diff --git a/app/(auth)/forgot-password/page.tsx b/app/(auth)/forgot-password/page.tsx
new file mode 100644
index 000000000..2965abf95
--- /dev/null
+++ b/app/(auth)/forgot-password/page.tsx
@@ -0,0 +1,143 @@
+"use client";
+
+import Link from "next/link";
+import { useState } from "react";
+import { z } from "zod";
+import { toast } from "sonner";
+
+import { Button } from "@/components/ui/button";
+import { Input } from "@/components/ui/input";
+import { Label } from "@/components/ui/label";
+import { cn } from "@/lib/utils";
+
+export default function ForgotPasswordPage() {
+  const [email, setEmail] = useState<string>("");
+  const [isLoading, setIsLoading] = useState<boolean>(false);
+  const [isSubmitted, setIsSubmitted] = useState<boolean>(false);
+
+  const emailSchema = z.string().email("Invalid email address").toLowerCase();
+  const emailValidation = emailSchema.safeParse(email);
+
+  const handleSubmit = async (e: React.FormEvent) => {
+    e.preventDefault();
+
+    if (!emailValidation.success) {
+      toast.error(emailValidation.error.errors[0].message);
+      return;
+    }
+
+    setIsLoading(true);
+
+    try {
+      const response = await fetch("/api/auth/forgot-password", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ email: emailValidation.data }),
+      });
+
+      const data = await response.json();
+
+      if (response.ok) {
+        setIsSubmitted(true);
+        toast.success("If an account with this email exists, you will receive a password reset email.");
+      } else {
+        toast.error(data.error || "Something went wrong");
+      }
+    } catch (error) {
+      toast.error("Network error. Please try again.");
+    } finally {
+      setIsLoading(false);
+    }
+  };
+
+  if (isSubmitted) {
+    return (
+      <div className="flex h-screen w-full justify-center">
+        <div className="z-10 mx-5 mt-[calc(20vh)] h-fit w-full max-w-md overflow-hidden rounded-lg border border-border bg-gray-50 dark:bg-gray-900 sm:mx-0 sm:shadow-xl">
+          <div className="flex flex-col items-center justify-center space-y-3 px-4 py-6 pt-8 text-center sm:px-16">
+            <div className="mb-4">
+              <img
+                src="/_static/papermark-logo.svg"
+                alt="Papermark Logo"
+                className="h-8 w-auto"
+              />
+            </div>
+            <h3 className="text-2xl font-medium text-foreground">
+              Check your email
+            </h3>
+            <p className="text-sm text-gray-600 text-center">
+              If an account with the email <strong>{email}</strong> exists, we've sent you a password reset link.
+            </p>
+            <p className="text-sm text-gray-600">
+              The link will expire in 15 minutes for security reasons.
+            </p>
+            <div className="pt-4">
+              <Link href="/login" className="text-sm text-gray-900 underline hover:text-gray-700">
+                Back to sign in
+              </Link>
+            </div>
+          </div>
+        </div>
+      </div>
+    );
+  }
+
+  return (
+    <div className="flex h-screen w-full justify-center">
+      <div className="z-10 mx-5 mt-[calc(20vh)] h-fit w-full max-w-md overflow-hidden rounded-lg border border-border bg-gray-50 dark:bg-gray-900 sm:mx-0 sm:shadow-xl">
+        <div className="flex flex-col items-center justify-center space-y-3 px-4 py-6 pt-8 text-center sm:px-16">
+          <div className="mb-4">
+            <img
+              src="/_static/papermark-logo.svg"
+              alt="Papermark Logo"
+              className="h-8 w-auto"
+            />
+          </div>
+          <h3 className="text-2xl font-medium text-foreground">
+            Forgot your password?
+          </h3>
+          <p className="text-sm text-gray-600">
+            Enter your email address and we'll send you a link to reset your password.
+          </p>
+        </div>
+
+        <form
+          className="flex flex-col gap-4 p-4 pt-8 sm:px-16"
+          onSubmit={handleSubmit}
+        >
+          <div>
+            <Label htmlFor="email" className="sr-only">
+              Email
+            </Label>
+            <Input
+              id="email"
+              type="email"
+              placeholder="Enter your email"
+              value={email}
+              onChange={(e) => setEmail(e.target.value)}
+              disabled={isLoading}
+              className={cn(
+                "border-2",
+                email.length > 0 && !emailValidation.success ? "border-red-500" : ""
+              )}
+            />
+          </div>
+
+          <Button
+            type="submit"
+            disabled={isLoading || !emailValidation.success}
+            loading={isLoading}
+          >
+            Send reset link
+          </Button>
+
+          <div className="text-center">
+            <Link href="/login" className="text-sm text-gray-600 hover:text-gray-800 underline">
+              Back to sign in
+            </Link>
+          </div>
+        </form>
+      </div>
+    </div>
+  );
+}
\ No newline at end of file
diff --git a/app/(auth)/login/page-client.tsx b/app/(auth)/login/page-client.tsx
index 28eca7bb3..8b050685d 100644
--- a/app/(auth)/login/page-client.tsx
+++ b/app/(auth)/login/page-client.tsx
@@ -11,6 +11,8 @@ import { toast } from "sonner";
 import { z } from "zod";
 
 import { cn } from "@/lib/utils";
+import Eye from "@/components/shared/icons/eye";
+import EyeOff from "@/components/shared/icons/eye-off";
 
 import { LastUsed, useLastUsed } from "@/components/hooks/useLastUsed";
 import Google from "@/components/shared/icons/google";
@@ -25,15 +27,18 @@ export default function Login() {
   const { next } = useParams as { next?: string };
 
   const [lastUsed, setLastUsed] = useLastUsed();
-  const authMethods = ["google", "email", "linkedin", "passkey"] as const;
+  const authMethods = ["password", "google", "email", "linkedin", "passkey"] as const;
   type AuthMethod = (typeof authMethods)[number];
   const [clickedMethod, setClickedMethod] = useState<AuthMethod | undefined>(
     undefined,
   );
   const [email, setEmail] = useState<string>("");
+  const [password, setPassword] = useState<string>("");
   const [emailButtonText, setEmailButtonText] = useState<string>(
     "Continue with Email",
   );
+  const [showPassword, setShowPassword] = useState<boolean>(false);
+  const [isPasswordMode, setIsPasswordMode] = useState<boolean>(false);
 
   const emailSchema = z
     .string()
@@ -77,23 +82,46 @@ export default function Login() {
                 return;
               }
 
-              setClickedMethod("email");
-              signIn("email", {
-                email: emailValidation.data,
-                redirect: false,
-                ...(next && next.length > 0 ? { callbackUrl: next } : {}),
-              }).then((res) => {
-                if (res?.ok && !res?.error) {
-                  setEmail("");
-                  setLastUsed("credentials");
-                  setEmailButtonText("Email sent - check your inbox!");
-                  toast.success("Email sent - check your inbox!");
-                } else {
-                  setEmailButtonText("Error sending email - try again?");
-                  toast.error("Error sending email - try again?");
+              if (isPasswordMode) {
+                if (!password) {
+                  toast.error("Password is required");
+                  return;
                 }
-                setClickedMethod(undefined);
-              });
+                
+                setClickedMethod("password");
+                signIn("credentials", {
+                  email: emailValidation.data,
+                  password,
+                  redirect: false,
+                  ...(next && next.length > 0 ? { callbackUrl: next } : {}),
+                }).then((res) => {
+                  if (res?.ok && !res?.error) {
+                    setLastUsed("password");
+                    // Redirect will happen automatically
+                  } else {
+                    toast.error(res?.error || "Invalid credentials");
+                  }
+                  setClickedMethod(undefined);
+                });
+              } else {
+                setClickedMethod("email");
+                signIn("email", {
+                  email: emailValidation.data,
+                  redirect: false,
+                  ...(next && next.length > 0 ? { callbackUrl: next } : {}),
+                }).then((res) => {
+                  if (res?.ok && !res?.error) {
+                    setEmail("");
+                    setLastUsed("credentials");
+                    setEmailButtonText("Email sent - check your inbox!");
+                    toast.success("Email sent - check your inbox!");
+                  } else {
+                    setEmailButtonText("Error sending email - try again?");
+                    toast.error("Error sending email - try again?");
+                  }
+                  setClickedMethod(undefined);
+                });
+              }
             }}
           >
             <Label className="sr-only" htmlFor="email">
@@ -117,22 +145,82 @@ export default function Login() {
                   : "ring-gray-200",
               )}
             />
+            
+            {isPasswordMode && (
+              <div className="relative">
+                <Label className="sr-only" htmlFor="password">
+                  Password
+                </Label>
+                <Input
+                  id="password"
+                  placeholder="Enter your password"
+                  type={showPassword ? "text" : "password"}
+                  autoComplete="current-password"
+                  disabled={clickedMethod === "password"}
+                  value={password}
+                  onChange={(e) => setPassword(e.target.value)}
+                  className={cn(
+                    "flex h-10 w-full rounded-md border-0 bg-background bg-white px-3 py-2 text-sm text-gray-900 ring-1 ring-gray-200 transition-colors file:border-0 file:bg-transparent file:text-sm file:font-medium placeholder:text-muted-foreground focus-visible:outline-none focus-visible:ring-1 focus-visible:ring-ring disabled:cursor-not-allowed disabled:opacity-50 dark:bg-white",
+                  )}
+                />
+                <button
+                  type="button"
+                  onClick={() => setShowPassword(!showPassword)}
+                  className="absolute inset-y-0 right-0 flex items-center pr-3"
+                >
+                  {showPassword ? (
+                    <Eye className="h-4 w-4 text-muted-foreground" aria-hidden="true" />
+                  ) : (
+                    <EyeOff className="h-4 w-4 text-muted-foreground" aria-hidden="true" />
+                  )}
+                </button>
+              </div>
+            )}
+
             <div className="relative">
               <Button
                 type="submit"
-                loading={clickedMethod === "email"}
-                disabled={!emailValidation.success || !!clickedMethod}
+                loading={clickedMethod === "email" || clickedMethod === "password"}
+                disabled={!emailValidation.success || (isPasswordMode && !password) || !!clickedMethod}
                 className={cn(
                   "focus:shadow-outline w-full transform rounded px-4 py-2 text-white transition-colors duration-300 ease-in-out focus:outline-none",
-                  clickedMethod === "email"
+                  clickedMethod === "email" || clickedMethod === "password"
                     ? "bg-black"
                     : "bg-gray-800 hover:bg-gray-900",
                 )}
               >
-                {emailButtonText}
+                {isPasswordMode ? "Sign In" : emailButtonText}
               </Button>
-              {lastUsed === "credentials" && <LastUsed />}
+              {(lastUsed === "credentials" || lastUsed === "password") && <LastUsed />}
             </div>
+
+            {isPasswordMode && (
+              <div className="text-center">
+                <button
+                  type="button"
+                  onClick={() => setIsPasswordMode(false)}
+                  className="text-sm text-gray-600 hover:text-gray-800 underline"
+                >
+                  Use magic link instead
+                </button>
+                <span className="mx-2 text-gray-400">|</span>
+                <Link href="/forgot-password" className="text-sm text-gray-600 hover:text-gray-800 underline">
+                  Forgot password?
+                </Link>
+              </div>
+            )}
+
+            {!isPasswordMode && (
+              <div className="text-center">
+                <button
+                  type="button"
+                  onClick={() => setIsPasswordMode(true)}
+                  className="text-sm text-gray-600 hover:text-gray-800 underline"
+                >
+                  Use password instead
+                </button>
+              </div>
+            )}
           </form>
           <p className="py-4 text-center">or</p>
           <div className="flex flex-col space-y-2 px-4 sm:px-12">
@@ -202,6 +290,15 @@ export default function Login() {
               </Button>
             </div>
           </div>
+          <div className="mt-6 text-center">
+            <p className="text-sm text-gray-600">
+              Don't have an account?{" "}
+              <Link href="/register" className="font-medium text-gray-900 underline hover:text-gray-700">
+                Sign up
+              </Link>
+            </p>
+          </div>
+          
           <p className="mt-10 w-full max-w-md px-4 text-xs text-muted-foreground sm:px-12">
             By clicking continue, you acknowledge that you have read and agree
             to Papermark&apos;s{" "}
diff --git a/app/(auth)/register/page-client.tsx b/app/(auth)/register/page-client.tsx
index 74ed3887f..38b128263 100644
--- a/app/(auth)/register/page-client.tsx
+++ b/app/(auth)/register/page-client.tsx
@@ -5,19 +5,39 @@ import Link from "next/link";
 import { useParams } from "next/navigation";
 
 import { useState } from "react";
+import { z } from "zod";
 
 import PapermarkLogo from "@/public/_static/papermark-logo.svg";
 import { signIn } from "next-auth/react";
 import { toast } from "sonner";
 
+import Eye from "@/components/shared/icons/eye";
+import EyeOff from "@/components/shared/icons/eye-off";
 import LinkedIn from "@/components/shared/icons/linkedin";
 import { Button } from "@/components/ui/button";
 import { Input } from "@/components/ui/input";
+import { Label } from "@/components/ui/label";
+import { cn } from "@/lib/utils";
 
 export default function Register() {
   const { next } = useParams as { next?: string };
 
   const [email, setEmail] = useState<string>("");
+  const [name, setName] = useState<string>("");
+  const [password, setPassword] = useState<string>("");
+  const [showPassword, setShowPassword] = useState<boolean>(false);
+  const [verificationCode, setVerificationCode] = useState<string>("");
+  const [isLoading, setIsLoading] = useState<boolean>(false);
+  const [step, setStep] = useState<'signup' | 'verify'>('signup');
+  const [usePassword, setUsePassword] = useState<boolean>(true);
+
+  const emailSchema = z.string().email("Invalid email address").toLowerCase();
+  const nameSchema = z.string().min(1, "Name is required").max(50, "Name too long");
+  const passwordSchema = z.string().min(8, "Password must be at least 8 characters");
+
+  const emailValidation = emailSchema.safeParse(email);
+  const nameValidation = nameSchema.safeParse(name);
+  const passwordValidation = passwordSchema.safeParse(password);
 
   return (
     <div className="flex h-screen w-full justify-center">
@@ -47,64 +67,279 @@ export default function Register() {
             Start sharing documents
           </h3>
         </div>
-        <form
-          className="flex flex-col gap-4 p-4 pt-8 sm:px-16"
-          onSubmit={(e) => {
-            e.preventDefault();
-            signIn("email", {
-              email: email,
-              redirect: false,
-              ...(next && next.length > 0 ? { callbackUrl: next } : {}),
-            }).then((res) => {
-              if (res?.ok && !res?.error) {
-                setEmail("");
-                toast.success("Email sent - check your inbox!");
-              } else {
-                toast.error("Error sending email - try again?");
-              }
-            });
-          }}
-        >
-          <Input
-            className="border-4"
-            placeholder="jsmith@company.co"
-            value={email}
-            onChange={(e) => setEmail(e.target.value)}
-          />
-          <Button type="submit">Continue with Email</Button>
-        </form>
-        <p className="text-center">or</p>
-        <div className="flex flex-col space-y-2 px-4 py-8 sm:px-16">
-          <Button
-            onClick={() => {
-              signIn("google", {
-                ...(next && next.length > 0 ? { callbackUrl: next } : {}),
-              });
-            }}
-            className="flex items-center justify-center space-x-2"
-          >
-            <svg
-              xmlns="http://www.w3.org/2000/svg"
-              viewBox="0 0 488 512"
-              fill="currentColor"
-              className="h-4 w-4"
+        {step === 'signup' && (
+          <>
+            {usePassword ? (
+              <form
+                className="flex flex-col gap-4 p-4 pt-8 sm:px-16"
+                onSubmit={async (e) => {
+                  e.preventDefault();
+                  
+                  if (!nameValidation.success) {
+                    toast.error(nameValidation.error.errors[0].message);
+                    return;
+                  }
+                  
+                  if (!emailValidation.success) {
+                    toast.error(emailValidation.error.errors[0].message);
+                    return;
+                  }
+                  
+                  if (!passwordValidation.success) {
+                    toast.error(passwordValidation.error.errors[0].message);
+                    return;
+                  }
+
+                  setIsLoading(true);
+
+                  try {
+                    const response = await fetch("/api/auth/signup", {
+                      method: "POST",
+                      headers: { "Content-Type": "application/json" },
+                      body: JSON.stringify({ name, email, password }),
+                    });
+
+                    const data = await response.json();
+
+                    if (response.ok) {
+                      toast.success("Account created! Please check your email for verification code.");
+                      setStep('verify');
+                    } else {
+                      toast.error(data.error || "Something went wrong");
+                    }
+                  } catch (error) {
+                    toast.error("Network error. Please try again.");
+                  } finally {
+                    setIsLoading(false);
+                  }
+                }}
+              >
+                <div>
+                  <Label htmlFor="name" className="sr-only">Name</Label>
+                  <Input
+                    id="name"
+                    placeholder="Your full name"
+                    value={name}
+                    onChange={(e) => setName(e.target.value)}
+                    disabled={isLoading}
+                    className={cn(
+                      "border-2",
+                      name.length > 0 && !nameValidation.success ? "border-red-500" : ""
+                    )}
+                  />
+                </div>
+
+                <div>
+                  <Label htmlFor="email" className="sr-only">Email</Label>
+                  <Input
+                    id="email"
+                    type="email"
+                    placeholder="jsmith@company.co"
+                    value={email}
+                    onChange={(e) => setEmail(e.target.value)}
+                    disabled={isLoading}
+                    className={cn(
+                      "border-2",
+                      email.length > 0 && !emailValidation.success ? "border-red-500" : ""
+                    )}
+                  />
+                </div>
+
+                <div className="relative">
+                  <Label htmlFor="password" className="sr-only">Password</Label>
+                  <Input
+                    id="password"
+                    type={showPassword ? "text" : "password"}
+                    placeholder="Create a password (8+ characters)"
+                    value={password}
+                    onChange={(e) => setPassword(e.target.value)}
+                    disabled={isLoading}
+                    className={cn(
+                      "border-2 pr-10",
+                      password.length > 0 && !passwordValidation.success ? "border-red-500" : ""
+                    )}
+                  />
+                  <button
+                    type="button"
+                    onClick={() => setShowPassword(!showPassword)}
+                    className="absolute inset-y-0 right-0 flex items-center pr-3"
+                  >
+                    {showPassword ? (
+                      <Eye className="h-4 w-4 text-muted-foreground" aria-hidden="true" />
+                    ) : (
+                      <EyeOff className="h-4 w-4 text-muted-foreground" aria-hidden="true" />
+                    )}
+                  </button>
+                </div>
+
+                <Button 
+                  type="submit" 
+                  disabled={isLoading || !nameValidation.success || !emailValidation.success || !passwordValidation.success}
+                  loading={isLoading}
+                >
+                  Create Account
+                </Button>
+              </form>
+            ) : (
+              <form
+                className="flex flex-col gap-4 p-4 pt-8 sm:px-16"
+                onSubmit={(e) => {
+                  e.preventDefault();
+                  signIn("email", {
+                    email: email,
+                    redirect: false,
+                    ...(next && next.length > 0 ? { callbackUrl: next } : {}),
+                  }).then((res) => {
+                    if (res?.ok && !res?.error) {
+                      setEmail("");
+                      toast.success("Email sent - check your inbox!");
+                    } else {
+                      toast.error("Error sending email - try again?");
+                    }
+                  });
+                }}
+              >
+                <Input
+                  className="border-2"
+                  placeholder="jsmith@company.co"
+                  value={email}
+                  onChange={(e) => setEmail(e.target.value)}
+                />
+                <Button type="submit">Continue with Email</Button>
+              </form>
+            )}
+
+            <div className="text-center px-4 sm:px-16">
+              <button
+                type="button"
+                onClick={() => setUsePassword(!usePassword)}
+                className="text-sm text-gray-600 hover:text-gray-800 underline"
+              >
+                {usePassword ? "Use magic link instead" : "Use password instead"}
+              </button>
+            </div>
+          </>
+        )}
+
+        {step === 'verify' && (
+          <div className="p-4 pt-8 sm:px-16">
+            <div className="text-center mb-6">
+              <h4 className="text-lg font-medium text-foreground mb-2">Verify your email</h4>
+              <p className="text-sm text-gray-600">
+                We sent a 6-digit code to <strong>{email}</strong>
+              </p>
+            </div>
+
+            <form
+              className="flex flex-col gap-4"
+              onSubmit={async (e) => {
+                e.preventDefault();
+                
+                if (verificationCode.length !== 6) {
+                  toast.error("Please enter a 6-digit verification code");
+                  return;
+                }
+
+                setIsLoading(true);
+
+                try {
+                  const response = await fetch("/api/auth/verify-email", {
+                    method: "POST",
+                    headers: { "Content-Type": "application/json" },
+                    body: JSON.stringify({ email, code: verificationCode }),
+                  });
+
+                  const data = await response.json();
+
+                  if (response.ok) {
+                    toast.success("Email verified! You can now sign in.");
+                    // Redirect to login page
+                    window.location.href = "/login" + (next ? `?next=${encodeURIComponent(next)}` : "");
+                  } else {
+                    toast.error(data.error || "Invalid verification code");
+                  }
+                } catch (error) {
+                  toast.error("Network error. Please try again.");
+                } finally {
+                  setIsLoading(false);
+                }
+              }}
             >
-              <path d="M488 261.8C488 403.3 391.1 504 248 504 110.8 504 0 393.2 0 256S110.8 8 248 8c66.8 0 123 24.5 166.3 64.9l-67.5 64.9C258.5 52.6 94.3 116.6 94.3 256c0 86.5 69.1 156.6 153.7 156.6 98.2 0 135-70.4 140.8-106.9H248v-85.3h236.1c2.3 12.7 3.9 24.9 3.9 41.4z" />
-            </svg>
-            <span>Continue with Google</span>
-          </Button>
-          <Button
-            onClick={() => {
-              signIn("linkedin", {
-                ...(next && next.length > 0 ? { callbackUrl: next } : {}),
-              });
-            }}
-            className="flex items-center justify-center space-x-2"
-          >
-            <LinkedIn />
-            <span>Continue with LinkedIn</span>
-          </Button>
-        </div>
+              <div>
+                <Label htmlFor="verificationCode" className="sr-only">Verification Code</Label>
+                <Input
+                  id="verificationCode"
+                  placeholder="Enter 6-digit code"
+                  value={verificationCode}
+                  onChange={(e) => setVerificationCode(e.target.value.replace(/\D/g, '').slice(0, 6))}
+                  disabled={isLoading}
+                  className="border-2 text-center text-lg tracking-widest"
+                  maxLength={6}
+                />
+              </div>
+
+              <Button type="submit" disabled={isLoading || verificationCode.length !== 6} loading={isLoading}>
+                Verify Email
+              </Button>
+
+              <div className="text-center">
+                <button
+                  type="button"
+                  onClick={() => setStep('signup')}
+                  className="text-sm text-gray-600 hover:text-gray-800 underline"
+                >
+                  Back to sign up
+                </button>
+              </div>
+            </form>
+          </div>
+        )}
+
+        {step === 'signup' && (
+          <>
+            <p className="text-center">or</p>
+            <div className="flex flex-col space-y-2 px-4 py-8 sm:px-16">
+              <Button
+                onClick={() => {
+                  signIn("google", {
+                    ...(next && next.length > 0 ? { callbackUrl: next } : {}),
+                  });
+                }}
+                className="flex items-center justify-center space-x-2"
+              >
+                <svg
+                  xmlns="http://www.w3.org/2000/svg"
+                  viewBox="0 0 488 512"
+                  fill="currentColor"
+                  className="h-4 w-4"
+                >
+                  <path d="M488 261.8C488 403.3 391.1 504 248 504 110.8 504 0 393.2 0 256S110.8 8 248 8c66.8 0 123 24.5 166.3 64.9l-67.5 64.9C258.5 52.6 94.3 116.6 94.3 256c0 86.5 69.1 156.6 153.7 156.6 98.2 0 135-70.4 140.8-106.9H248v-85.3h236.1c2.3 12.7 3.9 24.9 3.9 41.4z" />
+                </svg>
+                <span>Continue with Google</span>
+              </Button>
+              <Button
+                onClick={() => {
+                  signIn("linkedin", {
+                    ...(next && next.length > 0 ? { callbackUrl: next } : {}),
+                  });
+                }}
+                className="flex items-center justify-center space-x-2"
+              >
+                <LinkedIn />
+                <span>Continue with LinkedIn</span>
+              </Button>
+            </div>
+
+            <div className="text-center px-4 sm:px-16">
+              <p className="text-sm text-gray-600">
+                Already have an account?{" "}
+                <Link href="/login" className="font-medium text-gray-900 underline hover:text-gray-700">
+                  Sign in
+                </Link>
+              </p>
+            </div>
+          </>
+        )}
       </div>
     </div>
   );
diff --git a/app/(auth)/reset-password/page.tsx b/app/(auth)/reset-password/page.tsx
new file mode 100644
index 000000000..0e81892b4
--- /dev/null
+++ b/app/(auth)/reset-password/page.tsx
@@ -0,0 +1,222 @@
+"use client";
+
+import Link from "next/link";
+import { useRouter, useSearchParams } from "next/navigation";
+import { useState, useEffect } from "react";
+import { z } from "zod";
+import { toast } from "sonner";
+
+import { Button } from "@/components/ui/button";
+import { Input } from "@/components/ui/input";
+import { Label } from "@/components/ui/label";
+import Eye from "@/components/shared/icons/eye";
+import EyeOff from "@/components/shared/icons/eye-off";
+import { cn } from "@/lib/utils";
+
+export default function ResetPasswordPage() {
+  const router = useRouter();
+  const searchParams = useSearchParams();
+  const token = searchParams.get("token");
+
+  const [password, setPassword] = useState<string>("");
+  const [confirmPassword, setConfirmPassword] = useState<string>("");
+  const [showPassword, setShowPassword] = useState<boolean>(false);
+  const [showConfirmPassword, setShowConfirmPassword] = useState<boolean>(false);
+  const [isLoading, setIsLoading] = useState<boolean>(false);
+  const [isSuccess, setIsSuccess] = useState<boolean>(false);
+
+  const passwordSchema = z.string().min(8, "Password must be at least 8 characters");
+  const passwordValidation = passwordSchema.safeParse(password);
+  const passwordsMatch = password === confirmPassword && confirmPassword.length > 0;
+
+  useEffect(() => {
+    if (!token) {
+      router.push("/forgot-password");
+    }
+  }, [token, router]);
+
+  const handleSubmit = async (e: React.FormEvent) => {
+    e.preventDefault();
+
+    if (!passwordValidation.success) {
+      toast.error(passwordValidation.error.errors[0].message);
+      return;
+    }
+
+    if (!passwordsMatch) {
+      toast.error("Passwords do not match");
+      return;
+    }
+
+    if (!token) {
+      toast.error("Invalid reset token");
+      return;
+    }
+
+    setIsLoading(true);
+
+    try {
+      const response = await fetch("/api/auth/reset-password", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ token, password }),
+      });
+
+      const data = await response.json();
+
+      if (response.ok) {
+        setIsSuccess(true);
+        toast.success("Password reset successfully!");
+      } else {
+        toast.error(data.error || "Something went wrong");
+      }
+    } catch (error) {
+      toast.error("Network error. Please try again.");
+    } finally {
+      setIsLoading(false);
+    }
+  };
+
+  if (!token) {
+    return (
+      <div className="flex h-screen w-full justify-center items-center">
+        <div className="text-center">
+          <p className="text-gray-600">Invalid or missing reset token</p>
+          <Link href="/forgot-password" className="text-blue-600 underline">
+            Request a new password reset
+          </Link>
+        </div>
+      </div>
+    );
+  }
+
+  if (isSuccess) {
+    return (
+      <div className="flex h-screen w-full justify-center">
+        <div className="z-10 mx-5 mt-[calc(20vh)] h-fit w-full max-w-md overflow-hidden rounded-lg border border-border bg-gray-50 dark:bg-gray-900 sm:mx-0 sm:shadow-xl">
+          <div className="flex flex-col items-center justify-center space-y-3 px-4 py-6 pt-8 text-center sm:px-16">
+            <div className="mb-4">
+              <img
+                src="/_static/papermark-logo.svg"
+                alt="Papermark Logo"
+                className="h-8 w-auto"
+              />
+            </div>
+            <h3 className="text-2xl font-medium text-foreground">
+              Password reset successful!
+            </h3>
+            <p className="text-sm text-gray-600">
+              Your password has been successfully reset. You can now sign in with your new password.
+            </p>
+            <div className="pt-4">
+              <Button asChild>
+                <Link href="/login">
+                  Sign in
+                </Link>
+              </Button>
+            </div>
+          </div>
+        </div>
+      </div>
+    );
+  }
+
+  return (
+    <div className="flex h-screen w-full justify-center">
+      <div className="z-10 mx-5 mt-[calc(20vh)] h-fit w-full max-w-md overflow-hidden rounded-lg border border-border bg-gray-50 dark:bg-gray-900 sm:mx-0 sm:shadow-xl">
+        <div className="flex flex-col items-center justify-center space-y-3 px-4 py-6 pt-8 text-center sm:px-16">
+          <div className="mb-4">
+            <img
+              src="/_static/papermark-logo.svg"
+              alt="Papermark Logo"
+              className="h-8 w-auto"
+            />
+          </div>
+          <h3 className="text-2xl font-medium text-foreground">
+            Set new password
+          </h3>
+          <p className="text-sm text-gray-600">
+            Enter your new password below.
+          </p>
+        </div>
+
+        <form
+          className="flex flex-col gap-4 p-4 pt-8 sm:px-16"
+          onSubmit={handleSubmit}
+        >
+          <div className="relative">
+            <Label htmlFor="password" className="sr-only">
+              New Password
+            </Label>
+            <Input
+              id="password"
+              type={showPassword ? "text" : "password"}
+              placeholder="Enter new password (8+ characters)"
+              value={password}
+              onChange={(e) => setPassword(e.target.value)}
+              disabled={isLoading}
+              className={cn(
+                "border-2 pr-10",
+                password.length > 0 && !passwordValidation.success ? "border-red-500" : ""
+              )}
+            />
+            <button
+              type="button"
+              onClick={() => setShowPassword(!showPassword)}
+              className="absolute inset-y-0 right-0 flex items-center pr-3"
+            >
+              {showPassword ? (
+                <Eye className="h-4 w-4 text-muted-foreground" aria-hidden="true" />
+              ) : (
+                <EyeOff className="h-4 w-4 text-muted-foreground" aria-hidden="true" />
+              )}
+            </button>
+          </div>
+
+          <div className="relative">
+            <Label htmlFor="confirmPassword" className="sr-only">
+              Confirm Password
+            </Label>
+            <Input
+              id="confirmPassword"
+              type={showConfirmPassword ? "text" : "password"}
+              placeholder="Confirm new password"
+              value={confirmPassword}
+              onChange={(e) => setConfirmPassword(e.target.value)}
+              disabled={isLoading}
+              className={cn(
+                "border-2 pr-10",
+                confirmPassword.length > 0 && !passwordsMatch ? "border-red-500" : ""
+              )}
+            />
+            <button
+              type="button"
+              onClick={() => setShowConfirmPassword(!showConfirmPassword)}
+              className="absolute inset-y-0 right-0 flex items-center pr-3"
+            >
+              {showConfirmPassword ? (
+                <Eye className="h-4 w-4 text-muted-foreground" aria-hidden="true" />
+              ) : (
+                <EyeOff className="h-4 w-4 text-muted-foreground" aria-hidden="true" />
+              )}
+            </button>
+          </div>
+
+          <Button
+            type="submit"
+            disabled={isLoading || !passwordValidation.success || !passwordsMatch}
+            loading={isLoading}
+          >
+            Reset password
+          </Button>
+
+          <div className="text-center">
+            <Link href="/login" className="text-sm text-gray-600 hover:text-gray-800 underline">
+              Back to sign in
+            </Link>
+          </div>
+        </form>
+      </div>
+    </div>
+  );
+}
\ No newline at end of file
diff --git a/components/emails/password-reset.tsx b/components/emails/password-reset.tsx
new file mode 100644
index 000000000..477179c5d
--- /dev/null
+++ b/components/emails/password-reset.tsx
@@ -0,0 +1,86 @@
+import React from "react";
+
+import {
+  Body,
+  Button,
+  Container,
+  Head,
+  Heading,
+  Html,
+  Preview,
+  Section,
+  Tailwind,
+  Text,
+} from "@react-email/components";
+
+export default function PasswordResetEmail({
+  resetUrl = "https://papermark.com/reset-password?token=example",
+  name = "User",
+}: {
+  resetUrl: string;
+  name: string;
+}) {
+  const previewText = `Reset your Papermark password`;
+
+  return (
+    <Html>
+      <Head />
+      <Preview>{previewText}</Preview>
+      <Tailwind>
+        <Body className="mx-auto my-auto bg-white font-sans">
+          <Container className="mx-auto my-[40px] w-[465px] rounded border border-solid border-[#eaeaea] p-[20px]">
+            <Section className="mt-[32px]">
+              <Text className="mx-0 mb-8 mt-4 p-0 text-center text-2xl font-normal">
+                <span className="font-bold tracking-tighter">Papermark</span>
+              </Text>
+            </Section>
+
+            <Heading className="mx-0 my-[30px] p-0 text-center text-[24px] font-normal text-black">
+              Reset your password
+            </Heading>
+
+            <Text className="text-[14px] leading-[24px] text-black">
+              Hello {name},
+            </Text>
+
+            <Text className="text-[14px] leading-[24px] text-black">
+              We received a request to reset your password for your Papermark account.
+            </Text>
+
+            <Text className="text-[14px] leading-[24px] text-black">
+              Click the button below to set a new password:
+            </Text>
+
+            <Section className="mb-[32px] mt-[32px] text-center">
+              <Button
+                className="rounded bg-black px-5 py-3 text-center text-[12px] font-semibold text-white no-underline"
+                href={resetUrl}
+              >
+                Reset Password
+              </Button>
+            </Section>
+
+            <Text className="text-[14px] leading-[24px] text-black">
+              If you didn't request this password reset, you can safely ignore this email.
+              This link will expire in 15 minutes for security reasons.
+            </Text>
+
+            <Text className="text-[14px] leading-[24px] text-black">
+              If the button doesn't work, you can also copy and paste the following link into your browser:
+            </Text>
+
+            <Text className="text-[12px] leading-[20px] text-gray-500 break-all">
+              {resetUrl}
+            </Text>
+
+            <Text className="text-[14px] leading-[24px] text-black">
+              Best regards,
+              <br />
+              The Papermark Team
+            </Text>
+          </Container>
+        </Body>
+      </Tailwind>
+    </Html>
+  );
+}
\ No newline at end of file
diff --git a/lib/emails/send-password-reset.ts b/lib/emails/send-password-reset.ts
new file mode 100644
index 000000000..61faf4cc7
--- /dev/null
+++ b/lib/emails/send-password-reset.ts
@@ -0,0 +1,29 @@
+import { sendEmail } from "@/lib/resend";
+
+import PasswordResetEmail from "@/components/emails/password-reset";
+
+export const sendPasswordResetEmail = async ({
+  email,
+  resetUrl,
+  name,
+}: {
+  email: string;
+  resetUrl: string;
+  name: string;
+}) => {
+  const emailTemplate = PasswordResetEmail({
+    resetUrl,
+    name,
+  });
+
+  try {
+    await sendEmail({
+      to: email,
+      subject: "Reset your Papermark password",
+      react: emailTemplate,
+      test: process.env.NODE_ENV === "development",
+    });
+  } catch (e) {
+    console.error(e);
+  }
+};
\ No newline at end of file
diff --git a/pages/account/security.tsx b/pages/account/security.tsx
index adb9cc02b..f21efde8f 100644
--- a/pages/account/security.tsx
+++ b/pages/account/security.tsx
@@ -1,15 +1,19 @@
 import { NextPage } from "next";
 
-import { useState } from "react";
+import { useState, useEffect } from "react";
+import { z } from "zod";
 
 import {
   type CredentialCreationOptionsJSON,
   create,
 } from "@github/webauthn-json";
-import { Trash2 } from "lucide-react";
+import { Trash2, Lock } from "lucide-react";
 import { toast } from "sonner";
 
 import { usePasskeys } from "@/lib/swr/use-passkeys";
+import Eye from "@/components/shared/icons/eye";
+import EyeOff from "@/components/shared/icons/eye-off";
+import { cn } from "@/lib/utils";
 
 import { AccountHeader } from "@/components/account/account-header";
 import AppLayout from "@/components/layouts/app";
@@ -26,11 +30,120 @@ import {
   AlertDialogTrigger,
 } from "@/components/ui/alert-dialog";
 import { Button } from "@/components/ui/button";
+import { Input } from "@/components/ui/input";
+import { Label } from "@/components/ui/label";
 
 const ProfilePage: NextPage = () => {
   const [isLoading, setIsLoading] = useState(false);
   const { passkeys, loading: isLoadingPasskeys, mutate } = usePasskeys();
 
+  // Password management state
+  const [hasPassword, setHasPassword] = useState<boolean | null>(null);
+  const [isPasswordLoading, setIsPasswordLoading] = useState(false);
+  const [currentPassword, setCurrentPassword] = useState("");
+  const [newPassword, setNewPassword] = useState("");
+  const [confirmPassword, setConfirmPassword] = useState("");
+  const [showCurrentPassword, setShowCurrentPassword] = useState(false);
+  const [showNewPassword, setShowNewPassword] = useState(false);
+  const [showConfirmPassword, setShowConfirmPassword] = useState(false);
+
+  const passwordSchema = z.string().min(8, "Password must be at least 8 characters");
+  const passwordValidation = passwordSchema.safeParse(newPassword);
+  const passwordsMatch = newPassword === confirmPassword && confirmPassword.length > 0;
+
+  // Check if user has password set
+  useEffect(() => {
+    async function checkPasswordStatus() {
+      try {
+        const response = await fetch("/api/account/password");
+        const data = await response.json();
+        setHasPassword(data.hasPassword);
+      } catch (error) {
+        console.error("Error checking password status:", error);
+      }
+    }
+    checkPasswordStatus();
+  }, []);
+
+  async function setPassword() {
+    if (!passwordValidation.success) {
+      toast.error(passwordValidation.error.errors[0].message);
+      return;
+    }
+
+    if (!passwordsMatch) {
+      toast.error("Passwords do not match");
+      return;
+    }
+
+    setIsPasswordLoading(true);
+
+    try {
+      const response = await fetch("/api/account/password", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ newPassword }),
+      });
+
+      const data = await response.json();
+
+      if (response.ok) {
+        toast.success("Password set successfully!");
+        setHasPassword(true);
+        setNewPassword("");
+        setConfirmPassword("");
+      } else {
+        toast.error(data.error || "Failed to set password");
+      }
+    } catch (error) {
+      toast.error("Network error. Please try again.");
+    } finally {
+      setIsPasswordLoading(false);
+    }
+  }
+
+  async function changePassword() {
+    if (!currentPassword) {
+      toast.error("Current password is required");
+      return;
+    }
+
+    if (!passwordValidation.success) {
+      toast.error(passwordValidation.error.errors[0].message);
+      return;
+    }
+
+    if (!passwordsMatch) {
+      toast.error("Passwords do not match");
+      return;
+    }
+
+    setIsPasswordLoading(true);
+
+    try {
+      const response = await fetch("/api/account/password", {
+        method: "PUT",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ currentPassword, newPassword }),
+      });
+
+      const data = await response.json();
+
+      if (response.ok) {
+        toast.success("Password changed successfully!");
+        setCurrentPassword("");
+        setNewPassword("");
+        setConfirmPassword("");
+      } else {
+        toast.error(data.error || "Failed to change password");
+      }
+    } catch (error) {
+      toast.error("Network error. Please try again.");
+    } finally {
+      setIsPasswordLoading(false);
+    }
+  }
+
   async function registerPasskey() {
     setIsLoading(true);
     const createOptionsResponse = await fetch("/api/passkeys/register", {
@@ -97,6 +210,136 @@ const ProfilePage: NextPage = () => {
       <main className="relative mx-2 mb-10 mt-4 space-y-8 overflow-hidden px-1 sm:mx-3 md:mx-5 md:mt-5 lg:mx-7 lg:mt-8 xl:mx-10">
         <AccountHeader />
         <div className="space-y-6">
+          {/* Password Management Section */}
+          {hasPassword !== null && (
+            <div className="rounded-lg border border-muted p-10">
+              <div className="space-y-6">
+                <div className="space-y-3">
+                  <div className="flex items-center space-x-2">
+                    <Lock className="h-5 w-5" />
+                    <h2 className="text-xl font-medium">
+                      {hasPassword ? "Change password" : "Set password"}
+                    </h2>
+                  </div>
+                  <p className="mt-3 text-sm text-muted-foreground">
+                    {hasPassword
+                      ? "Update your current password for enhanced security."
+                      : "Set a password to enable password-based login alongside your existing sign-in methods."}
+                  </p>
+                </div>
+
+                <div className="space-y-4 max-w-md">
+                  {hasPassword && (
+                    <div className="relative">
+                      <Label htmlFor="currentPassword" className="text-sm font-medium">
+                        Current Password
+                      </Label>
+                      <div className="relative mt-1">
+                        <Input
+                          id="currentPassword"
+                          type={showCurrentPassword ? "text" : "password"}
+                          value={currentPassword}
+                          onChange={(e) => setCurrentPassword(e.target.value)}
+                          disabled={isPasswordLoading}
+                          className="pr-10"
+                          placeholder="Enter current password"
+                        />
+                        <button
+                          type="button"
+                          onClick={() => setShowCurrentPassword(!showCurrentPassword)}
+                          className="absolute inset-y-0 right-0 flex items-center pr-3"
+                        >
+                          {showCurrentPassword ? (
+                            <Eye className="h-4 w-4 text-muted-foreground" />
+                          ) : (
+                            <EyeOff className="h-4 w-4 text-muted-foreground" />
+                          )}
+                        </button>
+                      </div>
+                    </div>
+                  )}
+
+                  <div className="relative">
+                    <Label htmlFor="newPassword" className="text-sm font-medium">
+                      {hasPassword ? "New Password" : "Password"}
+                    </Label>
+                    <div className="relative mt-1">
+                      <Input
+                        id="newPassword"
+                        type={showNewPassword ? "text" : "password"}
+                        value={newPassword}
+                        onChange={(e) => setNewPassword(e.target.value)}
+                        disabled={isPasswordLoading}
+                        className={cn(
+                          "pr-10",
+                          newPassword.length > 0 && !passwordValidation.success ? "border-red-500" : ""
+                        )}
+                        placeholder="Enter new password (8+ characters)"
+                      />
+                      <button
+                        type="button"
+                        onClick={() => setShowNewPassword(!showNewPassword)}
+                        className="absolute inset-y-0 right-0 flex items-center pr-3"
+                      >
+                        {showNewPassword ? (
+                          <Eye className="h-4 w-4 text-muted-foreground" />
+                        ) : (
+                          <EyeOff className="h-4 w-4 text-muted-foreground" />
+                        )}
+                      </button>
+                    </div>
+                  </div>
+
+                  <div className="relative">
+                    <Label htmlFor="confirmPassword" className="text-sm font-medium">
+                      Confirm Password
+                    </Label>
+                    <div className="relative mt-1">
+                      <Input
+                        id="confirmPassword"
+                        type={showConfirmPassword ? "text" : "password"}
+                        value={confirmPassword}
+                        onChange={(e) => setConfirmPassword(e.target.value)}
+                        disabled={isPasswordLoading}
+                        className={cn(
+                          "pr-10",
+                          confirmPassword.length > 0 && !passwordsMatch ? "border-red-500" : ""
+                        )}
+                        placeholder="Confirm new password"
+                      />
+                      <button
+                        type="button"
+                        onClick={() => setShowConfirmPassword(!showConfirmPassword)}
+                        className="absolute inset-y-0 right-0 flex items-center pr-3"
+                      >
+                        {showConfirmPassword ? (
+                          <Eye className="h-4 w-4 text-muted-foreground" />
+                        ) : (
+                          <EyeOff className="h-4 w-4 text-muted-foreground" />
+                        )}
+                      </button>
+                    </div>
+                  </div>
+
+                  <Button
+                    onClick={hasPassword ? changePassword : setPassword}
+                    disabled={
+                      isPasswordLoading ||
+                      !passwordValidation.success ||
+                      !passwordsMatch ||
+                      (hasPassword && !currentPassword)
+                    }
+                    loading={isPasswordLoading}
+                    className="flex items-center space-x-2"
+                  >
+                    <Lock className="h-4 w-4" />
+                    <span>{hasPassword ? "Change Password" : "Set Password"}</span>
+                  </Button>
+                </div>
+              </div>
+            </div>
+          )}
+
           {/* Register Passkey Section */}
           <div className="rounded-lg border border-muted p-10">
             <div className="space-y-6">
diff --git a/pages/api/account/password.ts b/pages/api/account/password.ts
new file mode 100644
index 000000000..5c1fac984
--- /dev/null
+++ b/pages/api/account/password.ts
@@ -0,0 +1,154 @@
+import { NextApiRequest, NextApiResponse } from "next";
+import { getServerSession } from "next-auth";
+import { z } from "zod";
+
+import { authOptions } from "@/pages/api/auth/[...nextauth]";
+import { hashPassword, checkPassword } from "@/lib/utils";
+import prisma from "@/lib/prisma";
+import { ratelimit } from "@/lib/ratelimit";
+import { CustomUser } from "@/lib/types";
+
+const setPasswordSchema = z.object({
+  currentPassword: z.string().optional(),
+  newPassword: z.string().min(8, "Password must be at least 8 characters"),
+});
+
+const changePasswordSchema = z.object({
+  currentPassword: z.string().min(1, "Current password is required"),
+  newPassword: z.string().min(8, "New password must be at least 8 characters"),
+});
+
+export default async function handler(
+  req: NextApiRequest,
+  res: NextApiResponse,
+) {
+  const session = await getServerSession(req, res, authOptions);
+  if (!session?.user) {
+    return res.status(401).json({ error: "Unauthorized" });
+  }
+
+  const sessionUser = session.user as CustomUser;
+
+  // Rate limiting: 5 password operations per hour per user
+  const { success } = await ratelimit(5, "1 h").limit(
+    `password-change:${sessionUser.id}`,
+  );
+
+  if (!success) {
+    return res.status(429).json({
+      error: "Too many password change attempts. Please try again later.",
+    });
+  }
+
+  if (req.method === "POST") {
+    // Set password for users who don't have one (e.g., users who signed up with OAuth)
+    try {
+      const user = await prisma.user.findUnique({
+        where: { id: sessionUser.id },
+      });
+
+      if (!user) {
+        return res.status(404).json({ error: "User not found" });
+      }
+
+      if (user.password) {
+        // User already has a password, they need to use the PUT method to change it
+        return res.status(400).json({
+          error: "User already has a password. Use password change instead.",
+        });
+      }
+
+      const { newPassword } = setPasswordSchema.parse(req.body);
+      const hashedPassword = await hashPassword(newPassword);
+
+      await prisma.user.update({
+        where: { id: sessionUser.id },
+        data: { password: hashedPassword },
+      });
+
+      return res.status(200).json({ message: "Password set successfully" });
+    } catch (error) {
+      console.error("Set password error:", error);
+
+      if (error instanceof z.ZodError) {
+        return res.status(400).json({
+          error: error.errors[0].message,
+        });
+      }
+
+      return res.status(500).json({
+        error: "Internal server error",
+      });
+    }
+  }
+
+  if (req.method === "PUT") {
+    // Change existing password
+    try {
+      const user = await prisma.user.findUnique({
+        where: { id: sessionUser.id },
+      });
+
+      if (!user) {
+        return res.status(404).json({ error: "User not found" });
+      }
+
+      if (!user.password) {
+        return res.status(400).json({
+          error: "User doesn't have a password set. Use password setting instead.",
+        });
+      }
+
+      const { currentPassword, newPassword } = changePasswordSchema.parse(req.body);
+
+      // Verify current password
+      const isValidPassword = await checkPassword(currentPassword, user.password);
+      if (!isValidPassword) {
+        return res.status(400).json({ error: "Current password is incorrect" });
+      }
+
+      // Hash new password and update
+      const hashedPassword = await hashPassword(newPassword);
+      await prisma.user.update({
+        where: { id: sessionUser.id },
+        data: { password: hashedPassword },
+      });
+
+      return res.status(200).json({ message: "Password changed successfully" });
+    } catch (error) {
+      console.error("Change password error:", error);
+
+      if (error instanceof z.ZodError) {
+        return res.status(400).json({
+          error: error.errors[0].message,
+        });
+      }
+
+      return res.status(500).json({
+        error: "Internal server error",
+      });
+    }
+  }
+
+  if (req.method === "GET") {
+    // Check if user has a password set
+    try {
+      const user = await prisma.user.findUnique({
+        where: { id: sessionUser.id },
+        select: { password: true },
+      });
+
+      return res.status(200).json({
+        hasPassword: !!user?.password,
+      });
+    } catch (error) {
+      console.error("Check password status error:", error);
+      return res.status(500).json({
+        error: "Internal server error",
+      });
+    }
+  }
+
+  res.setHeader("Allow", ["GET", "POST", "PUT"]);
+  return res.status(405).json({ error: "Method not allowed" });
+}
\ No newline at end of file
diff --git a/pages/api/auth/[...nextauth].ts b/pages/api/auth/[...nextauth].ts
index 4b4639f13..e7c7f2d39 100644
--- a/pages/api/auth/[...nextauth].ts
+++ b/pages/api/auth/[...nextauth].ts
@@ -1,6 +1,7 @@
 import { PrismaAdapter } from "@next-auth/prisma-adapter";
 import PasskeyProvider from "@teamhanko/passkeys-next-auth-provider";
 import NextAuth, { type NextAuthOptions } from "next-auth";
+import CredentialsProvider from "next-auth/providers/credentials";
 import EmailProvider from "next-auth/providers/email";
 import GoogleProvider from "next-auth/providers/google";
 import LinkedInProvider from "next-auth/providers/linkedin";
@@ -14,6 +15,7 @@ import prisma from "@/lib/prisma";
 import { CreateUserEmailProps, CustomUser } from "@/lib/types";
 import { subscribe } from "@/lib/unsend";
 import { generateChecksum } from "@/lib/utils/generate-checksum";
+import { checkPassword } from "@/lib/utils";
 
 const VERCEL_DEPLOYMENT = !!process.env.VERCEL_URL;
 
@@ -34,6 +36,43 @@ export const authOptions: NextAuthOptions = {
     error: "/login",
   },
   providers: [
+    CredentialsProvider({
+      name: "credentials",
+      credentials: {
+        email: { label: "Email", type: "email" },
+        password: { label: "Password", type: "password" }
+      },
+      async authorize(credentials) {
+        if (!credentials?.email || !credentials?.password) {
+          throw new Error("Email and password required");
+        }
+
+        const user = await prisma.user.findUnique({
+          where: { email: credentials.email.toLowerCase() },
+        });
+
+        if (!user || !user.password) {
+          throw new Error("No user found with this email or user has no password set");
+        }
+
+        const isPasswordValid = await checkPassword(credentials.password, user.password);
+        if (!isPasswordValid) {
+          throw new Error("Invalid password");
+        }
+
+        if (!user.emailVerified) {
+          throw new Error("Email not verified. Please check your email for verification code.");
+        }
+
+        return {
+          id: user.id,
+          email: user.email,
+          name: user.name,
+          image: user.image,
+          emailVerified: user.emailVerified,
+        };
+      },
+    }),
     GoogleProvider({
       clientId: process.env.GOOGLE_CLIENT_ID as string,
       clientSecret: process.env.GOOGLE_CLIENT_SECRET as string,
diff --git a/pages/api/auth/forgot-password.ts b/pages/api/auth/forgot-password.ts
new file mode 100644
index 000000000..5a0aea59a
--- /dev/null
+++ b/pages/api/auth/forgot-password.ts
@@ -0,0 +1,92 @@
+import { NextApiRequest, NextApiResponse } from "next";
+import { z } from "zod";
+import { nanoid } from "nanoid";
+
+import prisma from "@/lib/prisma";
+import { ratelimit } from "@/lib/ratelimit";
+import { sendPasswordResetEmail } from "@/lib/emails/send-password-reset";
+
+const forgotPasswordSchema = z.object({
+  email: z.string().email("Invalid email address").toLowerCase(),
+});
+
+export default async function handler(
+  req: NextApiRequest,
+  res: NextApiResponse,
+) {
+  if (req.method !== "POST") {
+    res.setHeader("Allow", ["POST"]);
+    return res.status(405).json({ error: "Method not allowed" });
+  }
+
+  try {
+    const { email } = forgotPasswordSchema.parse(req.body);
+
+    // Rate limiting: 3 password reset requests per hour per email
+    const { success } = await ratelimit(3, "1 h").limit(
+      `password-reset:${email}`,
+    );
+
+    if (!success) {
+      return res.status(429).json({
+        error: "Too many password reset requests. Please try again later.",
+      });
+    }
+
+    // Find user
+    const user = await prisma.user.findUnique({
+      where: { email },
+    });
+
+    // Always return success to prevent email enumeration
+    if (!user || !user.password) {
+      // Still return success but don't send email
+      return res.status(200).json({
+        message: "If an account with this email exists, you will receive a password reset email.",
+      });
+    }
+
+    // Delete any existing password reset tokens for this user
+    await prisma.passwordResetToken.deleteMany({
+      where: { userId: user.id },
+    });
+
+    // Generate reset token
+    const resetToken = nanoid(32);
+    const expires = new Date(Date.now() + 15 * 60 * 1000); // 15 minutes
+
+    // Create password reset token
+    await prisma.passwordResetToken.create({
+      data: {
+        userId: user.id,
+        token: resetToken,
+        expires,
+      },
+    });
+
+    // Send password reset email
+    const resetUrl = `${process.env.NEXTAUTH_URL}/reset-password?token=${resetToken}`;
+    await sendPasswordResetEmail({
+      email,
+      resetUrl,
+      name: user.name || "there",
+    });
+
+    return res.status(200).json({
+      message: "If an account with this email exists, you will receive a password reset email.",
+    });
+
+  } catch (error) {
+    console.error("Forgot password error:", error);
+
+    if (error instanceof z.ZodError) {
+      return res.status(400).json({
+        error: error.errors[0].message,
+      });
+    }
+
+    return res.status(500).json({
+      error: "Internal server error. Please try again.",
+    });
+  }
+}
\ No newline at end of file
diff --git a/pages/api/auth/reset-password.ts b/pages/api/auth/reset-password.ts
new file mode 100644
index 000000000..daa1fe125
--- /dev/null
+++ b/pages/api/auth/reset-password.ts
@@ -0,0 +1,94 @@
+import { NextApiRequest, NextApiResponse } from "next";
+import { z } from "zod";
+
+import prisma from "@/lib/prisma";
+import { hashPassword } from "@/lib/utils";
+import { ratelimit } from "@/lib/ratelimit";
+
+const resetPasswordSchema = z.object({
+  token: z.string().min(1, "Reset token is required"),
+  password: z.string().min(8, "Password must be at least 8 characters"),
+});
+
+export default async function handler(
+  req: NextApiRequest,
+  res: NextApiResponse,
+) {
+  if (req.method !== "POST") {
+    res.setHeader("Allow", ["POST"]);
+    return res.status(405).json({ error: "Method not allowed" });
+  }
+
+  try {
+    const { token, password } = resetPasswordSchema.parse(req.body);
+
+    // Rate limiting: 5 password reset attempts per hour per IP
+    const { success } = await ratelimit(5, "1 h").limit(
+      `reset-password:${req.headers["x-forwarded-for"] || req.connection.remoteAddress}`,
+    );
+
+    if (!success) {
+      return res.status(429).json({
+        error: "Too many password reset attempts. Please try again later.",
+      });
+    }
+
+    // Find and validate reset token
+    const resetTokenRecord = await prisma.passwordResetToken.findUnique({
+      where: { token },
+      include: { user: true },
+    });
+
+    if (!resetTokenRecord) {
+      return res.status(400).json({
+        error: "Invalid or expired reset token",
+      });
+    }
+
+    // Check if token is expired
+    if (resetTokenRecord.expires < new Date()) {
+      // Delete expired token
+      await prisma.passwordResetToken.delete({
+        where: { id: resetTokenRecord.id },
+      });
+
+      return res.status(400).json({
+        error: "Reset token has expired. Please request a new password reset.",
+      });
+    }
+
+    // Hash the new password
+    const hashedPassword = await hashPassword(password);
+
+    // Update user password and ensure email is verified
+    await prisma.user.update({
+      where: { id: resetTokenRecord.userId },
+      data: {
+        password: hashedPassword,
+        emailVerified: resetTokenRecord.user.emailVerified || new Date(), // Verify email if not already verified
+      },
+    });
+
+    // Delete the used reset token
+    await prisma.passwordResetToken.delete({
+      where: { id: resetTokenRecord.id },
+    });
+
+    return res.status(200).json({
+      message: "Password reset successfully",
+    });
+
+  } catch (error) {
+    console.error("Reset password error:", error);
+
+    if (error instanceof z.ZodError) {
+      return res.status(400).json({
+        error: error.errors[0].message,
+      });
+    }
+
+    return res.status(500).json({
+      error: "Internal server error. Please try again.",
+    });
+  }
+}
\ No newline at end of file
diff --git a/pages/api/auth/signup.ts b/pages/api/auth/signup.ts
new file mode 100644
index 000000000..fa68f938e
--- /dev/null
+++ b/pages/api/auth/signup.ts
@@ -0,0 +1,126 @@
+import { NextApiRequest, NextApiResponse } from "next";
+import { z } from "zod";
+import { nanoid } from "nanoid";
+
+import { hashPassword } from "@/lib/utils";
+import { ratelimit } from "@/lib/ratelimit";
+import { sendOtpVerificationEmail } from "@/lib/emails/send-email-otp-verification";
+import { redis } from "@/lib/redis";
+import prisma from "@/lib/prisma";
+
+const signupSchema = z.object({
+  name: z.string().min(1, "Name is required").max(50, "Name too long"),
+  email: z.string().email("Invalid email address").toLowerCase(),
+  password: z.string().min(8, "Password must be at least 8 characters"),
+});
+
+export default async function handler(
+  req: NextApiRequest,
+  res: NextApiResponse,
+) {
+  if (req.method !== "POST") {
+    res.setHeader("Allow", ["POST"]);
+    return res.status(405).json({ error: "Method not allowed" });
+  }
+
+  try {
+    const { name, email, password } = signupSchema.parse(req.body);
+
+    // Rate limiting: 3 signup attempts per hour per IP
+    const { success } = await ratelimit(3, "1 h").limit(
+      `signup:${req.headers["x-forwarded-for"] || req.connection.remoteAddress}`,
+    );
+
+    if (!success) {
+      return res.status(429).json({
+        error: "Too many signup attempts. Please try again later.",
+      });
+    }
+
+    // Check if user already exists
+    const existingUser = await prisma.user.findUnique({
+      where: { email },
+    });
+
+    if (existingUser) {
+      if (existingUser.emailVerified) {
+        return res.status(400).json({
+          error: "User with this email already exists",
+        });
+      } else {
+        // User exists but email not verified, update their data and resend verification
+        const hashedPassword = await hashPassword(password);
+        await prisma.user.update({
+          where: { email },
+          data: {
+            name,
+            password: hashedPassword,
+          },
+        });
+
+        // Generate new verification code
+        const verificationCode = Math.floor(100000 + Math.random() * 900000).toString();
+        
+        // Store verification code in Redis (expires in 15 minutes)
+        await redis.set(
+          `email-verification:${email}`,
+          verificationCode,
+          { ex: 15 * 60 }
+        );
+
+        // Send verification email
+        await sendOtpVerificationEmail(email, verificationCode, false, "");
+
+        return res.status(200).json({
+          message: "Verification email sent. Please check your inbox.",
+          requiresVerification: true,
+        });
+      }
+    }
+
+    // Hash the password
+    const hashedPassword = await hashPassword(password);
+
+    // Create user
+    const user = await prisma.user.create({
+      data: {
+        name,
+        email,
+        password: hashedPassword,
+        emailVerified: null, // Will be set when email is verified
+      },
+    });
+
+    // Generate verification code
+    const verificationCode = Math.floor(100000 + Math.random() * 900000).toString();
+    
+    // Store verification code in Redis (expires in 15 minutes)
+    await redis.set(
+      `email-verification:${email}`,
+      verificationCode,
+      { ex: 15 * 60 }
+    );
+
+    // Send verification email
+    await sendOtpVerificationEmail(email, verificationCode, false, "");
+
+    return res.status(201).json({
+      message: "Account created successfully. Please check your email for verification code.",
+      requiresVerification: true,
+      userId: user.id,
+    });
+
+  } catch (error) {
+    console.error("Signup error:", error);
+
+    if (error instanceof z.ZodError) {
+      return res.status(400).json({
+        error: error.errors[0].message,
+      });
+    }
+
+    return res.status(500).json({
+      error: "Internal server error. Please try again.",
+    });
+  }
+}
\ No newline at end of file
diff --git a/pages/api/auth/verify-email.ts b/pages/api/auth/verify-email.ts
new file mode 100644
index 000000000..deebd980f
--- /dev/null
+++ b/pages/api/auth/verify-email.ts
@@ -0,0 +1,85 @@
+import { NextApiRequest, NextApiResponse } from "next";
+import { z } from "zod";
+
+import { redis } from "@/lib/redis";
+import prisma from "@/lib/prisma";
+import { ratelimit } from "@/lib/ratelimit";
+
+const verifyEmailSchema = z.object({
+  email: z.string().email("Invalid email address").toLowerCase(),
+  code: z.string().length(6, "Verification code must be 6 digits"),
+});
+
+export default async function handler(
+  req: NextApiRequest,
+  res: NextApiResponse,
+) {
+  if (req.method !== "POST") {
+    res.setHeader("Allow", ["POST"]);
+    return res.status(405).json({ error: "Method not allowed" });
+  }
+
+  try {
+    const { email, code } = verifyEmailSchema.parse(req.body);
+
+    // Rate limiting: 5 verification attempts per hour per email
+    const { success } = await ratelimit(5, "1 h").limit(
+      `email-verification:${email}`,
+    );
+
+    if (!success) {
+      return res.status(429).json({
+        error: "Too many verification attempts. Please try again later.",
+      });
+    }
+
+    // Get verification code from Redis
+    const storedCode = await redis.get(`email-verification:${email}`);
+
+    if (!storedCode || storedCode !== code) {
+      return res.status(400).json({
+        error: "Invalid or expired verification code",
+      });
+    }
+
+    // Find user
+    const user = await prisma.user.findUnique({
+      where: { email },
+    });
+
+    if (!user) {
+      return res.status(404).json({
+        error: "User not found",
+      });
+    }
+
+    // Mark email as verified
+    await prisma.user.update({
+      where: { email },
+      data: {
+        emailVerified: new Date(),
+      },
+    });
+
+    // Remove verification code from Redis
+    await redis.del(`email-verification:${email}`);
+
+    return res.status(200).json({
+      message: "Email verified successfully",
+      verified: true,
+    });
+
+  } catch (error) {
+    console.error("Email verification error:", error);
+
+    if (error instanceof z.ZodError) {
+      return res.status(400).json({
+        error: error.errors[0].message,
+      });
+    }
+
+    return res.status(500).json({
+      error: "Internal server error. Please try again.",
+    });
+  }
+}
\ No newline at end of file
diff --git a/prisma/schema/schema.prisma b/prisma/schema/schema.prisma
index d6fb1a0be..8259ad544 100644
--- a/prisma/schema/schema.prisma
+++ b/prisma/schema/schema.prisma
@@ -42,6 +42,7 @@ model User {
   name           String?
   email          String?    @unique
   emailVerified  DateTime?
+  password       String?    // For email/password authentication
   image          String?
   createdAt      DateTime   @default(now())
   accounts       Account[]
@@ -58,6 +59,7 @@ model User {
   endsAt         DateTime? // Stripe subscription end date
 
   restrictedTokens RestrictedToken[]
+  passwordResetTokens PasswordResetToken[]
 
   // conversation
   participatedConversations ConversationParticipant[]
@@ -84,6 +86,19 @@ model VerificationToken {
   @@unique([identifier, token])
 }
 
+model PasswordResetToken {
+  id         String   @id @default(cuid())
+  userId     String
+  token      String   @unique
+  expires    DateTime
+  createdAt  DateTime @default(now())
+  
+  user       User     @relation(fields: [userId], references: [id], onDelete: Cascade)
+  
+  @@index([token])
+  @@index([userId])
+}
+
 model Document {
   id                   String              @id @default(cuid())
   name                 String