diff --git a/docker-compose.example.yml b/docker-compose.example.yml
index b20cf16..665ee39 100644
--- a/docker-compose.example.yml
+++ b/docker-compose.example.yml
@@ -8,7 +8,8 @@ services:
     ports:
       - "28080:80" # Expose Web UI on host port 28080
     volumes:
-      - ./src/kohaku-hub-ui/dist:/usr/share/nginx/html # Mount the built frontend assets
+      - ./src/kohaku-hub-ui/dist:/usr/share/nginx/html # Mount the built main frontend assets
+      - ./src/kohaku-hub-admin/dist:/usr/share/nginx/html-admin # Mount the built admin frontend assets
       - ./docker/nginx/default.conf:/etc/nginx/conf.d/default.conf # Mount the Nginx configuration
     depends_on:
       - hub-api
@@ -58,6 +59,21 @@ services:
       - KOHAKU_HUB_SESSION_SECRET=change-this-to-random-string-in-production
       - KOHAKU_HUB_SESSION_EXPIRE_HOURS=168
       - KOHAKU_HUB_TOKEN_EXPIRE_DAYS=365
+      ## Admin API Configuration
+      - KOHAKU_HUB_ADMIN_ENABLED=true
+      - KOHAKU_HUB_ADMIN_SECRET_TOKEN=change-this-to-random-admin-token-in-production
+      # ## Storage Quota Configuration (NULL/unlimited = no limit)
+      # # Default quotas for new users
+      # - KOHAKU_HUB_DEFAULT_USER_PRIVATE_QUOTA_BYTES=unlimited  # Unlimited private storage for users
+      # - KOHAKU_HUB_DEFAULT_USER_PUBLIC_QUOTA_BYTES=unlimited   # Unlimited public storage for users
+      # # Default quotas for new organizations
+      # - KOHAKU_HUB_DEFAULT_ORG_PRIVATE_QUOTA_BYTES=unlimited   # Unlimited private storage for orgs
+      # - KOHAKU_HUB_DEFAULT_ORG_PUBLIC_QUOTA_BYTES=unlimited    # Unlimited public storage for orgs
+      # # Examples (uncomment and modify as needed):
+      - KOHAKU_HUB_DEFAULT_USER_PRIVATE_QUOTA_BYTES=10_000_000     # 10MB for user private repos
+      - KOHAKU_HUB_DEFAULT_USER_PUBLIC_QUOTA_BYTES=100_000_000      # 20MB for user public repos
+      - KOHAKU_HUB_DEFAULT_ORG_PRIVATE_QUOTA_BYTES=10_000_000      # 10MB for org private repos
+      - KOHAKU_HUB_DEFAULT_ORG_PUBLIC_QUOTA_BYTES=100_000_000      # 100MB for org public repos
     volumes:
       - ./hub-meta/hub-api:/hub-api-creds
 
diff --git a/docker/nginx/default.conf b/docker/nginx/default.conf
index 2fb2932..ccec658 100644
--- a/docker/nginx/default.conf
+++ b/docker/nginx/default.conf
@@ -27,7 +27,17 @@ server {
         proxy_set_header X-Forwarded-Proto $scheme;
     }
 
-    # 2. Organization API endpoints (mounted at /org/)
+    # 2. Admin API endpoints (mounted at /admin/api/)
+    # Covers: /admin/api/users/*, /admin/api/quota/*, /admin/api/stats
+    location /admin/api/ {
+        proxy_pass http://hub-api:48888;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    # 3. Organization API endpoints (mounted at /org/)
     # Covers: /org/create, /org/{name}, /org/{name}/members, /org/users/{username}/orgs
     location /org/ {
         proxy_pass http://hub-api:48888;
@@ -37,7 +47,7 @@ server {
         proxy_set_header X-Forwarded-Proto $scheme;
     }
 
-    # 3. Git LFS endpoints
+    # 4. Git LFS endpoints
     # Covers: /{type}s/{namespace}/{name}.git/info/lfs/* and /{namespace}/{name}.git/info/lfs/*
     location ~ \.git/info/lfs/ {
         proxy_pass http://hub-api:48888;
@@ -50,7 +60,7 @@ server {
         client_body_buffer_size 128k;
     }
 
-    # 4. Public file resolution routes (no /api prefix)
+    # 5. Public file resolution routes (no /api prefix)
     # These are public-facing download endpoints
     # Pattern: /{type}s/{namespace}/{name}/resolve/{revision}/{path}
     location ~ ^/(models|datasets|spaces)/[^/]+/[^/]+/resolve/ {
@@ -61,7 +71,7 @@ server {
         proxy_set_header X-Forwarded-Proto $scheme;
     }
 
-    # 5. Legacy public file resolution route (no /api prefix, no type prefix)
+    # 6. Legacy public file resolution route (no /api prefix, no type prefix)
     # Pattern: /{namespace}/{name}/resolve/{revision}/{path}
     # Must come AFTER the specific routes to avoid catching frontend routes
     location ~ ^/[^/]+/[^/]+/resolve/ {
@@ -74,10 +84,20 @@ server {
 
 
     # =================================================================
-    # FRONTEND SINGLE PAGE APP (SPA)
+    # ADMIN FRONTEND SPA
+    #
+    # Serve admin portal at /admin (before main SPA fallback)
+    # =================================================================
+    location /admin {
+        alias /usr/share/nginx/html-admin/;
+        try_files $uri $uri/ /admin/index.html;
+    }
+
+    # =================================================================
+    # MAIN FRONTEND SINGLE PAGE APP (SPA)
     #
     # This is the final fallback. If no API rule above matched,
-    # Nginx assumes it's a frontend route and serves the SPA.
+    # Nginx assumes it's a frontend route and serves the main SPA.
     # =================================================================
     location / {
         try_files $uri $uri/ /index.html;