diff --git a/admin.go b/admin.go
new file mode 100644
index 0000000..df957fe
--- /dev/null
+++ b/admin.go
@@ -0,0 +1,85 @@
+package main
+
+import (
+ "encoding/json"
+ "fmt"
+ "io"
+ "net/http"
+ "os"
+
+ "github.com/gorilla/mux"
+)
+
+// GetUsersHandler handles GET requests to /admin/user
+func GetUsersHandler(w http.ResponseWriter, r *http.Request) {
+ var users []User
+ db.Find(&users)
+ json.NewEncoder(w).Encode(users)
+}
+
+// CreateUserHandler handles POST requests to /admin/user
+func CreateUserHandler(w http.ResponseWriter, r *http.Request) {
+ var user User
+ err := json.NewDecoder(r.Body).Decode(&user)
+ if err != nil {
+ http.Error(w, "Invalid request body", http.StatusBadRequest)
+ return
+ }
+ db.Create(&user)
+ json.NewEncoder(w).Encode(user)
+}
+
+// GetUserHandler handles GET requests to /admin/user/{id}
+func GetUserHandler(w http.ResponseWriter, r *http.Request) {
+ vars := mux.Vars(r)
+ id := vars["id"]
+ var user User
+ db.First(&user, id)
+ if user.ID == 0 {
+ http.Error(w, "User not found", http.StatusNotFound)
+ return
+ }
+ json.NewEncoder(w).Encode(user)
+}
+
+// DeleteUserHandler handles DELETE requests to /admin/user/{id}
+func DeleteUserHandler(w http.ResponseWriter, r *http.Request) {
+ vars := mux.Vars(r)
+ id := vars["id"]
+ var user User
+ db.First(&user, id)
+ if user.ID == 0 {
+ http.Error(w, "User not found", http.StatusNotFound)
+ return
+ }
+ db.Delete(&user)
+ w.WriteHeader(http.StatusNoContent)
+}
+
+// BackupDatabaseHandler handles GET requests to /admin/db
+func BackupDatabaseHandler(w http.ResponseWriter, r *http.Request) {
+ // ...
+ fmt.Println("BackupDatabaseHandler called")
+ // Open the database file using the path from the config
+ file, err := os.Open(config.DatabasePath)
+ if err != nil {
+ http.Error(w, "Failed to open database file", http.StatusInternalServerError)
+ return
+ }
+ defer file.Close()
+
+ // Copy the file to the response writer
+ _, err = io.Copy(w, file)
+ if err != nil {
+ http.Error(w, "Failed to send database file", http.StatusInternalServerError)
+ return
+ }
+}
+
+// RestoreDatabaseHandler handles POST requests to /admin/db
+func RestoreDatabaseHandler(w http.ResponseWriter, r *http.Request) {
+ // implement database restore logic here
+ fmt.Println("Restoring database...")
+ // ...
+ w.WriteHeader(http.StatusOK)
+}
diff --git a/main.go b/main.go
index b5a9cdf..eb71c92 100644
--- a/main.go
+++ b/main.go
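Review bot: In admin.go, GetUserHandler and DeleteUserHandler pass the raw `{id}` path segment to `db.First(&user, id)` as a string, and the routes registered in main.go put no pattern on `{id}`. If `db` is a GORM handle (its declaration is outside this diff), GORM treats a non-numeric string in that position as a query condition rather than a primary-key value, so the lookup is built from request input. Parse the value first and reject anything else: `id, err := strconv.Atoi(mux.Vars(r)["id"])` followed by `if err != nil { http.Error(w, "Invalid user id", http.StatusBadRequest); return }`, with `strconv` added to the import block. None of the handlers inspect the result of `db.First`, `db.Create` or `db.Delete`, so a failed query is reported as 404 or as success. CreateUserHandler also decodes the body straight into `User` and the handlers encode the whole struct back, so which fields a client can set or read (ID, password) depends on struct tags that are not shown here.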
@@ -65,11 +65,22 @@ func main() { Methods("POST"). Handler(AuthMiddleware(http.HandlerFunc(UploadItemImageHandler))) + managementRouter := router.PathPrefix("/admin").Subrouter() + managementRouter.Use(AuthMiddleware) + + managementRouter.Handle("/user", http.HandlerFunc(GetUsersHandler)).Methods("GET", "OPTIONS") + managementRouter.Handle("/user", http.HandlerFunc(CreateUserHandler)).Methods("POST", "OPTIONS") + managementRouter.Handle("/user/{id}", http.HandlerFunc(GetUserHandler)).Methods("GET", "OPTIONS") + managementRouter.Handle("/user/{id}", http.HandlerFunc(DeleteUserHandler)).Methods("DELETE", "OPTIONS") + managementRouter.Handle("/db", http.HandlerFunc(BackupDatabaseHandler)).Methods("GET", "OPTIONS") + managementRouter.Handle("/db", http.HandlerFunc(RestoreDatabaseHandler)).Methods("POST", "OPTIONS") + // Apply CORS middleware c := cors.New(cors.Options{ AllowedOrigins: []string{"http://localhost:3000", "http://10.0.0.16:3000"}, // Change this to your frontend domain AllowedMethods: []string{"GET", "POST", "PUT", "DELETE", "OPTIONS"}, AllowedHeaders: []string{"Authorization", "Content-Type"}, + ExposedHeaders: []string{"Content-Length", "Access-Control-Allow-Origin", "Access-Control-Allow-Headers", "Cache-Control", "Content-Language", "Content-Type", "Expires", "Last-Modified", "Pragma", "ETag"}, AllowCredentials: true, })
diff --git a/scripts/backup_db.bash b/scripts/backup_db.bash
new file mode 100644
index 0000000..8da7f4d
--- /dev/null
+++ b/scripts/backup_db.bash
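Review bot: The new `/admin` subrouter is guarded only by `managementRouter.Use(AuthMiddleware)`, the same middleware that wraps the ordinary upload route just above it. Unless AuthMiddleware itself checks a role (its body is outside this diff), any logged-in account can list, create and delete users and download the database file. Add an authorization step for this subrouter, for example a second middleware passed in the same call, `managementRouter.Use(AuthMiddleware, requireAdmin)`, where `requireAdmin` is a placeholder name for a check that does not exist in this diff. The helper scripts added in this commit call these endpoints with the `boxuser` login, which suggests no separate admin account is involved. `main` starts before and continues after this hunk.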
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+# API base URL
+API_BASE_URL="http://localhost:8080"
+
+# Login credentials
+USERNAME="boxuser"
+PASSWORD="boxuser"
+
+# Get a new JWT token
+TOKEN=$(curl -s -X POST -H "Content-Type: application/json" \
+ -d "{\"username\":\"$USERNAME\", \"password\":\"$PASSWORD\"}" \
+ "$API_BASE_URL/login" | jq -r '.token')
+
+curl -X GET \
+ $API_BASE_URL/admin/db \
+ -H "Authorization: Bearer $TOKEN" \
+ -H "Content-Type: application/json" \
+ --output ./test.db
\ No newline at end of file
diff --git a/scripts/deleteuser.bash b/scripts/deleteuser.bash
new file mode 100644
index 0000000..0ef180a
--- /dev/null
+++ b/scripts/deleteuser.bash
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+# API base URL
+API_BASE_URL="http://localhost:8080"
+
+# Login credentials
+USERNAME="boxuser"
+PASSWORD="boxuser"
+
+JSON_PAYLOAD='{
+ "username": "testuser",
+ "password": "testuser"
+}'
+
+# Get a new JWT token
+TOKEN=$(curl -s -X POST -H "Content-Type: application/json" \
+ -d "{\"username\":\"$USERNAME\", \"password\":\"$PASSWORD\"}" \
+ "$API_BASE_URL/login" | jq -r '.token')
+
+curl -X DELETE \
+ $API_BASE_URL/admin/user/2 \
+ -H "Authorization: Bearer $TOKEN" \
+ -H "Content-Type: application/json" \
\ No newline at end of file
diff --git a/scripts/getusers.bash b/scripts/getusers.bash
new file mode 100644
index 0000000..3440108
--- /dev/null
+++ b/scripts/getusers.bash
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# API base URL
+API_BASE_URL="http://localhost:8080"
+
+# Login credentials
+USERNAME="boxuser"
+PASSWORD="boxuser"
+
+# Get a new JWT token
+TOKEN=$(curl -s -X POST -H "Content-Type: application/json" \
+ -d "{\"username\":\"$USERNAME\", \"password\":\"$PASSWORD\"}" \
+ "$API_BASE_URL/login" | jq -r '.token')
+
+curl -X GET \
+ $API_BASE_URL/admin/user \
+ -H "Authorization: Bearer $TOKEN" \
+ -H "Content-Type: application/json"
\ No newline at end of file
diff --git a/scripts/makeuser.bash b/scripts/makeuser.bash
new file mode 100644
index 0000000..b7a8c86
--- /dev/null
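Review bot: The login name and password are hard-coded as `USERNAME="boxuser"` and `PASSWORD="boxuser"` in backup_db.bash, and the same two lines are repeated in deleteuser.bash, getusers.bash and makeuser.bash, so a working credential for the admin API is stored in the repository. Read them from the environment instead, e.g. `USERNAME="${BOX_USERNAME:?BOX_USERNAME is not set}"` and `PASSWORD="${BOX_PASSWORD:?BOX_PASSWORD is not set}"` (variable names chosen here for illustration). backup_db.bash writes the dump to `./test.db`, and this commit also adds a binary `test.db`; if that file is the script's output, a copy of the user table is now in version control and should be removed and ignored. None of the scripts check that the login actually returned a token, so a failed login still sends the second request with whatever `jq` printed.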
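Review bot: In deleteuser.bash the `JSON_PAYLOAD` variable is defined but never used, and the last `curl` argument line ends with a `\` continuation that has nothing after it. Both look like leftovers from makeuser.bash, which sends the payload with `-d "$JSON_PAYLOAD"` on the following line; drop the variable and end the command at `-H "Content-Type: application/json"`. The target `admin/user/2` is fixed in the script, so taking the id as `$1` would make it reusable and make the deleted account explicit at the call site.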
+++ b/scripts/makeuser.bash
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+# API base URL
+API_BASE_URL="http://localhost:8080"
+
+# Login credentials
+USERNAME="boxuser"
+PASSWORD="boxuser"
+
+JSON_PAYLOAD='{
+ "username": "testuser",
+ "password": "testuser"
+}'
+
+# Get a new JWT token
+TOKEN=$(curl -s -X POST -H "Content-Type: application/json" \
+ -d "{\"username\":\"$USERNAME\", \"password\":\"$PASSWORD\"}" \
+ "$API_BASE_URL/login" | jq -r '.token')
+
+curl -X POST \
+ $API_BASE_URL/admin/user \
+ -H "Authorization: Bearer $TOKEN" \
+ -H "Content-Type: application/json" \
+ -d "$JSON_PAYLOAD"
\ No newline at end of file
diff --git a/test.db b/test.db
new file mode 100644
index 0000000..b44d2ad
Binary files /dev/null and b/test.db differ