diff --git a/src/components/Icon.svelte b/src/components/Icon.svelte
index 869d4cf46..e72ad138a 100644
--- a/src/components/Icon.svelte
+++ b/src/components/Icon.svelte
@@ -20,7 +20,8 @@ const materialExceptions: Record<string, string> = {
 	currency_bitcoin: "material-symbols:currency-bitcoin",
 	close_round: "ic:round-close",
 	my_location: "material-symbols:my-location-rounded",
-	bookmark_filled: "ic:baseline-bookmark",
+	bookmark_filled: "ic:baseline-bookmark-added",
+	account_circle_filled: "ic:baseline-account-circle",
 };
 
 const faBrandIcons = ["x-twitter", "instagram", "facebook", "twitter"];
diff --git a/src/components/SaveButton.svelte b/src/components/SaveButton.svelte
index fb7d77a28..94c786c2c 100644
--- a/src/components/SaveButton.svelte
+++ b/src/components/SaveButton.svelte
@@ -1,7 +1,14 @@
 <script lang="ts">
+import SaveAuthPrompt from "$components/auth/SaveAuthPrompt.svelte";
 import Icon from "$components/Icon.svelte";
-import api from "$lib/axios";
 import { _ } from "$lib/i18n";
+import type { SavedItemType } from "$lib/savedItems";
+import {
+	getSavedList,
+	putSavedList,
+	setSavedList,
+	toggleSavedLocal,
+} from "$lib/savedItems";
 import { session } from "$lib/session";
 import { errToast } from "$lib/utils";
 
@@ -9,7 +16,7 @@ import { errToast } from "$lib/utils";
 export let id: number;
 
 // Whether this saves a place or an area.
-export let type: "place" | "area" = "place";
+export let type: SavedItemType = "place";
 
 // Optional className passthrough for layout-specific styling.
 let className: string | undefined = undefined;
@@ -17,79 +24,33 @@ let className: string | undefined = undefined;
 export { className as class };
 
 let pending = false;
+let showPrompt = false;
 
-$: savedList =
-	type === "place"
-		? ($session?.savedPlaces ?? [])
-		: ($session?.savedAreas ?? []);
+$: savedList = getSavedList($session, type);
 $: saved = savedList.includes(id);
 
-// SvelteKit server routes that proxy to the btcmap API (avoids CORS preflight).
-const PROXY_ENDPOINTS = {
-	place: "/api/session/saved-places",
-	area: "/api/session/saved-areas",
-} as const;
-
-async function putSaved(token: string, ids: number[]): Promise<number[]> {
-	const res = await api.put<number[]>(PROXY_ENDPOINTS[type], ids, {
-		headers: { Authorization: `Bearer ${token}` },
-	});
-	if (!Array.isArray(res.data)) {
-		throw new Error(
-			`PUT ${PROXY_ENDPOINTS[type]} returned an unexpected response`,
-		);
-	}
-	return res.data;
-}
-
 async function toggle() {
 	if (pending) return;
-	pending = true;
 
-	const previousSession = $session;
-	const previousSaved =
-		type === "place"
-			? (previousSession?.savedPlaces ?? [])
-			: (previousSession?.savedAreas ?? []);
+	// No session — open the auth prompt instead of silently creating an account.
+	// The modal handles signup/login and performs the save itself.
+	if (!$session) {
+		showPrompt = true;
+		return;
+	}
 
+	pending = true;
+	const previousSaved = [...savedList];
 	try {
-		let current = previousSession;
-		if (!current) {
-			current = await session.signUp();
-		}
-
-		const nextSaved =
-			type === "place"
-				? session.toggleSavedPlace(id)
-				: session.toggleSavedArea(id);
+		const nextSaved = toggleSavedLocal(type, id);
 		if (!nextSaved) throw new Error("toggle returned null (no session)");
 
 		// Write the server's canonical list back to the store so the client
 		// stays in sync even if the server deduplicates or rejects IDs.
-		const serverList = await putSaved(current.token, nextSaved);
-		if (type === "place") {
-			session.setSavedPlaces(serverList);
-		} else {
-			session.setSavedAreas(serverList);
-		}
+		const serverList = await putSavedList(type, $session.token, nextSaved);
+		setSavedList(type, serverList);
 	} catch (err) {
-		if (previousSession) {
-			if (type === "place") {
-				session.setSavedPlaces(previousSaved);
-			} else {
-				session.setSavedAreas(previousSaved);
-			}
-		} else {
-			// signUp() succeeded but the PUT failed. Don't clear the session —
-			// the account and token are valid. Just rollback the saved list to
-			// empty so the next click retries with the same account instead of
-			// creating another orphan.
-			if (type === "place") {
-				session.setSavedPlaces([]);
-			} else {
-				session.setSavedAreas([]);
-			}
-		}
+		setSavedList(type, previousSaved);
 		errToast($_(`merchant.saveFailed`));
 		console.error("SaveButton.toggle failed", err);
 	} finally {
@@ -130,3 +91,5 @@ async function toggle() {
 		>
 	</span>
 </button>
+
+<SaveAuthPrompt bind:open={showPrompt} {id} {type} />
diff --git a/src/components/auth/BackupCredentials.svelte b/src/components/auth/BackupCredentials.svelte
new file mode 100644
index 000000000..aaad92260
--- /dev/null
+++ b/src/components/auth/BackupCredentials.svelte
@@ -0,0 +1,106 @@
+<script lang="ts">
+import Icon from "$components/Icon.svelte";
+import { _ } from "$lib/i18n";
+import { errToast, successToast } from "$lib/utils";
+
+export let username: string;
+export let password: string | null;
+// idPrefix avoids element-id collisions if two instances ever mount at once.
+export let idPrefix = "backup";
+
+let showPassword = false;
+
+async function copyToClipboard(text: string) {
+	try {
+		await navigator.clipboard.writeText(text);
+		successToast($_("backup.copied"));
+	} catch (err) {
+		errToast($_("backup.copyFailed"));
+		console.error("Clipboard write failed", err);
+	}
+}
+</script>
+
+<div class="space-y-3">
+	<div>
+		<label
+			for="{idPrefix}-username"
+			class="mb-1 block text-xs font-semibold text-body dark:text-white/70"
+		>
+			{$_("backup.username")}
+		</label>
+		<div class="flex items-center gap-2">
+			<input
+				id="{idPrefix}-username"
+				type="text"
+				readonly
+				value={username}
+				class="w-full rounded-lg border border-gray-300 bg-gray-50 px-3 py-2 text-sm text-primary dark:border-white/20 dark:bg-white/5 dark:text-white"
+			/>
+			<button
+				type="button"
+				on:click={() => copyToClipboard(username)}
+				class="shrink-0 rounded-lg border border-gray-300 p-2 transition-colors hover:bg-gray-100 dark:border-white/20 dark:hover:bg-white/10"
+				title={$_("backup.copy")}
+			>
+				<Icon
+					type="material"
+					icon="content_copy"
+					w="16"
+					h="16"
+					class="text-primary dark:text-white"
+				/>
+			</button>
+		</div>
+	</div>
+	<div>
+		<label
+			for="{idPrefix}-password"
+			class="mb-1 block text-xs font-semibold text-body dark:text-white/70"
+		>
+			{$_("backup.password")}
+		</label>
+		<div class="flex items-center gap-2">
+			<input
+				id="{idPrefix}-password"
+				type={showPassword ? "text" : "password"}
+				readonly
+				value={password || $_("backup.unavailable")}
+				class="w-full rounded-lg border border-gray-300 bg-gray-50 px-3 py-2 text-sm text-primary dark:border-white/20 dark:bg-white/5 dark:text-white"
+			/>
+			<button
+				type="button"
+				on:click={() => (showPassword = !showPassword)}
+				class="shrink-0 rounded-lg border border-gray-300 p-2 transition-colors hover:bg-gray-100 dark:border-white/20 dark:hover:bg-white/10"
+				title={showPassword ? $_("backup.hide") : $_("backup.show")}
+			>
+				<Icon
+					type="material"
+					icon={showPassword ? "visibility_off" : "visibility"}
+					w="16"
+					h="16"
+					class="text-primary dark:text-white"
+				/>
+			</button>
+			{#if password}
+				<button
+					type="button"
+					on:click={() => copyToClipboard(password ?? "")}
+					class="shrink-0 rounded-lg border border-gray-300 p-2 transition-colors hover:bg-gray-100 dark:border-white/20 dark:hover:bg-white/10"
+					title={$_("backup.copy")}
+				>
+					<Icon
+						type="material"
+						icon="content_copy"
+						w="16"
+						h="16"
+						class="text-primary dark:text-white"
+					/>
+				</button>
+			{/if}
+		</div>
+	</div>
+</div>
+<p class="mt-4 text-xs text-body dark:text-white/50">
+	{$_("backup.warning")}
+</p>
diff --git a/src/components/auth/BackupModal.svelte b/src/components/auth/BackupModal.svelte
new file mode 100644
index 000000000..3d785336b
--- /dev/null
+++ b/src/components/auth/BackupModal.svelte
@@ -0,0 +1,21 @@
+<script lang="ts">
+import BackupCredentials from "$components/auth/BackupCredentials.svelte";
+import Modal from "$components/Modal.svelte";
+import { _ } from "$lib/i18n";
+import { session } from "$lib/session";
+
+export let open = false;
+</script>
+
+<Modal bind:open title={$_("backup.title")} titleId="backup-modal-title">
+	<p class="mb-4 text-sm text-body dark:text-white/70">
+		{$_("backup.description")}
+	</p>
+
+	{#if $session}
+		<BackupCredentials
+			username={$session.username}
+			password={$session.password}
+		/>
+	{/if}
+</Modal>
diff --git a/src/components/auth/LoginForm.svelte b/src/components/auth/LoginForm.svelte
new file mode 100644
index 000000000..36dd7f52b
--- /dev/null
+++ b/src/components/auth/LoginForm.svelte
@@ -0,0 +1,114 @@
+<script lang="ts">
+import { get } from "svelte/store";
+
+import api from "$lib/axios";
+import { _ } from "$lib/i18n";
+import type { Session } from "$lib/session";
+import { session } from "$lib/session";
+import { errToast } from "$lib/utils";
+
+// Caller receives the new session after a successful login. This keeps the
+// form reusable: /login navigates, the save-flow modal completes a pending
+// save, both without baking navigation/save logic into the form.
+export let onSuccess: (session: Session) => void | Promise<void>;
+
+// When true, render without the "Don't have an account?" link (e.g. inside
+// a modal that already frames the login choice).
+export let compact = false;
+
+let username = "";
+let password = "";
+let loading = false;
+
+async function handleSubmit() {
+	if (!username.trim() || !password) return;
+	loading = true;
+
+	try {
+		const res = await api.post("/api/session/login", {
+			username: username.trim(),
+			password,
+		});
+
+		const token = res.data?.token;
+		if (typeof token !== "string") {
+			throw new Error("Login did not return a token");
+		}
+
+		// Don't store the password — the user already knows their own credentials.
+		session.login(username.trim(), "", token);
+
+		// Pull the new session value so callers get a concrete Session object
+		// instead of having to subscribe.
+		const current = get(session);
+		if (!current) throw new Error("session.login did not populate the store");
+
+		await onSuccess(current);
+	} catch (err) {
+		const status = (err as { response?: { status?: number } })?.response
+			?.status;
+		errToast(status === 401 ? $_("login.failed") : $_("login.error"));
+		console.error("Login failed:", status ?? "unknown");
+	} finally {
+		loading = false;
+	}
+}
+</script>
+
+<form on:submit|preventDefault={handleSubmit} class="space-y-4">
+	<div>
+		<label
+			for="login-username"
+			class="mb-1 block text-sm font-semibold text-primary dark:text-white"
+		>
+			{$_("login.username")}
+		</label>
+		<input
+			id="login-username"
+			type="text"
+			bind:value={username}
+			autocomplete="username"
+			maxlength="100"
+			class="w-full rounded-lg border border-gray-300 bg-white px-3 py-2 text-primary dark:border-white/20 dark:bg-dark dark:text-white"
+		/>
+	</div>
+
+	<div>
+		<label
+			for="login-password"
+			class="mb-1 block text-sm font-semibold text-primary dark:text-white"
+		>
+			{$_("login.password")}
+		</label>
+		<input
+			id="login-password"
+			type="password"
+			bind:value={password}
+			autocomplete="current-password"
+			maxlength="200"
+			class="w-full rounded-lg border border-gray-300 bg-white px-3 py-2 text-primary dark:border-white/20 dark:bg-dark dark:text-white"
+		/>
+	</div>
+
+	<button
+		type="submit"
+		disabled={loading || !username.trim() || !password}
+		class="w-full rounded-lg bg-link px-4 py-2 font-semibold text-white transition-colors hover:bg-hover disabled:opacity-50"
+	>
+		{loading ? $_("login.loggingIn") : $_("login.submit")}
+	</button>
+</form>
+
+{#if !compact}
+	<p class="mt-4 text-center text-sm text-body dark:text-white/70">
+		{$_("login.noAccount")}
+		<a
+			href="https://developer.btcmap.org"
+			target="_blank"
+			rel="noopener noreferrer"
+			class="text-link transition-colors hover:text-hover"
+		>
+			{$_("login.createAccount")}
+		</a>
+	</p>
+{/if}
diff --git a/src/components/auth/SaveAuthPrompt.svelte b/src/components/auth/SaveAuthPrompt.svelte
new file mode 100644
index 000000000..9c5fa897d
--- /dev/null
+++ b/src/components/auth/SaveAuthPrompt.svelte
@@ -0,0 +1,177 @@
+<script lang="ts">
+import { createEventDispatcher } from "svelte";
+import { get } from "svelte/store";
+
+import BackupCredentials from "$components/auth/BackupCredentials.svelte";
+import LoginForm from "$components/auth/LoginForm.svelte";
+import Modal from "$components/Modal.svelte";
+import { _ } from "$lib/i18n";
+import type { SavedItemType } from "$lib/savedItems";
+import {
+	getSavedList,
+	hydrateSavedFromServer,
+	putSavedList,
+	setSavedList,
+} from "$lib/savedItems";
+import type { Session } from "$lib/session";
+import { session } from "$lib/session";
+import { errToast, successToast } from "$lib/utils";
+
+export let id: number;
+export let type: SavedItemType;
+export let open = false;
+
+const dispatch = createEventDispatcher<{
+	saved: undefined;
+	close: undefined;
+}>();
+
+type View = "choice" | "login" | "backup";
+let view: View = "choice";
+let creating = false;
+
+$: promptTitleKey =
+	type === "area" ? "save.prompt.titleArea" : "save.prompt.titlePlace";
+$: promptDescriptionKey =
+	type === "area"
+		? "save.prompt.descriptionArea"
+		: "save.prompt.descriptionPlace";
+$: accountCreatedKey =
+	type === "area" ? "save.accountCreatedArea" : "save.accountCreatedPlace";
+
+// Inline so Svelte's reactive dependency tracker picks up $_ lexically —
+// otherwise locale changes don't retitle the modal until `view` changes.
+$: title =
+	view === "backup"
+		? $_("backup.title")
+		: view === "login"
+			? $_("login.title")
+			: $_(promptTitleKey);
+
+// Reset view state whenever the modal is (re)opened/closed.
+$: if (!open) {
+	view = "choice";
+	creating = false;
+}
+
+async function performInitialSave(current: Session) {
+	const existing = getSavedList(current, type);
+	const nextList = existing.includes(id) ? existing : [...existing, id];
+	setSavedList(type, nextList);
+	try {
+		const serverList = await putSavedList(type, current.token, nextList);
+		setSavedList(type, serverList);
+		dispatch("saved");
+	} catch (err) {
+		setSavedList(type, existing);
+		errToast($_("merchant.saveFailed"));
+		console.error("SaveAuthPrompt.performInitialSave failed", err);
+		throw err;
+	}
+}
+
+async function handleCreateAccount() {
+	if (creating) return;
+	creating = true;
+	try {
+		const current = await session.signUp();
+		// If the user dismissed the modal while signUp was pending, don't
+		// mutate view/show toasts — that would leak "backup" view into the
+		// next open. The account still exists locally and can be backed up
+		// via the UserMenu.
+		if (!open) return;
+		// Commit the backup view before the save attempt so a failing save
+		// can't strand a new account without the user ever seeing their
+		// credentials. performInitialSave toasts on its own errors.
+		view = "backup";
+		successToast($_(accountCreatedKey));
+		await performInitialSave(current).catch(() => {});
+	} catch (err) {
+		console.error("SaveAuthPrompt.handleCreateAccount failed", err);
+		open = false;
+		dispatch("close");
+	} finally {
+		creating = false;
+	}
+}
+
+async function handleLoginSuccess(current: Session) {
+	try {
+		const hydrated = await hydrateSavedFromServer(current.token);
+
+		// Don't save on top of a failed hydrate for this type — the local list
+		// is stale and putSavedList would wipe the user's real server-side
+		// saved list, leaving only the pending id.
+		if (!hydrated[type]) {
+			errToast($_("merchant.saveFailed"));
+			return;
+		}
+
+		// Re-read the freshly populated session so performInitialSave sees the
+		// server-side saved lists and merges (not overwrites) the new id.
+		const refreshed = get(session);
+		if (!refreshed) throw new Error("session missing after login");
+
+		await performInitialSave(refreshed);
+		open = false;
+		dispatch("close");
+	} catch (err) {
+		console.error("SaveAuthPrompt.handleLoginSuccess failed", err);
+	}
+}
+
+function handleDone() {
+	open = false;
+	dispatch("close");
+}
+</script>
+
+<Modal bind:open {title} titleId="save-auth-prompt-title">
+	{#if view === "choice"}
+		<p class="mb-6 text-sm text-body dark:text-white/70">
+			{$_(promptDescriptionKey)}
+		</p>
+		<div class="space-y-3">
+			<button
+				type="button"
+				on:click={handleCreateAccount}
+				disabled={creating}
+				class="w-full rounded-lg bg-link px-4 py-2 font-semibold text-white transition-colors hover:bg-hover disabled:opacity-50"
+			>
+				{$_("save.prompt.createAccount")}
+			</button>
+			<button
+				type="button"
+				on:click={() => (view = "login")}
+				class="w-full rounded-lg border border-link px-4 py-2 font-semibold text-link transition-colors hover:bg-link/10"
+			>
+				{$_("save.prompt.login")}
+			</button>
+		</div>
+	{:else if view === "login"}
+		<LoginForm compact onSuccess={handleLoginSuccess} />
+		<button
+			type="button"
+			on:click={() => (view = "choice")}
+			class="mt-4 text-sm text-link transition-colors hover:text-hover"
+		>
+			← {$_("save.prompt.back")}
+		</button>
+	{:else if view === "backup" && $session}
+		<p class="mb-4 text-sm text-body dark:text-white/70">
+			{$_("backup.description")}
+		</p>
+		<BackupCredentials
+			idPrefix="save-prompt"
+			username={$session.username}
+			password={$session.password}
+		/>
+		<button
+			type="button"
+			on:click={handleDone}
+			class="mt-6 w-full rounded-lg bg-link px-4 py-2 font-semibold text-white transition-colors hover:bg-hover"
+		>
+			{$_("save.prompt.done")}
+		</button>
+	{/if}
+</Modal>
diff --git a/src/components/layout/Header.svelte b/src/components/layout/Header.svelte
index 5727857e3..5cdd3e9ae 100644
--- a/src/components/layout/Header.svelte
+++ b/src/components/layout/Header.svelte
@@ -1,12 +1,11 @@
 <script lang="ts">
-import Icon from "$components/Icon.svelte";
 import NavDropdownDesktop from "$components/layout/NavDropdownDesktop.svelte";
 import NavDropdownMobile from "$components/layout/NavDropdownMobile.svelte";
+import UserMenu from "$components/layout/UserMenu.svelte";
 import ThemeToggle from "$components/ThemeToggle.svelte";
 import { _ } from "$lib/i18n";
 import IconMobileNav from "$lib/icons/IconMobileNav.svelte";
 import type { MobileNavIconName } from "$lib/icons/types";
-import { session } from "$lib/session";
 import type { DropdownLink } from "$lib/types";
 
 import { afterNavigate } from "$app/navigation";
@@ -194,16 +193,7 @@ afterNavigate(() => {
 
 	<div class="flex items-center gap-3">
 		<ThemeToggle />
-		{#if $session}
-			<a
-				href="/saved"
-				class="text-white transition-opacity hover:opacity-80"
-				aria-label={$_("nav.saved")}
-				title={$_("nav.saved")}
-			>
-				<Icon type="material" icon="bookmark_filled" w="22" h="22" />
-			</a>
-		{/if}
+		<UserMenu id="user-menu-desktop" />
 	</div>
 </header>
 
@@ -219,16 +209,7 @@ afterNavigate(() => {
 
 	<div class="flex items-center space-x-4">
 		<ThemeToggle />
-		{#if $session}
-			<a
-				href="/saved"
-				class="text-white transition-opacity hover:opacity-80"
-				aria-label={$_("nav.saved")}
-				title={$_("nav.saved")}
-			>
-				<Icon type="material" icon="bookmark_filled" w="22" h="22" />
-			</a>
-		{/if}
+		<UserMenu id="user-menu-mobile" />
 
 		<!-- menu toggle -->
 		<button on:click={() => (showMobileMenu = !showMobileMenu)}>
diff --git a/src/components/layout/UserMenu.svelte b/src/components/layout/UserMenu.svelte
new file mode 100644
index 000000000..a72f2e5f4
--- /dev/null
+++ b/src/components/layout/UserMenu.svelte
@@ -0,0 +1,99 @@
+<script lang="ts">
+import OutClick from "svelte-outclick";
+
+import BackupModal from "$components/auth/BackupModal.svelte";
+import Icon from "$components/Icon.svelte";
+import { _ } from "$lib/i18n";
+import { session } from "$lib/session";
+
+import { afterNavigate } from "$app/navigation";
+
+export let id = "user-menu";
+
+let open = false;
+let showBackup = false;
+$: triggerId = `${id}-trigger`;
+
+afterNavigate(() => {
+	open = false;
+});
+</script>
+
+<div class="relative">
+	<button
+		type="button"
+		id={triggerId}
+		on:click={() => (open = !open)}
+		class="flex h-10 w-10 items-center justify-center text-white transition-opacity hover:opacity-80"
+		aria-label={$session?.username ?? $_("nav.account")}
+		title={$session?.username ?? $_("nav.account")}
+		aria-haspopup="true"
+		aria-expanded={open}
+	>
+		<Icon
+			type="material"
+			icon={$session ? 'account_circle_filled' : 'account_circle'}
+			w="24"
+			h="24"
+		/>
+	</button>
+
+	{#if open}
+		<OutClick
+			excludeQuerySelectorAll={`#${triggerId}`}
+			on:outclick={() => (open = false)}
+		>
+			<div
+				class="absolute right-0 top-full z-50 mt-2 w-48 rounded-lg border border-gray-300 bg-white py-1 shadow-lg dark:border-white/20 dark:bg-dark"
+			>
+				{#if $session}
+					<a
+						href="/user/saved"
+						class="flex items-center gap-2 px-4 py-2 text-sm text-primary transition-colors hover:bg-gray-100 dark:text-white dark:hover:bg-white/10"
+					>
+						<Icon type="material" icon="bookmark" w="16" h="16" />
+						{$_("nav.mySaved")}
+					</a>
+
+					{#if $session.autoGenerated}
+						<button
+							type="button"
+							on:click={() => {
+								open = false;
+								showBackup = true;
+							}}
+							class="flex w-full items-center gap-2 px-4 py-2 text-sm text-primary transition-colors hover:bg-gray-100 dark:text-white dark:hover:bg-white/10"
+						>
+							<Icon type="material" icon="key" w="16" h="16" />
+							{$_("nav.backupAccount")}
+						</button>
+					{/if}
+
+					<hr class="my-1 border-gray-200 dark:border-white/10" />
+
+					<button
+						type="button"
+						on:click={() => {
+							session.clear();
+							open = false;
+						}}
+						class="flex w-full items-center gap-2 px-4 py-2 text-sm text-primary transition-colors hover:bg-gray-100 dark:text-white dark:hover:bg-white/10"
+					>
+						<Icon type="material" icon="logout" w="16" h="16" />
+						{$_("nav.logout")}
+					</button>
+				{:else}
+					<a
+						href="/login"
+						class="flex items-center gap-2 px-4 py-2 text-sm text-primary transition-colors hover:bg-gray-100 dark:text-white dark:hover:bg-white/10"
+					>
+						<Icon type="material" icon="login" w="16" h="16" />
+						{$_("nav.login")}
+					</a>
+				{/if}
+			</div>
+		</OutClick>
+	{/if}
+</div>
+
+<BackupModal bind:open={showBackup} />
diff --git a/src/lib/i18n/locales/en.json b/src/lib/i18n/locales/en.json
index 86118cf2f..a78947a31 100644
--- a/src/lib/i18n/locales/en.json
+++ b/src/lib/i18n/locales/en.json
@@ -35,7 +35,12 @@
 		"taggingIssues": "Tagging Issues",
 		"communities": "Communities",
 		"countries": "Countries",
-		"saved": "Saved"
+		"saved": "Saved",
+		"mySaved": "My Saved",
+		"account": "Account",
+		"login": "Log in",
+		"logout": "Log out",
+		"backupAccount": "Back up account"
 	},
 	"saved": {
 		"title": "My Saved",
@@ -46,6 +51,44 @@
 		"noAreas": "No saved areas yet.",
 		"loadError": "Failed to load some saved items."
 	},
+	"login": {
+		"title": "Log in",
+		"username": "Username",
+		"password": "Password",
+		"submit": "Log in",
+		"loggingIn": "Logging in...",
+		"failed": "Invalid username or password.",
+		"error": "Something went wrong. Please try again.",
+		"noAccount": "Don't have an account?",
+		"createAccount": "Create one here"
+	},
+	"backup": {
+		"title": "Back up account",
+		"description": "Save these credentials to log in on another device.",
+		"username": "Username",
+		"password": "Password",
+		"copy": "Copy",
+		"show": "Show password",
+		"hide": "Hide password",
+		"unavailable": "Not available (old account)",
+		"warning": "These credentials are the only way to recover your saved places.",
+		"copied": "Copied to clipboard",
+		"copyFailed": "Copy failed — please copy manually"
+	},
+	"save": {
+		"accountCreatedPlace": "Account created — your saved places are stored on this device.",
+		"accountCreatedArea": "Account created — your saved areas are stored on this device.",
+		"prompt": {
+			"titlePlace": "Save this place",
+			"titleArea": "Save this area",
+			"descriptionPlace": "Log in to your existing account, or create a new one to keep your saved places.",
+			"descriptionArea": "Log in to your existing account, or create a new one to keep your saved areas.",
+			"createAccount": "Create account",
+			"login": "Log in",
+			"back": "Back",
+			"done": "Done"
+		}
+	},
 	"search": {
 		"placeholderWorldwide": "Search worldwide...",
 		"placeholderNearby": "Search nearby...",
diff --git a/src/lib/savedItems.ts b/src/lib/savedItems.ts
new file mode 100644
index 000000000..8e090899e
--- /dev/null
+++ b/src/lib/savedItems.ts
@@ -0,0 +1,81 @@
+import api from "$lib/axios";
+import type { Session } from "$lib/session";
+import { session } from "$lib/session";
+
+export type SavedItemType = "place" | "area";
+
+// SvelteKit server routes that proxy to the btcmap API (avoids CORS preflight).
+const PROXY_ENDPOINTS = {
+	place: "/api/session/saved-places",
+	area: "/api/session/saved-areas",
+} as const;
+
+export async function putSavedList(
+	type: SavedItemType,
+	token: string,
+	ids: number[],
+): Promise<number[]> {
+	const res = await api.put<number[]>(PROXY_ENDPOINTS[type], ids, {
+		headers: { Authorization: `Bearer ${token}` },
+	});
+	if (!Array.isArray(res.data)) {
+		throw new Error(
+			`PUT ${PROXY_ENDPOINTS[type]} returned an unexpected response`,
+		);
+	}
+	return res.data;
+}
+
+export function setSavedList(type: SavedItemType, ids: number[]) {
+	if (type === "place") {
+		session.setSavedPlaces(ids);
+	} else {
+		session.setSavedAreas(ids);
+	}
+}
+
+export function getSavedList(s: Session | null, type: SavedItemType): number[] {
+	if (!s) return [];
+	return type === "place" ? s.savedPlaces : s.savedAreas;
+}
+
+export function toggleSavedLocal(
+	type: SavedItemType,
+	id: number,
+): number[] | null {
+	return type === "place"
+		? session.toggleSavedPlace(id)
+		: session.toggleSavedArea(id);
+}
+
+export type HydrateResult = {
+	place: boolean;
+	area: boolean;
+};
+
+// Fetches the server-side saved-places and saved-areas lists and populates
+// the session store. Uses allSettled so one failing endpoint doesn't block
+// the other; returns per-type success so callers can avoid overwriting
+// server state with a stale local list when hydration failed.
+export async function hydrateSavedFromServer(
+	token: string,
+): Promise<HydrateResult> {
+	const headers = { Authorization: `Bearer ${token}` };
+	const [placesRes, areasRes] = await Promise.allSettled([
+		api.get(PROXY_ENDPOINTS.place, { headers }),
+		api.get(PROXY_ENDPOINTS.area, { headers }),
+	]);
+	const placeOk =
+		placesRes.status === "fulfilled" && Array.isArray(placesRes.value.data);
+	const areaOk =
+		areasRes.status === "fulfilled" && Array.isArray(areasRes.value.data);
+	if (placeOk) {
+		const ids = placesRes.value.data.map((p: { id: number }) => p.id);
+		session.setSavedPlaces(ids);
+	}
+	if (areaOk) {
+		const ids = areasRes.value.data.map((a: { id: number }) => a.id);
+		session.setSavedAreas(ids);
+	}
+	return { place: placeOk, area: areaOk };
+}
diff --git a/src/lib/session.test.ts b/src/lib/session.test.ts
index de36fad7a..031ad350d 100644
--- a/src/lib/session.test.ts
+++ b/src/lib/session.test.ts
@@ -20,11 +20,15 @@ async function createTestSession() {
 // pre-populated localStorage
 function seedStorage(data: {
 	username: string;
+	password?: string;
 	token: string;
 	savedPlaces: number[];
 	savedAreas?: number[];
 }) {
-	localStorage.setItem("btcmap_session", JSON.stringify(data));
+	localStorage.setItem(
+		"btcmap_session",
+		JSON.stringify({ password: "pw", autoGenerated: true, ...data }),
+	);
 }
 
 describe("session store", () => {
@@ -119,7 +123,6 @@ describe("session store", () => {
 
 	describe("loadFromStorage backfill", () => {
 		it("backfills savedAreas when missing from old session", async () => {
-			// Simulate an old session without savedAreas
 			localStorage.setItem(
 				"btcmap_session",
 				JSON.stringify({
@@ -136,6 +139,23 @@ describe("session store", () => {
 			expect(current?.savedPlaces).toEqual([1, 2]);
 		});
 
+		it("backfills password when missing from old session", async () => {
+			localStorage.setItem(
+				"btcmap_session",
+				JSON.stringify({
+					username: "old-user",
+					token: "old-tok",
+					savedPlaces: [1],
+					savedAreas: [],
+				}),
+			);
+			const session = await createTestSession();
+			session.init();
+
+			const current = get(session);
+			expect(current?.password).toBe("");
+		});
+
 		it("returns null for invalid data", async () => {
 			localStorage.setItem("btcmap_session", "not-json");
 			const session = await createTestSession();
diff --git a/src/lib/session.ts b/src/lib/session.ts
index 31ba7f30b..7be66fd29 100644
--- a/src/lib/session.ts
+++ b/src/lib/session.ts
@@ -10,18 +10,23 @@ import api from "$lib/axios";
 // they lose access to their saved items. A backup flow (set password, link
 // Nostr) will be added later.
 //
-// SECURITY — localStorage token blast radius:
-// Storing the Bearer token in localStorage is acceptable here ONLY because
-// the account is a throwaway with no recoverable data or PII. The token
-// grants access to its own saved_places/saved_areas and nothing else.
-// DO NOT reuse this pattern for real user accounts with durable data,
-// payment info, or elevated roles — an XSS would exfiltrate the token.
-// For real accounts, migrate to httpOnly cookies or similar.
+// SECURITY — localStorage blast radius:
+// The Bearer token is always stored in localStorage. The password is
+// stored only for auto-generated accounts (so the backup modal can
+// show it). Manual logins store an empty password — the user already
+// knows their credentials. An XSS could exfiltrate the token (and
+// the password for auto-generated accounts). This is acceptable for
+// throwaway accounts with only saved_places/saved_areas data.
+// DO NOT reuse this pattern for real user accounts
+// with durable data, payment info, or elevated roles. For real
+// accounts, migrate to httpOnly cookies or similar.
 export type Session = {
 	username: string;
+	password: string;
 	token: string;
 	savedPlaces: number[];
 	savedAreas: number[];
+	autoGenerated: boolean;
 };
 
 const STORAGE_KEY = "btcmap_session";
@@ -43,6 +48,17 @@ function loadFromStorage(): Session | null {
 		if (!Array.isArray(parsed.savedAreas)) {
 			parsed.savedAreas = [];
 		}
+		// Backfill password for sessions created before backup was available.
+		// Empty string means the password is lost — the user can still use
+		// their current token but can't back up or log in on another device.
+		if (typeof parsed.password !== "string") {
+			parsed.password = "";
+		}
+		// Backfill autoGenerated for old sessions — assume auto-generated
+		// since the login flow didn't exist when they were created.
+		if (typeof parsed.autoGenerated !== "boolean") {
+			parsed.autoGenerated = true;
+		}
 		return parsed as Session;
 	} catch {
 		return null;
@@ -83,9 +99,11 @@ function createSessionStore() {
 
 		const session: Session = {
 			username,
+			password,
 			token,
 			savedPlaces: [],
 			savedAreas: [],
+			autoGenerated: true,
 		};
 		saveToStorage(session);
 		set(session);
@@ -193,6 +211,21 @@ function createSessionStore() {
 			return result;
 		},
 
+		// Replace the current session with a different account (login flow).
+		// Saved items are populated separately after login.
+		login: (username: string, password: string, token: string) => {
+			const session: Session = {
+				username,
+				password,
+				token,
+				savedPlaces: [],
+				savedAreas: [],
+				autoGenerated: false,
+			};
+			saveToStorage(session);
+			set(session);
+		},
+
 		// Clear the session (logout / forget account). No recovery.
 		clear: () => {
 			saveToStorage(null);
diff --git a/src/routes/api/session/login/+server.ts b/src/routes/api/session/login/+server.ts
new file mode 100644
index 000000000..02a5dbac9
--- /dev/null
+++ b/src/routes/api/session/login/+server.ts
@@ -0,0 +1,42 @@
+import { error, json } from "@sveltejs/kit";
+
+import api from "$lib/axios";
+
+import type { RequestHandler } from "./$types";
+
+// POST /api/session/login
+// Authenticates with username + password and returns a Bearer token.
+// Proxies POST /v4/users/{username}/tokens to avoid CORS preflight issues.
+export const POST: RequestHandler = async ({ request }) => {
+	const body = await request.json();
+	const { username, password } = body;
+
+	if (!username || typeof username !== "string" || username.length > 100) {
+		error(400, "Missing or invalid username");
+	}
+	if (!password || typeof password !== "string" || password.length > 200) {
+		error(400, "Missing or invalid password");
+	}
+
+	const tokenRes = await api
+		.post(
+			`https://api.btcmap.org/v4/users/${encodeURIComponent(username)}/tokens`,
+			{},
+			{ headers: { Authorization: `Bearer ${password}` } },
+		)
+		.catch((err) => {
+			const status = err?.response?.status;
+			if (status === 401 || status === 403) {
+				error(401, "Invalid username or password");
+			}
+			console.error("Failed to create token:", err?.response?.status);
+			error(502, "Failed to log in");
+		});
+
+	const token = tokenRes.data?.token;
+	if (typeof token !== "string") {
+		error(502, "Token creation returned no token");
+	}
+
+	return json({ token });
+};
diff --git a/src/routes/login/+page.svelte b/src/routes/login/+page.svelte
new file mode 100644
index 000000000..87347098f
--- /dev/null
+++ b/src/routes/login/+page.svelte
@@ -0,0 +1,34 @@
+<script lang="ts">
+import { onMount } from "svelte";
+
+import LoginForm from "$components/auth/LoginForm.svelte";
+import { _ } from "$lib/i18n";
+import { hydrateSavedFromServer } from "$lib/savedItems";
+import type { Session } from "$lib/session";
+import { session } from "$lib/session";
+
+import { goto } from "$app/navigation";
+
+onMount(() => {
+	session.init();
+});
+
+async function handleSuccess(current: Session) {
+	await hydrateSavedFromServer(current.token);
+	goto("/user/saved");
+}
+</script>
+
+<svelte:head>
+	<title>{$_("login.title")} | BTC Map</title>
+</svelte:head>
+
+<div class="my-10 flex justify-center md:my-20">
+	<div class="w-full max-w-sm space-y-6">
+		<h1 class="text-center text-3xl font-semibold text-primary dark:text-white">
+			{$_("login.title")}
+		</h1>
+
+		<LoginForm onSuccess={handleSuccess} />
+	</div>
+</div>
diff --git a/src/routes/saved/+page.svelte b/src/routes/user/saved/+page.svelte
similarity index 99%
rename from src/routes/saved/+page.svelte
rename to src/routes/user/saved/+page.svelte
index 4b859e31c..d54473a5a 100644
--- a/src/routes/saved/+page.svelte
+++ b/src/routes/user/saved/+page.svelte
@@ -38,7 +38,7 @@ onMount(async () => {
 	session.init();
 
 	if (!$session) {
-		goto("/map");
+		goto("/login");
 		return;
 	}