diff --git a/backend/src/app/admin/layout.tsx b/backend/src/app/admin/layout.tsx
new file mode 100644
index 0000000..4697705
--- /dev/null
+++ b/backend/src/app/admin/layout.tsx
@@ -0,0 +1,63 @@
+'use client';
+import { usePathname, useRouter } from 'next/navigation';
+import { useEffect, useState } from 'react';
+
+const NAV = [
+  { href: '/admin', label: 'Dashboard' },
+  { href: '/admin/players', label: 'Players' },
+  { href: '/admin/battlepass', label: 'Battle Pass' },
+  { href: '/admin/matches', label: 'Matches' },
+  { href: '/admin/promocodes', label: 'Promo Codes' },
+  { href: '/admin/store', label: 'Store' },
+  { href: '/admin/contracts', label: 'Contracts' },
+  { href: '/admin/arsenal', label: 'Arsenal' },
+];
+
+export default function AdminLayout({ children }: { children: React.ReactNode }) {
+  const pathname = usePathname();
+  const router = useRouter();
+  const [authed, setAuthed] = useState(false);
+  const [loading, setLoading] = useState(true);
+
+  useEffect(() => {
+    if (pathname === '/admin/login') {
+      setLoading(false);
+      return;
+    }
+    fetch('/api/admin/check')
+      .then(r => r.json())
+      .then(d => {
+        if (d.authenticated) setAuthed(true);
+        else router.push('/admin/login');
+      })
+      .catch(() => router.push('/admin/login'))
+      .finally(() => setLoading(false));
+  }, [pathname, router]);
+
+  if (loading) return <div className="p-8 text-gray-400">Loading...</div>;
+  if (pathname === '/admin/login') return <>{children}</>;
+  if (!authed) return null;
+
+  return (
+    <div className="min-h-screen bg-gray-900 text-gray-100 flex">
+      <nav className="w-56 bg-gray-800 p-4 flex flex-col gap-1 shrink-0">
+        <h1 className="text-lg font-bold mb-4 px-3 text-amber-400">Zombie Admin</h1>
+        {NAV.map(item => (
+          <a
+            key={item.href}
+            href={item.href}
+            className={`px-3 py-2 rounded hover:bg-gray-700 transition-colors ${
+              pathname === item.href || pathname.startsWith(item.href + '/') ? 'bg-gray-700 text-amber-300' : ''
+            }`}
+          >
+            {item.label}
+          </a>
+        ))}
+        <div className="mt-auto pt-4">
+          <a href="/api/admin/logout" className="px-3 py-2 text-red-400 hover:text-red-300 block text-sm">Logout</a>
+        </div>
+      </nav>
+      <main className="flex-1 p-6 overflow-auto">{children}</main>
+    </div>
+  );
+}
diff --git a/backend/src/app/admin/login/page.tsx b/backend/src/app/admin/login/page.tsx
new file mode 100644
index 0000000..c3c3dbc
--- /dev/null
+++ b/backend/src/app/admin/login/page.tsx
@@ -0,0 +1,42 @@
+'use client';
+import { useState } from 'react';
+import { useRouter } from 'next/navigation';
+
+export default function LoginPage() {
+  const [password, setPassword] = useState('');
+  const [error, setError] = useState('');
+  const router = useRouter();
+
+  const handleSubmit = async (e: React.FormEvent) => {
+    e.preventDefault();
+    setError('');
+    const res = await fetch('/api/admin/login', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ password }),
+    });
+    const data = await res.json();
+    if (data.success) router.push('/admin');
+    else setError(data.error || 'Login failed');
+  };
+
+  return (
+    <div className="min-h-screen bg-gray-900 flex items-center justify-center">
+      <form onSubmit={handleSubmit} className="bg-gray-800 p-8 rounded-lg w-80">
+        <h1 className="text-2xl font-bold mb-6 text-amber-400">Admin Login</h1>
+        {error && <p className="text-red-400 mb-4 text-sm">{error}</p>}
+        <input
+          type="password"
+          value={password}
+          onChange={e => setPassword(e.target.value)}
+          placeholder="Password"
+          className="w-full px-3 py-2 bg-gray-700 rounded mb-4 text-white"
+          autoFocus
+        />
+        <button type="submit" className="w-full bg-amber-500 hover:bg-amber-600 text-black font-semibold py-2 rounded">
+          Login
+        </button>
+      </form>
+    </div>
+  );
+}
diff --git a/backend/src/app/api/admin/check/route.ts b/backend/src/app/api/admin/check/route.ts
new file mode 100644
index 0000000..2f38224
--- /dev/null
+++ b/backend/src/app/api/admin/check/route.ts
@@ -0,0 +1,8 @@
+import { NextResponse } from 'next/server';
+import { cookies } from 'next/headers';
+
+export async function GET() {
+  const store = cookies();
+  const authed = store.get('admin_session')?.value === 'authenticated';
+  return NextResponse.json({ authenticated: !!authed });
+}
diff --git a/backend/src/app/api/admin/login/route.ts b/backend/src/app/api/admin/login/route.ts
new file mode 100644
index 0000000..7429ce6
--- /dev/null
+++ b/backend/src/app/api/admin/login/route.ts
@@ -0,0 +1,14 @@
+import { NextRequest, NextResponse } from 'next/server';
+
+export async function POST(request: NextRequest) {
+  const { password } = await request.json();
+  const ADMIN_PASSWORD = process.env.ADMIN_PASSWORD || 'admin';
+  if (password !== ADMIN_PASSWORD) {
+    return NextResponse.json({ success: false, error: 'Invalid password' }, { status: 401 });
+  }
+  const response = NextResponse.json({ success: true });
+  response.cookies.set('admin_session', 'authenticated', {
+    httpOnly: true, secure: false, sameSite: 'lax', path: '/admin', maxAge: 86400,
+  });
+  return response;
+}
diff --git a/backend/src/app/api/admin/logout/route.ts b/backend/src/app/api/admin/logout/route.ts
new file mode 100644
index 0000000..bf49cb2
--- /dev/null
+++ b/backend/src/app/api/admin/logout/route.ts
@@ -0,0 +1,7 @@
+import { NextResponse } from 'next/server';
+
+export async function GET() {
+  const response = NextResponse.json({ success: true });
+  response.cookies.delete('admin_session');
+  return response;
+}