diff --git a/apps/web/src/app/api/setup-admin/route.ts b/apps/web/src/app/api/setup-admin/route.ts
new file mode 100644
index 0000000..1991c0d
--- /dev/null
+++ b/apps/web/src/app/api/setup-admin/route.ts
@@ -0,0 +1,47 @@
+import { NextResponse } from 'next/server';
+import { createPrismaClient } from '@startover/database';
+import argon2 from 'argon2';
+
+const prisma = createPrismaClient();
+
+export async function POST(request: Request) {
+ const body = await request.json().catch(() => ({}));
+ const secret = body.secret as string | undefined;
+
+ // 간단한 보안: 비밀키 확인
+ if (secret !== 'startover-setup-2026') {
+ return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+ }
+
+ const email = 'admin@admin.com';
+ const emailNormalized = email.toLowerCase().trim();
+
+ const existing = await prisma.user.findFirst({
+ where: { emailNormalized },
+ });
+
+ if (existing) {
+ // 이미 존재하면 비밀번호만 업데이트
+ const passwordHash = await argon2.hash('admin123');
+ await prisma.user.update({
+ where: { id: existing.id },
+ data: { passwordHash, status: 'ACTIVE', primaryRole: 'SUPER_ADMIN' },
+ });
+ return NextResponse.json({ message: 'Admin user updated', id: existing.id.toString() });
+ }
+
+ const passwordHash = await argon2.hash('admin123');
+ const user = await prisma.user.create({
+ data: {
+ email,
+ emailNormalized,
+ name: '운영자',
+ passwordHash,
+ primaryRole: 'SUPER_ADMIN',
+ status: 'ACTIVE',
+ emailVerifiedAt: new Date(),
+ },
+ });
+
+ return NextResponse.json({ message: 'Admin user created', id: user.id.toString() });
+}
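Review bot: The secret gating this route is a string literal in source (`'startover-setup-2026'`) and the account it provisions gets the fixed password `'admin123'` on every call, so anyone who can read the repository or guess the value can create or reset a SUPER_ADMIN, and nothing limits the route to bootstrap time, so it stays live in every environment. Move both values to the environment and return 404 when they are unset, compare the secret with `crypto.timingSafeEqual` instead of `!==`, and treat the parsed body as `unknown` rather than reading `body.secret` through an `as` assertion on an `any`. The existing-user branch also resets the password and role unconditionally; rejecting once a SUPER_ADMIN exists (or removing the route after first use) would close that off. Rewritten entry lines below; `timingSafeEqual` comes from `'node:crypto'` and the env names are placeholders for whatever the project settles on.
```typescript
export async function POST(request: Request) {
  // Both values come from the environment; with either missing the route does not exist.
  const expected = process.env.SETUP_ADMIN_SECRET;     // placeholder name
  const adminPassword = process.env.SETUP_ADMIN_PASSWORD; // placeholder name
  if (!expected || !adminPassword) {
    return NextResponse.json({ error: 'Not found' }, { status: 404 });
  }

  const body: unknown = await request.json().catch(() => null);
  const secret =
    typeof body === 'object' && body !== null && typeof (body as { secret?: unknown }).secret === 'string'
      ? (body as { secret: string }).secret
      : '';

  // Constant-time comparison; length check first because timingSafeEqual requires equal sizes.
  const given = Buffer.from(secret);
  const wanted = Buffer.from(expected);
  if (given.length !== wanted.length || !timingSafeEqual(given, wanted)) {
    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
  }
  // … unchanged: lookup / update / create, with argon2.hash(adminPassword) replacing the literal …
```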