diff --git a/TODO.txt b/TODO.txt
index c9a269a..46b9c2f 100644
--- a/TODO.txt
+++ b/TODO.txt
@@ -21,6 +21,7 @@ Milestone: v0.2.0
     [x] Username validation
     [x] Password hashing
     [x] User API
+[x] Password login
 
 [x] Document MemoryHexDump()
 [x] Document DbExists()
diff --git a/src/Matrix.c b/src/Matrix.c
index 5a0ab2e..701e8a1 100644
--- a/src/Matrix.c
+++ b/src/Matrix.c
@@ -302,14 +302,11 @@ MatrixErrorCreate(MatrixError errorArg)
 }
 
 HashMap *
-MatrixAuthenticate(HttpServerContext * context, Db * db)
+MatrixGetAccessToken(HttpServerContext * context, char **accessToken)
 {
     HashMap *params;
     char *token;
 
-    (void) db;                     /* Silence warning about unused var;
-                                    * we'll use it eventually. */
-
     params = HttpRequestHeaders(context);
     token = HashMapGet(params, "authorization");
 
@@ -345,8 +342,7 @@ MatrixAuthenticate(HttpServerContext * context, Db * db)
         }
     }
 
-    /* TODO: Check that "token" is actually valid */
-
+    *accessToken = token;
     return NULL;
 }
 
diff --git a/src/User.c b/src/User.c
index b302cc2..48f1d34 100644
--- a/src/User.c
+++ b/src/User.c
@@ -118,6 +118,52 @@ UserLock(Db * db, char *name)
     return user;
 }
 
+User *
+UserAuthenticate(Db * db, char *accessToken)
+{
+    User *user;
+    DbRef *atRef;
+
+    char *userName;
+    char *deviceId;
+    long expires;
+
+    if (!db || !accessToken)
+    {
+        return NULL;
+    }
+
+    atRef = DbLock(db, 3, "tokens", "access", accessToken);
+    if (!atRef)
+    {
+        return NULL;
+    }
+
+    userName = JsonValueAsString(HashMapGet(DbJson(atRef), "user"));
+    deviceId = JsonValueAsString(HashMapGet(DbJson(atRef), "device"));
+    expires = JsonValueAsInteger(HashMapGet(DbJson(atRef), "expires"));
+
+    user = UserLock(db, userName);
+    if (!user)
+    {
+        DbUnlock(db, atRef);
+        return NULL;
+    }
+
+    if (UtilServerTs() >= (unsigned long) expires)
+    {
+        UserUnlock(user);
+        DbUnlock(db, atRef);
+        return NULL;
+    }
+
+    /* TODO: Attach deviceId to User */
+    (void) deviceId;
+
+    DbUnlock(db, atRef);
+    return user;
+}
+
 int
 UserUnlock(User * user)
 {
diff --git a/src/include/Matrix.h b/src/include/Matrix.h
index 3d5bae8..98d0f4a 100644
--- a/src/include/Matrix.h
+++ b/src/include/Matrix.h
@@ -81,7 +81,7 @@ extern HashMap *
  MatrixErrorCreate(MatrixError);
 
 extern HashMap *
- MatrixAuthenticate(HttpServerContext *, Db *);
+ MatrixGetAccessToken(HttpServerContext *, char **);
 
 extern HashMap *
  MatrixRateLimit(HttpServerContext *, Db *);
diff --git a/src/include/User.h b/src/include/User.h
index a4bbc40..80d0039 100644
--- a/src/include/User.h
+++ b/src/include/User.h
@@ -51,6 +51,9 @@ extern User *
 extern User *
  UserLock(Db *, char *name);
 
+extern User *
+ UserAuthenticate(Db *, char *accessToken);
+
 extern int
  UserUnlock(User *);