diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..9bb6a9a
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,13 @@
+.git
+.venv
+.pytest_cache
+.ruff_cache
+*.egg-info
+__pycache__
+*.pyc
+.env
+
+frontend/node_modules
+frontend/dist
+
+var
diff --git a/.env.example b/.env.example
index 964b0da..bbcc9a1 100644
--- a/.env.example
+++ b/.env.example
@@ -1,9 +1,14 @@
-GNEXUS_CREDS_ENV=development
-GNEXUS_CREDS_DATABASE_URL=postgresql+psycopg://gnexus_creds:gnexus_creds@localhost:5432/gnexus_creds
-GNEXUS_CREDS_MASTER_KEY=change-me-to-a-32-byte-url-safe-key
-GNEXUS_CREDS_SESSION_SECRET=change-me
-GNEXUS_AUTH_BASE_URL=http://gnexus-auth.local
-GNEXUS_AUTH_CLIENT_ID=gnexus-creds
-GNEXUS_AUTH_CLIENT_SECRET=change-me
-GNEXUS_AUTH_REDIRECT_URI=http://localhost:8000/auth/callback
-GNEXUS_AUTH_WEBHOOK_SECRET=change-me
+GNEXUS_CREDS_ENV=production
+GNEXUS_CREDS_DATABASE_URL=postgresql+psycopg://gnexus_creds:change-me@postgres:5432/gnexus_creds
+GNEXUS_CREDS_MASTER_KEY=replace-with-a-long-random-master-key
+GNEXUS_CREDS_SESSION_SECRET=replace-with-a-long-random-session-secret
+GNEXUS_CREDS_SESSION_COOKIE_NAME=gnexus_creds_session
+
+GNEXUS_AUTH_BASE_URL=https://auth.gnexus.space
+GNEXUS_AUTH_CLIENT_ID=replace-with-client-id
+GNEXUS_AUTH_CLIENT_SECRET=replace-with-client-secret
+GNEXUS_AUTH_REDIRECT_URI=https://creds.gnexus.space/auth/callback
+GNEXUS_AUTH_WEBHOOK_SECRET=replace-with-webhook-secret
+
+GNEXUS_CREDS_RATE_LIMIT_WINDOW_SECONDS=60
+GNEXUS_CREDS_RATE_LIMIT_MAX_SENSITIVE_REQUESTS=120
diff --git a/Dockerfile b/Dockerfile
index b3c5a8c..47410c9 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,3 +1,18 @@
+FROM node:22-bookworm-slim AS frontend
+
+WORKDIR /app/frontend
+
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends ca-certificates git \
+    && rm -rf /var/lib/apt/lists/*
+
+COPY frontend/package*.json ./
+RUN npm ci
+
+COPY frontend ./
+RUN npm run build
+
+
 FROM python:3.13-slim AS runtime
 
 ENV PYTHONDONTWRITEBYTECODE=1 \
@@ -6,7 +21,7 @@
 WORKDIR /app
 
 RUN apt-get update \
-    && apt-get install -y --no-install-recommends git \
+    && apt-get install -y --no-install-recommends ca-certificates git \
     && rm -rf /var/lib/apt/lists/*
 
 COPY pyproject.toml README.md ./
@@ -16,6 +31,9 @@
 
 RUN pip install --no-cache-dir .
 
+COPY --from=frontend /app/frontend/dist ./frontend/dist
+COPY --from=frontend /app/frontend/node_modules/gnexus-ui-kit/dist/assets/fonts ./frontend/node_modules/gnexus-ui-kit/dist/assets/fonts
+
 EXPOSE 8000
 
 CMD ["uvicorn", "gnexus_creds.main:app", "--host", "0.0.0.0", "--port", "8000"]
diff --git a/README.md b/README.md
index 2422e18..ab14750 100644
--- a/README.md
+++ b/README.md
@@ -23,6 +23,12 @@
 uv run uvicorn gnexus_creds.main:app --reload
 ```
 
+For local PostgreSQL development:
+
+```env
+GNEXUS_CREDS_DATABASE_URL=postgresql+psycopg://gnexus_creds:gnexus_creds@127.0.0.1:5432/gnexus_creds
+```
+
 Health endpoints:
 
 ```text
@@ -62,7 +68,32 @@
 
 ## Docker
 
+Prepare a production env file from `.env.example`, then build the image:
+
 ```bash
 docker build -t gnexus-creds .
+```
+
+Apply migrations:
+
+```bash
+docker run --rm --env-file .env gnexus-creds alembic upgrade head
+```
+
+Start the app:
+
+```bash
 docker run --env-file .env -p 8000:8000 gnexus-creds
 ```
+
+Local compose stack with PostgreSQL:
+
+```bash
+docker compose up -d postgres
+docker compose run --rm app alembic upgrade head
+docker compose up -d app
+```
+
+The image includes the built Vue UI and serves it from FastAPI. The container
+does not run migrations automatically; run `alembic upgrade head` explicitly
+during deploy.
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..1f49d6e
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,27 @@
+services:
+  postgres:
+    image: postgres:18
+    environment:
+      POSTGRES_DB: gnexus_creds
+      POSTGRES_USER: gnexus_creds
+      POSTGRES_PASSWORD: gnexus_creds
+    volumes:
+      - postgres-data:/var/lib/postgresql/data
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U gnexus_creds -d gnexus_creds"]
+      interval: 5s
+      timeout: 3s
+      retries: 20
+
+  app:
+    build: .
+    depends_on:
+      postgres:
+        condition: service_healthy
+    env_file:
+      - .env
+    ports:
+      - "8000:8000"
+
+volumes:
+  postgres-data:
diff --git a/frontend/src/App.vue b/frontend/src/App.vue
index 2efd4d1..893668a 100644
--- a/frontend/src/App.vue
+++ b/frontend/src/App.vue
@@ -1,5 +1,5 @@
 <script setup>
-import { computed, onMounted, reactive, ref } from "vue";
+import { computed, onMounted, reactive, ref, watch } from "vue";
 import {
   GnBadge,
   GnButton,
@@ -12,7 +12,7 @@
 
 import { api } from "./api";
 
-const tabs = [
+const baseTabs = [
   { id: "secrets", label: "Secrets" },
   { id: "history", label: "History" },
   { id: "audit", label: "Audit" },
@@ -42,6 +42,8 @@
 const importFile = ref(null);
 const importPreview = ref(null);
 const importError = ref("");
+const adminUsers = ref([]);
+const adminUsersTotal = ref(0);
 
 const form = reactive({
   title: "",
@@ -81,6 +83,9 @@
 });
 
 const visibleFields = computed(() => selected.value?.fields || []);
+const tabs = computed(() =>
+  me.value?.role === "admin" ? [...baseTabs, { id: "admin", label: "Admin" }] : baseTabs
+);
 const activeSecrets = computed(() => secrets.value.filter((secret) => !secret.archived).length);
 const mcpSecrets = computed(() => secrets.value.filter((secret) => secret.allow_mcp).length);
 
@@ -339,6 +344,13 @@
   await loadSecrets();
 }
 
+async function loadAdminUsers() {
+  activeTab.value = "admin";
+  const payload = await api.adminUsers({ limit: 50 });
+  adminUsers.value = payload.items;
+  adminUsersTotal.value = payload.total;
+}
+
 onMounted(async () => {
   try {
     me.value = await api.me();
@@ -347,6 +359,12 @@
     window.location.href = "/auth/login";
   }
 });
+
+watch(activeTab, (tab) => {
+  if (tab === "admin" && me.value?.role === "admin" && !adminUsers.value.length) {
+    loadAdminUsers();
+  }
+});
 </script>
 
 <template>
@@ -663,6 +681,39 @@
       </div>
     </section>
 
+    <section v-if="activeTab === 'admin' && me?.role === 'admin'" class="panel-stack admin-stack">
+      <div class="panel">
+        <div class="toolbar">
+          <h2>Users</h2>
+          <span class="muted">{{ adminUsersTotal }} records</span>
+          <GnButton @click="loadAdminUsers">Refresh</GnButton>
+        </div>
+        <div class="admin-grid admin-grid-head">
+          <span>User</span>
+          <span>Status</span>
+          <span>Role</span>
+          <span>Last seen</span>
+        </div>
+        <div v-for="user in adminUsers" :key="user.id" class="admin-grid">
+          <span>
+            <strong>{{ user.email }}</strong>
+            <small>{{ user.display_name || user.id }}</small>
+          </span>
+          <GnBadge :tone="user.status === 'enabled' ? 'success' : 'danger'">
+            {{ user.status }}
+          </GnBadge>
+          <GnBadge :tone="user.role === 'admin' ? 'warning' : 'info'">
+            {{ user.role }}
+          </GnBadge>
+          <small>{{ user.last_seen_at || "never" }}</small>
+        </div>
+        <div v-if="!adminUsers.length" class="empty-state">
+          <strong>No users loaded</strong>
+          <span>Use refresh to load gnexus-creds users.</span>
+        </div>
+      </div>
+    </section>
+
     <GnModal v-model="showDeleteConfirm" title="Delete all data">
       <p>This permanently removes all secrets and versions. Audit records remain.</p>
       <template #footer>
diff --git a/frontend/src/api.js b/frontend/src/api.js
index 606bf20..e2a075a 100644
--- a/frontend/src/api.js
+++ b/frontend/src/api.js
@@ -43,5 +43,9 @@
   exportData: () => request("/api/v1/export", { method: "POST" }),
   importData: (payload) =>
     request("/api/v1/import", { method: "POST", body: JSON.stringify(payload) }),
-  deleteAccountData: () => request("/api/v1/account-data", { method: "DELETE" })
+  deleteAccountData: () => request("/api/v1/account-data", { method: "DELETE" }),
+  adminUsers: (params = {}) => {
+    const query = new URLSearchParams(params);
+    return request(`/api/v1/admin/users?${query}`);
+  }
 };
diff --git a/frontend/src/styles.css b/frontend/src/styles.css
index 3d790a2..9d2850b 100644
--- a/frontend/src/styles.css
+++ b/frontend/src/styles.css
@@ -323,6 +323,39 @@
   max-width: 840px;
 }
 
+.admin-stack {
+  max-width: 1120px;
+}
+
+.admin-grid {
+  display: grid;
+  grid-template-columns: minmax(260px, 1fr) 120px 120px minmax(160px, 220px);
+  gap: 12px;
+  align-items: center;
+  padding: 11px 10px;
+  border-bottom: 1px solid #30384f;
+}
+
+.admin-grid > span {
+  min-width: 0;
+  display: grid;
+  gap: 4px;
+}
+
+.admin-grid strong,
+.admin-grid small {
+  min-width: 0;
+  overflow: hidden;
+  text-overflow: ellipsis;
+  white-space: nowrap;
+}
+
+.admin-grid-head {
+  color: #9ba7cb;
+  font-size: 12px;
+  text-transform: uppercase;
+}
+
 .checks {
   display: flex;
   gap: 14px;
@@ -379,7 +412,8 @@
 
   .field-row,
   .secret-row,
-  .audit-row {
+  .audit-row,
+  .admin-grid {
     grid-template-columns: 1fr;
   }
 
diff --git a/gnexus_creds/auth.py b/gnexus_creds/auth.py
index b2810f7..c958230 100644
--- a/gnexus_creds/auth.py
+++ b/gnexus_creds/auth.py
@@ -8,7 +8,6 @@
 from gnexus_creds.db import get_db
 from gnexus_creds.errors import AppError
 from gnexus_creds.models import User
-from gnexus_creds.schemas import Scope
 from gnexus_creds.services import (
     Actor,
     authenticate_api_token,
@@ -58,7 +57,7 @@
 
 async def require_admin(actor: Actor = Depends(actor_from_request)) -> Actor:
     if actor.user.system_role != "admin":
-        actor.require(Scope.admin)
+        raise AppError("forbidden", "Admin role required.", status_code=403)
     return actor
 
 
diff --git a/tests/test_api.py b/tests/test_api.py
index 53fc6ab..98c4059 100644
--- a/tests/test_api.py
+++ b/tests/test_api.py
@@ -155,3 +155,20 @@
         assert {field["name"]: field["value"] for field in reveal_response.json()["fields"]}[
             "password"
         ] == "secret"
+
+
+@pytest.mark.anyio
+async def test_admin_users_requires_admin_role(app, actor):
+    actor.user.system_role = "user"
+    async with AsyncClient(transport=ASGITransport(app=app), base_url="http://test") as client:
+        response = await client.get("/api/v1/admin/users")
+    assert response.status_code == 403
+
+
+@pytest.mark.anyio
+async def test_admin_users_lists_users_for_admin(app):
+    async with AsyncClient(transport=ASGITransport(app=app), base_url="http://test") as client:
+        response = await client.get("/api/v1/admin/users")
+    assert response.status_code == 200
+    assert response.json()["total"] == 1
+    assert response.json()["items"][0]["email"] == "user@example.test"