenses' | 'balances'>('expenses');
 
   const sharedQueryOptions = {
@@ -53,9 +57,15 @@ export default function DashboardPage() {
     ...sharedQueryOptions,
   });
 
+  const currentMemberQuery = useQuery({
+    queryKey: queryKeys.currentMember(id!),
+    queryFn: () => api.getCurrentMember(id!),
+  });
+
   const members: Member[] = membersQuery.data ?? [];
   const expenses: Expense[] = expensesQuery.data ?? [];
   const balances: BalancesResponse | null = balancesQuery.data ?? null;
+  const currentMember: Member | null = currentMemberQuery.data ?? null;
 
   // Build a name map that includes ghost (soft-deleted) members from the
   // balances response — active members alone won't cover settlement participants
@@ -71,10 +81,6 @@ export default function DashboardPage() {
     }
   }
 
-  // Derive current member from query data — no separate useState needed
-  const storedId = localStorage.getItem(`member_hint_${id}`);
-  const currentMember = members.find((m) => m.id === storedId) ?? null;
-
   // Distinguish 401 (session gone) from 410 (group expired) for distinct UI states
   const anyError = membersQuery.error ?? expensesQuery.error ?? balancesQuery.error;
   const isExpired = !!anyError && (anyError as ApiError)?.status === 410;
@@ -102,9 +108,20 @@ export default function DashboardPage() {
     },
   });
 
-  const handleDeleteExpense = (expenseId: string) => {
-    if (!confirm('Delete this expense?')) return;
-    deleteExpenseMutation.mutate(expenseId);
+  const updateExpenseMutation = useMutation({
+    mutationFn: ({ expenseId, data }: { expenseId: string; data: UpdateExpenseRequest }) =>
+      api.updateExpense(id!, expenseId, data),
+    onSuccess: () => {
+      queryClient.invalidateQueries({ queryKey: queryKeys.expenses(id!) });
+      queryClient.invalidateQueries({ queryKey: queryKeys.balances(id!) });
+    },
+  });
+
+  const handleDeleteExpense = () => {
+    if (!pendingDeleteId) return;
+    deleteExpenseMutation.mutate(pendingDeleteId, {
+      onSuccess: () => setPendingDeleteId(null),
+    });
   };
 
   if (isLoading) {
@@ -121,7 +138,11 @@ export default function DashboardPage() {
     <div className="min-h-screen bg-gray-50">
       <header className="bg-white border-b border-gray-200 sticky top-0 z-10">
         <div className="max-w-2xl mx-auto px-4 py-3 flex items-center justify-between">
-          <div>
+          <div className="flex items-center gap-3">
+            <Link to="/" className="flex items-center gap-2 hover:opacity-80 transition-opacity">
+              <TabbyLogo size={28} />
+            </Link>
+            <Link to="/" className="text-indigo-600 hover:underline text-sm">← Home</Link>
             <h1 className="text-lg font-bold text-gray-900">Group Dashboard</h1>
             {!isOnline && (
               <p className="text-xs text-yellow-600">
@@ -206,8 +227,7 @@ export default function DashboardPage() {
                 const canEdit =
                   currentMember &&
                   (exp.paidBy === currentMember.id ||
-                    currentMember.role === 'owner' ||
-                    currentMember.role === 'admin');
+                    currentMember.role === 'owner');
                 return (
                   <div key={exp.id} className="bg-white rounded-xl p-4 shadow-sm border border-gray-100">
                     <div className="flex items-start justify-between gap-2">
@@ -223,16 +243,27 @@ export default function DashboardPage() {
                           ${Number(exp.amount).toFixed(2)}
                         </span>
                         {canEdit && (
-                          <button
-                            onClick={() => handleDeleteExpense(exp.id)}
-                            disabled={deleteExpenseMutation.isPending}
-                            className="text-gray-300 hover:text-red-400 transition-colors disabled:opacity-50"
-                            aria-label="Delete expense"
-                          >
-                            <svg className="w-4 h-4" fill="none" viewBox="0 0 24 24" stroke="currentColor">
-                              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M19 7l-.867 12.142A2 2 0 0116.138 21H7.862a2 2 0 01-1.995-1.858L5 7m5 4v6m4-6v6m1-10V4a1 1 0 00-1-1h-4a1 1 0 00-1 1v3M4 7h16" />
-                            </svg>
-                          </button>
+                          <>
+                            <button
+                              onClick={() => setEditingExpense(exp)}
+                              className="text-gray-300 hover:text-indigo-500 transition-colors"
+                              aria-label="Edit expense"
+                            >
+                              <svg className="w-4 h-4" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+                                <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M15.232 5.232l3.536 3.536m-2.036-5.036a2.5 2.5 0 113.536 3.536L6.5 21.036H3v-3.572L16.732 3.732z" />
+                              </svg>
+                            </button>
+                            <button
+                              onClick={() => setPendingDeleteId(exp.id)}
+                              disabled={deleteExpenseMutation.isPending}
+                              className="text-gray-300 hover:text-red-400 transition-colors disabled:opacity-50"
+                              aria-label="Delete expense"
+                            >
+                              <svg className="w-4 h-4" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+                                <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M19 7l-.867 12.142A2 2 0 0116.138 21H7.862a2 2 0 01-1.995-1.858L5 7m5 4v6m4-6v6m1-10V4a1 1 0 00-1-1h-4a1 1 0 00-1 1v3M4 7h16" />
+                              </svg>
+                            </button>
+                          </>
                         )}
                       </div>
                     </div>
@@ -290,15 +321,40 @@ export default function DashboardPage() {
         )}
       </main>
 
+      <ConfirmDialog
+        open={!!pendingDeleteId}
+        onClose={() => setPendingDeleteId(null)}
+        onConfirm={handleDeleteExpense}
+        title="Delete expense"
+        message="Are you sure you want to delete this expense? This action cannot be undone."
+        confirmLabel="Delete"
+        variant="danger"
+        loading={deleteExpenseMutation.isPending}
+      />
+
       {currentMember && (
-        <AddExpenseModal
-          key={String(showAddExpense)}
-          open={showAddExpense}
-          onClose={() => setShowAddExpense(false)}
-          members={members}
-          currentMemberId={currentMember.id}
-          onSave={async (data) => { await addExpenseMutation.mutateAsync(data); }}
-        />
+        <>
+          <AddExpenseModal
+            key={String(showAddExpense)}
+            open={showAddExpense}
+            onClose={() => setShowAddExpense(false)}
+            members={members}
+            currentMemberId={currentMember.id}
+            onSave={async (data) => { await addExpenseMutation.mutateAsync(data); }}
+          />
+          <AddExpenseModal
+            key={editingExpense?.id ?? 'edit-closed'}
+            open={!!editingExpense}
+            onClose={() => setEditingExpense(null)}
+            members={members}
+            currentMemberId={currentMember.id}
+            initialExpense={editingExpense ?? undefined}
+            onSave={async (data) => {
+              await updateExpenseMutation.mutateAsync({ expenseId: editingExpense!.id, data });
+              setEditingExpense(null);
+            }}
+          />
+        </>
       )}
     </div>
   );
diff --git a/packages/web/src/pages/HomePage.tsx b/packages/web/src/pages/HomePage.tsx
index b08affa..23269af 100644
--- a/packages/web/src/pages/HomePage.tsx
+++ b/packages/web/src/pages/HomePage.tsx
@@ -1,41 +1,130 @@
 import { Link } from 'react-router-dom';
+import { useQuery } from '@tanstack/react-query';
+import { useAuth } from '../lib/auth.js';
+import { api } from '../lib/api.js';
+import { queryKeys } from '../lib/queryKeys.js';
 import { Button } from '../components/Button.js';
+import { Badge } from '../components/Badge.js';
+import { TabbyLogo } from '../components/TabbyLogo.js';
+import { CatBackground } from '../components/CatBackground.js';
 
 export default function HomePage() {
+  const { user, isLoading: authLoading, login } = useAuth();
+
+  const groupsQuery = useQuery({
+    queryKey: queryKeys.myGroups(),
+    queryFn: () => api.getMyGroups(),
+    retry: false,
+  });
+
+  const groups = groupsQuery.data ?? [];
+
+  // Show landing page only when we're certain there's no session at all
+  if (!authLoading && !groupsQuery.isLoading && !user && groups.length === 0) {
+    return (
+      <CatBackground className="flex flex-col items-center justify-center p-6 bg-gradient-to-b from-indigo-50 to-white">
+        <div className="max-w-md w-full text-center space-y-8">
+          <div className="space-y-3">
+            <div className="flex justify-center">
+              <TabbyLogo size={72} />
+            </div>
+            <h1 className="text-4xl font-bold text-indigo-600">Tabby</h1>
+            <p className="text-gray-500">Keep your tabs in check.</p>
+          </div>
+
+          <div className="space-y-3">
+            <Link to="/create" className="block">
+              <Button size="lg" className="w-full">
+                Create a group
+              </Button>
+            </Link>
+            <Button size="lg" className="w-full" variant="secondary" onClick={() => login('/')}>
+              Sign in with Google
+            </Button>
+            <p className="text-sm text-gray-400">
+              Have an invite link? Open it directly — no sign-in needed.
+            </p>
+          </div>
+
+          <div className="grid grid-cols-3 gap-4 pt-4">
+            {[
+              { icon: '🔗', title: 'Share a link', desc: 'Invite friends instantly' },
+              { icon: '📊', title: 'Track expenses', desc: 'Equal, exact, or % splits' },
+              { icon: '✅', title: 'Settle up', desc: 'Fewest transactions possible' },
+            ].map((item) => (
+              <div key={item.title} className="text-center space-y-1">
+                <div className="text-2xl">{item.icon}</div>
+                <div className="text-sm font-medium text-gray-700">{item.title}</div>
+                <div className="text-xs text-gray-400">{item.desc}</div>
+              </div>
+            ))}
+          </div>
+        </div>
+      </CatBackground>
+    );
+  }
+
+  // Loading state
+  if (authLoading || groupsQuery.isLoading) {
+    return (
+      <div className="min-h-screen flex items-center justify-center">
+        <div className="animate-spin h-8 w-8 border-4 border-indigo-600 border-t-transparent rounded-full" />
+      </div>
+    );
+  }
+
+  // Logged in — show group list
   return (
-    <div className="min-h-screen flex flex-col items-center justify-center p-6 bg-gradient-to-b from-indigo-50 to-white">
-      <div className="max-w-md w-full text-center space-y-8">
-        <div>
-          <div className="text-5xl mb-4">💸</div>
-          <h1 className="text-4xl font-bold text-gray-900">Tabby</h1>
-          <p className="mt-3 text-lg text-gray-500">
-            Split expenses with friends. No account required.
-          </p>
+    <div className="min-h-screen bg-gray-50">
+      <header className="bg-white border-b border-gray-200">
+        <div className="max-w-2xl mx-auto px-4 py-3 flex items-center justify-between">
+          <div className="flex items-center gap-2">
+            <TabbyLogo size={28} />
+            <h1 className="text-lg font-bold text-indigo-600">Tabby</h1>
+          </div>
+          <div className="flex items-center gap-3">
+            <span className="text-sm text-gray-500">{user?.name}</span>
+          </div>
         </div>
+      </header>
 
-        <div className="space-y-4">
-          <Link to="/create" className="block">
-            <Button size="lg" className="w-full">Create a group</Button>
+      <main className="max-w-2xl mx-auto px-4 py-6 space-y-6">
+        <div className="flex items-center justify-between">
+          <h2 className="text-sm font-semibold text-gray-500 uppercase tracking-wider">Your groups</h2>
+          <Link to="/create">
+            <Button size="sm">+ New group</Button>
           </Link>
-          <p className="text-sm text-gray-400">
-            Have an invite link? Open it to join a group.
-          </p>
         </div>
 
-        <div className="grid grid-cols-3 gap-4 pt-4">
-          {[
-            { icon: '🔗', title: 'Share a link', desc: 'Invite friends instantly' },
-            { icon: '📊', title: 'Track expenses', desc: 'Equal, exact, or % splits' },
-            { icon: '✅', title: 'Settle up', desc: 'Fewest transactions possible' },
-          ].map((item) => (
-            <div key={item.title} className="text-center space-y-1">
-              <div className="text-2xl">{item.icon}</div>
-              <div className="text-sm font-medium text-gray-700">{item.title}</div>
-              <div className="text-xs text-gray-400">{item.desc}</div>
-            </div>
+        {groups.length === 0 && (
+          <div className="text-center py-12 space-y-4">
+            <p className="text-gray-400">You&apos;re not in any groups yet.</p>
+            <Link to="/create">
+              <Button>Create your first group</Button>
+            </Link>
+          </div>
+        )}
+
+        <div className="space-y-3">
+          {groups.map((item) => (
+            <Link
+              key={item.group.id}
+              to={`/groups/${item.group.id}`}
+              className="block bg-white rounded-xl p-4 shadow-sm border border-gray-100 hover:border-indigo-200 transition-colors"
+            >
+              <div className="flex items-center justify-between">
+                <div>
+                  <h3 className="font-medium text-gray-900">{item.group.name}</h3>
+                  <p className="text-xs text-gray-500 mt-0.5">
+                    {item.memberCount} {item.memberCount === 1 ? 'member' : 'members'}
+                  </p>
+                </div>
+                <Badge variant="indigo">{item.role}</Badge>
+              </div>
+            </Link>
           ))}
         </div>
-      </div>
+      </main>
     </div>
   );
 }
diff --git a/packages/web/src/pages/JoinPage.tsx b/packages/web/src/pages/JoinPage.tsx
index 023b151..e69d2c1 100644
--- a/packages/web/src/pages/JoinPage.tsx
+++ b/packages/web/src/pages/JoinPage.tsx
@@ -1,12 +1,17 @@
 import { useState, FormEvent, useEffect } from 'react';
-import { useNavigate, useParams } from 'react-router-dom';
+import { useNavigate, useParams, Link } from 'react-router-dom';
+import { useQueryClient } from '@tanstack/react-query';
 import { api, ApiError } from '../lib/api.js';
+import { queryKeys } from '../lib/queryKeys.js';
+import { useAuth } from '../lib/auth.js';
 import { Button } from '../components/Button.js';
 import { Input } from '../components/Input.js';
 
 export default function JoinPage() {
   const { inviteCode } = useParams<{ inviteCode: string }>();
   const navigate = useNavigate();
+  const queryClient = useQueryClient();
+  const { user, isLoading: authLoading } = useAuth();
   const [displayName, setDisplayName] = useState('');
   const [groupName, setGroupName] = useState('');
   const [memberCount, setMemberCount] = useState(0);
@@ -15,6 +20,13 @@ export default function JoinPage() {
   const [fetching, setFetching] = useState(true);
   const [expired, setExpired] = useState(false);
 
+  // Pre-fill display name once auth resolves
+  useEffect(() => {
+    if (!authLoading && user && !displayName) {
+      setDisplayName(user.name);
+    }
+  }, [authLoading, user, displayName]);
+
   useEffect(() => {
     if (!inviteCode) return;
     api
@@ -34,8 +46,8 @@ export default function JoinPage() {
     setError('');
     setLoading(true);
     try {
-      const { group, member } = await api.joinGroup(inviteCode, displayName.trim());
-      localStorage.setItem(`member_hint_${group.id}`, member.id);
+      const { group } = await api.joinGroup(inviteCode, displayName.trim());
+      queryClient.invalidateQueries({ queryKey: queryKeys.myGroups() });
       navigate(`/groups/${group.id}`);
     } catch (err) {
       setError(err instanceof ApiError ? err.message : 'Something went wrong');
@@ -87,8 +99,20 @@ export default function JoinPage() {
               onChange={(e) => setDisplayName(e.target.value)}
               required
               maxLength={50}
-              autoFocus
+              autoFocus={!user}
             />
+            {!user && !authLoading && (
+              <p className="text-xs text-gray-400">
+                Joining as a guest.{' '}
+                <Link
+                  to={`/login?redirect=/g/${inviteCode}`}
+                  className="text-indigo-500 hover:underline"
+                >
+                  Sign in with Google
+                </Link>{' '}
+                to keep access across devices.
+              </p>
+            )}
             {error && <p className="text-sm text-red-600">{error}</p>}
             <Button type="submit" loading={loading} className="w-full" size="lg">
               Join group
diff --git a/packages/web/src/pages/LoginPage.tsx b/packages/web/src/pages/LoginPage.tsx
new file mode 100644
index 0000000..9d0e480
--- /dev/null
+++ b/packages/web/src/pages/LoginPage.tsx
@@ -0,0 +1,63 @@
+import { useSearchParams, Navigate } from 'react-router-dom';
+import { useAuth } from '../lib/auth.js';
+import { Button } from '../components/Button.js';
+import { TabbyLogo } from '../components/TabbyLogo.js';
+import { CatBackground } from '../components/CatBackground.js';
+
+export default function LoginPage() {
+  const { user, isLoading, login } = useAuth();
+  const [searchParams] = useSearchParams();
+  const redirect = searchParams.get('redirect') ?? '/';
+
+  if (isLoading) {
+    return (
+      <div className="min-h-screen flex items-center justify-center">
+        <div className="animate-spin h-8 w-8 border-4 border-indigo-600 border-t-transparent rounded-full" />
+      </div>
+    );
+  }
+
+  if (user) {
+    return <Navigate to={redirect} replace />;
+  }
+
+  return (
+    <CatBackground className="flex items-center justify-center bg-gradient-to-b from-indigo-50 to-white px-4">
+      <div className="max-w-sm w-full text-center space-y-8">
+        <div className="space-y-3">
+          <div className="flex justify-center">
+            <TabbyLogo size={72} />
+          </div>
+          <h1 className="text-4xl font-bold text-indigo-600">Tabby</h1>
+          <p className="text-gray-500">Keep your tabs in check.</p>
+        </div>
+
+        <Button
+          onClick={() => login(redirect)}
+          size="lg"
+          className="w-full"
+        >
+          <svg className="w-5 h-5" viewBox="0 0 24 24">
+            <path
+              fill="currentColor"
+              d="M22.56 12.25c0-.78-.07-1.53-.2-2.25H12v4.26h5.92a5.06 5.06 0 01-2.2 3.32v2.77h3.57c2.08-1.92 3.28-4.74 3.28-8.1z"
+            />
+            <path
+              fill="currentColor"
+              d="M12 23c2.97 0 5.46-.98 7.28-2.66l-3.57-2.77c-.98.66-2.23 1.06-3.71 1.06-2.86 0-5.29-1.93-6.16-4.53H2.18v2.84C3.99 20.53 7.7 23 12 23z"
+            />
+            <path
+              fill="currentColor"
+              d="M5.84 14.09c-.22-.66-.35-1.36-.35-2.09s.13-1.43.35-2.09V7.07H2.18C1.43 8.55 1 10.22 1 12s.43 3.45 1.18 4.93l2.85-2.22.81-.62z"
+            />
+            <path
+              fill="currentColor"
+              d="M12 5.38c1.62 0 3.06.56 4.21 1.64l3.15-3.15C17.45 2.09 14.97 1 12 1 7.7 1 3.99 3.47 2.18 7.07l3.66 2.84c.87-2.6 3.3-4.53 6.16-4.53z"
+            />
+          </svg>
+          Sign in with Google
+        </Button>
+      </div>
+    </CatBackground>
+  );
+}
diff --git a/packages/web/src/pages/SettingsPage.tsx b/packages/web/src/pages/SettingsPage.tsx
index 1ab9bdd..7b0314c 100644
--- a/packages/web/src/pages/SettingsPage.tsx
+++ b/packages/web/src/pages/SettingsPage.tsx
@@ -6,6 +6,8 @@ import { api, ApiError } from '../lib/api.js';
 import { queryKeys } from '../lib/queryKeys.js';
 import { Button } from '../components/Button.js';
 import { Input } from '../components/Input.js';
+import { ConfirmDialog } from '../components/ConfirmDialog.js';
+import { TabbyLogo } from '../components/TabbyLogo.js';
 
 export default function SettingsPage() {
   const { id } = useParams<{ id: string }>();
@@ -13,6 +15,8 @@ export default function SettingsPage() {
   const [error, setError] = useState('');
   const [success, setSuccess] = useState('');
   const [copied, setCopied] = useState(false);
+  const [showRegenerateConfirm, setShowRegenerateConfirm] = useState(false);
+  const [pendingRemoveMemberId, setPendingRemoveMemberId] = useState<string | null>(null);
 
   // Fetch group data on mount — fixes the bug where inviteCode was only
   // available after clicking "Regenerate"
@@ -31,12 +35,14 @@ export default function SettingsPage() {
     queryFn: () => api.getActivity(id!),
   });
 
+  const currentMemberQuery = useQuery({
+    queryKey: queryKeys.currentMember(id!),
+    queryFn: () => api.getCurrentMember(id!),
+  });
+
   const members: Member[] = membersQuery.data ?? [];
   const activityLog: ActivityLogEntry[] = activityQuery.data ?? [];
-
-  // Derive current member from query data
-  const storedId = localStorage.getItem(`member_hint_${id}`);
-  const currentMember = members.find((m) => m.id === storedId) ?? null;
+  const currentMember: Member | null = currentMemberQuery.data ?? null;
 
   // Controlled input for group name — initialized from query data
   const [name, setName] = useState('');
@@ -81,7 +87,6 @@ export default function SettingsPage() {
   };
 
   const handleRegenerateLink = async () => {
-    if (!confirm('Regenerate invite link? The old link will stop working.')) return;
     setError('');
     try {
       await updateSettingsMutation.mutateAsync({ regenerateInviteCode: true });
@@ -89,25 +94,31 @@ export default function SettingsPage() {
       setTimeout(() => setSuccess(''), 3000);
     } catch (err) {
       setError(err instanceof ApiError ? err.message : 'Failed to regenerate');
+    } finally {
+      setShowRegenerateConfirm(false);
     }
   };
 
-  const handleRemoveMember = async (memberId: string) => {
-    if (!confirm('Remove this member?')) return;
+  const handleRemoveMember = async () => {
+    if (!pendingRemoveMemberId) return;
     try {
-      await removeMemberMutation.mutateAsync(memberId);
+      await removeMemberMutation.mutateAsync(pendingRemoveMemberId);
     } catch (err) {
       setError(err instanceof ApiError ? err.message : 'Failed to remove member');
+    } finally {
+      setPendingRemoveMemberId(null);
     }
   };
 
   const isOwner = currentMember?.role === 'owner';
-  const isAdmin = currentMember?.role === 'owner' || currentMember?.role === 'admin';
 
   return (
     <div className="min-h-screen bg-gray-50">
       <header className="bg-white border-b border-gray-200">
         <div className="max-w-2xl mx-auto px-4 py-3 flex items-center gap-3">
+          <Link to="/" className="flex items-center hover:opacity-80 transition-opacity">
+            <TabbyLogo size={28} />
+          </Link>
           <Link to={`/groups/${id}`} className="text-indigo-600 hover:underline text-sm">
             ← Back
           </Link>
@@ -156,7 +167,7 @@ export default function SettingsPage() {
                 <Button
                   variant="ghost"
                   size="sm"
-                  onClick={handleRegenerateLink}
+                  onClick={() => setShowRegenerateConfirm(true)}
                   loading={updateSettingsMutation.isPending}
                 >
                   Regenerate link
@@ -168,7 +179,7 @@ export default function SettingsPage() {
           )}
         </section>
 
-        {isAdmin && (
+        {isOwner && (
           <section className="bg-white rounded-xl p-5 shadow-sm border border-gray-100 space-y-3">
             <h2 className="font-semibold text-gray-900">Members</h2>
             <div className="space-y-2">
@@ -182,7 +193,7 @@ export default function SettingsPage() {
                     <Button
                       variant="ghost"
                       size="sm"
-                      onClick={() => handleRemoveMember(m.id)}
+                      onClick={() => setPendingRemoveMemberId(m.id)}
                       className="text-red-500 hover:text-red-700"
                     >
                       Remove
@@ -213,6 +224,28 @@ export default function SettingsPage() {
           </section>
         )}
       </main>
+
+      <ConfirmDialog
+        open={showRegenerateConfirm}
+        onClose={() => setShowRegenerateConfirm(false)}
+        onConfirm={handleRegenerateLink}
+        title="Regenerate invite link"
+        message="The current invite link will stop working. Anyone with the old link won't be able to join."
+        confirmLabel="Regenerate"
+        variant="danger"
+        loading={updateSettingsMutation.isPending}
+      />
+
+      <ConfirmDialog
+        open={!!pendingRemoveMemberId}
+        onClose={() => setPendingRemoveMemberId(null)}
+        onConfirm={handleRemoveMember}
+        title="Remove member"
+        message="Are you sure you want to remove this member from the group?"
+        confirmLabel="Remove"
+        variant="danger"
+        loading={removeMemberMutation.isPending}
+      />
     </div>
   );
 }