diff --git a/api/login.php b/api/login.php
new file mode 100644
index 0000000..f77cd7f
--- /dev/null
+++ b/api/login.php
@@ -0,0 +1,56 @@
+ false, 'message' => 'Email and password are required.']);
+ exit();
+}
+
+$email = trim($input['email']);
+$password = $input['password'];
+
+try {
+ // Query user from database
+ $stmt = $pdo->prepare("SELECT * FROM users WHERE email = ? LIMIT 1");
+ $stmt->execute([$email]);
+ $user = $stmt->fetch(PDO::FETCH_ASSOC);
+
+ if ($user && password_verify($password, $user['password'])) {
+ // Regenerate session ID for security
+ session_regenerate_id(true);
+
+ // Set session variables
+ $_SESSION['user_id'] = $user['id'];
+ $_SESSION['role'] = $user['role'];
+ $_SESSION['user_name'] = $user['name'];
+ $_SESSION['email'] = $user['email'];
+ $_SESSION['logged_in'] = true;
+
+ // Force session to be written
+ session_write_close();
+
+ echo json_encode([
+ 'success' => true,
+ 'message' => 'Login successful',
+ 'redirect' => 'index.php'
+ ]);
+ } else {
+ http_response_code(401);
+ echo json_encode(['success' => false, 'message' => 'Invalid email or password.']);
+ }
+} catch (Exception $e) {
+ error_log("Login error: " . $e->getMessage());
+ http_response_code(500);
+ echo json_encode(['success' => false, 'message' => 'Server error occurred.']);
+}
\ No newline at end of file
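Review bot: `trim($input['email'])` and `password_verify($password, ...)` both throw a `TypeError` when the JSON field is an array or object rather than a string, and `catch (Exception $e)` does not catch `TypeError`, so a malformed body bypasses the tidy 500 handler and produces whatever the PHP error handler emits; the guard at the top of the hunk should check type, not just presence, e.g. `if (!is_string($input['email'] ?? null) || !is_string($input['password'] ?? null))` (the head of that `if`, the `<?php` line, `session_start()` and the decoding of `$input` are cut off at the top of the rendered hunk, so this assumes `$input` is decoded request JSON). The `password_verify` branch is also skipped entirely when no row matches, so a non-existent email answers measurably faster than a wrong password and the generic "Invalid email or password." message no longer hides which case occurred; run the hash check unconditionally, e.g. `$ok = password_verify($password, $user['password'] ?? DUMMY_HASH);` followed by `if ($user && $ok) {`, where `DUMMY_HASH` is a constant holding a precomputed `password_hash()` output (placeholder name). After a successful verify, `password_needs_rehash($user['password'], PASSWORD_DEFAULT)` would let the stored hash be upgraded when the default algorithm or cost changes. Throttling of repeated failures is not visible in this file and may belong in the caller or middleware; worth confirming it exists somewhere.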