diff --git a/apps/bff/src/modules/auth/get-started/get-started.module.ts b/apps/bff/src/modules/auth/get-started/get-started.module.ts
new file mode 100644
index 00000000..67cc3ba9
--- /dev/null
+++ b/apps/bff/src/modules/auth/get-started/get-started.module.ts
@@ -0,0 +1,67 @@
+import { Module } from "@nestjs/common";
+import { UsersModule } from "@bff/modules/users/users.module.js";
+import { MappingsModule } from "@bff/modules/id-mappings/mappings.module.js";
+import { IntegrationsModule } from "@bff/integrations/integrations.module.js";
+import { WorkflowModule } from "@bff/modules/shared/workflow/index.js";
+import { TokensModule } from "../tokens/tokens.module.js";
+import { OtpModule } from "../otp/otp.module.js";
+// Coordinator
+import { GetStartedCoordinator } from "../infra/workflows/get-started-coordinator.service.js";
+// Workflow services
+import { VerificationWorkflowService } from "../infra/workflows/verification-workflow.service.js";
+import { GuestEligibilityWorkflowService } from "../infra/workflows/guest-eligibility-workflow.service.js";
+import { NewCustomerSignupWorkflowService } from "../infra/workflows/new-customer-signup-workflow.service.js";
+import { SfCompletionWorkflowService } from "../infra/workflows/sf-completion-workflow.service.js";
+import { WhmcsMigrationWorkflowService } from "../infra/workflows/whmcs-migration-workflow.service.js";
+// Signup shared services
+import { SignupAccountResolverService } from "../infra/workflows/signup/signup-account-resolver.service.js";
+import { SignupValidationService } from "../infra/workflows/signup/signup-validation.service.js";
+import { SignupWhmcsService } from "../infra/workflows/signup/signup-whmcs.service.js";
+import { SignupUserCreationService } from "../infra/workflows/signup/signup-user-creation.service.js";
+// Step services
+import {
+  ResolveSalesforceAccountStep,
+  CreateWhmcsClientStep,
+  CreatePortalUserStep,
+  UpdateSalesforceFlagsStep,
+  GenerateAuthResultStep,
+  CreateEligibilityCaseStep,
+} from "../infra/workflows/steps/index.js";
+// Controller
+import { GetStartedController } from "../presentation/http/get-started.controller.js";
+
+@Module({
+  imports: [
+    TokensModule,
+    OtpModule,
+    UsersModule,
+    MappingsModule,
+    IntegrationsModule,
+    WorkflowModule,
+  ],
+  controllers: [GetStartedController],
+  providers: [
+    // Coordinator
+    GetStartedCoordinator,
+    // Workflow services
+    VerificationWorkflowService,
+    GuestEligibilityWorkflowService,
+    NewCustomerSignupWorkflowService,
+    SfCompletionWorkflowService,
+    WhmcsMigrationWorkflowService,
+    // Signup shared services
+    SignupAccountResolverService,
+    SignupValidationService,
+    SignupWhmcsService,
+    SignupUserCreationService,
+    // Step services
+    ResolveSalesforceAccountStep,
+    CreateWhmcsClientStep,
+    CreatePortalUserStep,
+    UpdateSalesforceFlagsStep,
+    GenerateAuthResultStep,
+    CreateEligibilityCaseStep,
+  ],
+  exports: [GetStartedCoordinator],
+})
+export class GetStartedModule {}
diff --git a/apps/bff/src/modules/auth/login/login.module.ts b/apps/bff/src/modules/auth/login/login.module.ts
new file mode 100644
index 00000000..c76b3470
--- /dev/null
+++ b/apps/bff/src/modules/auth/login/login.module.ts
@@ -0,0 +1,37 @@
+import { Module } from "@nestjs/common";
+
+import { UsersModule } from "@bff/modules/users/users.module.js";
+import { TokensModule } from "../tokens/tokens.module.js";
+import { SessionsModule } from "../sessions/sessions.module.js";
+import { OtpModule } from "../otp/otp.module.js";
+import { SharedAuthModule } from "../shared/shared-auth.module.js";
+
+import { AuthLoginService } from "../application/auth-login.service.js";
+import { LoginOtpWorkflowService } from "../infra/workflows/login-otp-workflow.service.js";
+import { FailedLoginThrottleGuard } from "../presentation/http/guards/failed-login-throttle.guard.js";
+import { LoginResultInterceptor } from "../presentation/http/interceptors/login-result.interceptor.js";
+
+/**
+ * Login Module
+ *
+ * Owns credential validation, login OTP workflow, and login-specific
+ * guards/interceptors. Imports TokensModule, SessionsModule, and OtpModule
+ * for token generation, session management, and OTP verification.
+ *
+ */
+@Module({
+  imports: [TokensModule, SessionsModule, OtpModule, UsersModule, SharedAuthModule],
+  providers: [
+    AuthLoginService,
+    LoginOtpWorkflowService,
+    FailedLoginThrottleGuard,
+    LoginResultInterceptor,
+  ],
+  exports: [
+    AuthLoginService,
+    LoginOtpWorkflowService,
+    FailedLoginThrottleGuard,
+    LoginResultInterceptor,
+  ],
+})
+export class LoginModule {}
diff --git a/apps/bff/src/modules/auth/otp/otp.module.ts b/apps/bff/src/modules/auth/otp/otp.module.ts
new file mode 100644
index 00000000..76812c83
--- /dev/null
+++ b/apps/bff/src/modules/auth/otp/otp.module.ts
@@ -0,0 +1,16 @@
+import { Module } from "@nestjs/common";
+
+import { OtpService } from "../infra/otp/otp.service.js";
+import { GetStartedSessionService } from "../infra/otp/get-started-session.service.js";
+
+/**
+ * OTP Module
+ *
+ * Owns OTP generation/verification and get-started session management.
+ * Both services are exported for use by LoginModule and GetStartedModule.
+ */
+@Module({
+  providers: [OtpService, GetStartedSessionService],
+  exports: [OtpService, GetStartedSessionService],
+})
+export class OtpModule {}
diff --git a/apps/bff/src/modules/auth/password-reset/password-reset.module.ts b/apps/bff/src/modules/auth/password-reset/password-reset.module.ts
new file mode 100644
index 00000000..c4ca367a
--- /dev/null
+++ b/apps/bff/src/modules/auth/password-reset/password-reset.module.ts
@@ -0,0 +1,13 @@
+import { Module } from "@nestjs/common";
+import { UsersModule } from "@bff/modules/users/users.module.js";
+import { TokensModule } from "../tokens/tokens.module.js";
+import { SessionsModule } from "../sessions/sessions.module.js";
+import { SharedAuthModule } from "../shared/shared-auth.module.js";
+import { PasswordWorkflowService } from "../infra/workflows/password-workflow.service.js";
+
+@Module({
+  imports: [TokensModule, SessionsModule, SharedAuthModule, UsersModule],
+  providers: [PasswordWorkflowService],
+  exports: [PasswordWorkflowService],
+})
+export class PasswordResetModule {}
diff --git a/apps/bff/src/modules/auth/sessions/sessions.module.ts b/apps/bff/src/modules/auth/sessions/sessions.module.ts
new file mode 100644
index 00000000..57319ad3
--- /dev/null
+++ b/apps/bff/src/modules/auth/sessions/sessions.module.ts
@@ -0,0 +1,11 @@
+import { Module } from "@nestjs/common";
+import { TokensModule } from "../tokens/tokens.module.js";
+import { LoginSessionService } from "../infra/login/login-session.service.js";
+import { TrustedDeviceService } from "../infra/trusted-device/trusted-device.service.js";
+
+@Module({
+  imports: [TokensModule],
+  providers: [LoginSessionService, TrustedDeviceService],
+  exports: [LoginSessionService, TrustedDeviceService],
+})
+export class SessionsModule {}
diff --git a/apps/bff/src/modules/auth/shared/shared-auth.module.ts b/apps/bff/src/modules/auth/shared/shared-auth.module.ts
new file mode 100644
index 00000000..20de1b07
--- /dev/null
+++ b/apps/bff/src/modules/auth/shared/shared-auth.module.ts
@@ -0,0 +1,26 @@
+import { Module } from "@nestjs/common";
+import { APP_GUARD } from "@nestjs/core";
+import { UsersModule } from "@bff/modules/users/users.module.js";
+import { TokensModule } from "../tokens/tokens.module.js";
+import { GlobalAuthGuard } from "../presentation/http/guards/global-auth.guard.js";
+import { PermissionsGuard } from "../presentation/http/guards/permissions.guard.js";
+import { AuthRateLimitService } from "../infra/rate-limiting/auth-rate-limit.service.js";
+
+@Module({
+  imports: [TokensModule, UsersModule],
+  providers: [
+    GlobalAuthGuard,
+    PermissionsGuard,
+    AuthRateLimitService,
+    {
+      provide: APP_GUARD,
+      useClass: GlobalAuthGuard,
+    },
+    {
+      provide: APP_GUARD,
+      useClass: PermissionsGuard,
+    },
+  ],
+  exports: [GlobalAuthGuard, PermissionsGuard, AuthRateLimitService],
+})
+export class SharedAuthModule {}
diff --git a/apps/bff/src/modules/auth/tokens/tokens.module.ts b/apps/bff/src/modules/auth/tokens/tokens.module.ts
new file mode 100644
index 00000000..0137baa1
--- /dev/null
+++ b/apps/bff/src/modules/auth/tokens/tokens.module.ts
@@ -0,0 +1,35 @@
+import { Module } from "@nestjs/common";
+import { UsersModule } from "@bff/modules/users/users.module.js";
+import { JoseJwtService } from "../infra/token/jose-jwt.service.js";
+import { TokenGeneratorService } from "../infra/token/token-generator.service.js";
+import { TokenRefreshService } from "../infra/token/token-refresh.service.js";
+import { TokenStorageService } from "../infra/token/token-storage.service.js";
+import { TokenRevocationService } from "../infra/token/token-revocation.service.js";
+import { TokenBlacklistService } from "../infra/token/token-blacklist.service.js";
+import { AuthTokenService } from "../infra/token/token.service.js";
+import { PasswordResetTokenService } from "../infra/token/password-reset-token.service.js";
+import { TokenMigrationService } from "../infra/token/token-migration.service.js";
+
+@Module({
+  imports: [UsersModule],
+  providers: [
+    JoseJwtService,
+    TokenGeneratorService,
+    TokenRefreshService,
+    TokenStorageService,
+    TokenRevocationService,
+    TokenBlacklistService,
+    AuthTokenService,
+    PasswordResetTokenService,
+    TokenMigrationService,
+  ],
+  exports: [
+    JoseJwtService,
+    AuthTokenService,
+    TokenBlacklistService,
+    TokenRefreshService,
+    PasswordResetTokenService,
+    TokenMigrationService,
+  ],
+})
+export class TokensModule {}