diff --git a/www/_func.php b/www/_func.php
new file mode 100644
index 0000000..eeee87a
--- /dev/null
+++ b/www/_func.php
@@ -0,0 +1,70 @@
+<?php
+function registerFailedLogin(string $ip, $sql): void {
+    global $sql;
+    $entry = $sql->single(
+        "SELECT id, attempts
+         FROM admin_login_attempts
+         WHERE ip_address = ?",
+        "s",
+        [$ip]
+    );
+
+    if (!$entry) {
+        // Erster Fehlversuch
+        $sql->set(
+            "INSERT INTO admin_login_attempts (ip_address, attempts, last_attempt)
+             VALUES (?, 1, NOW())",
+            "s",
+            [$ip]
+        );
+        return;
+    }
+
+    $attempts = (int)$entry['attempts'] + 1;
+
+    if ($attempts >= 3) {
+        $sql->set(
+            "UPDATE admin_login_attempts
+             SET attempts = ?,
+                 locked_until = DATE_ADD(NOW(), INTERVAL 1 HOUR),
+                 last_attempt = NOW()
+             WHERE id = ?",
+            "ii",
+            [$attempts, $entry['id']]
+        );
+    } else {
+        $sql->set(
+            "UPDATE admin_login_attempts
+             SET attempts = ?,
+                 last_attempt = NOW()
+             WHERE id = ?",
+            "ii",
+            [$attempts, $entry['id']]
+        );
+    }
+}
+function isIpLocked(string $ip, $sql): bool {
+    global $sql;
+    $entry = $sql->single(
+        "SELECT locked_until
+         FROM admin_login_attempts
+         WHERE ip_address = ?
+           AND locked_until IS NOT NULL
+           AND locked_until > NOW()",
+        "s",
+        [$ip]
+    );
+
+    return (bool)$entry;
+}
+function clearLoginAttempts(string $ip, $sql): void {
+    global $sql;
+    $sql->set(
+        "DELETE FROM admin_login_attempts WHERE ip_address = ?",
+        "s",
+        [$ip]
+    );
+}
+
+
+?>
\ No newline at end of file
diff --git a/www/_sql.php b/www/_sql.php
index 474060f..16c5c8b 100644
--- a/www/_sql.php
+++ b/www/_sql.php
@@ -171,4 +171,6 @@ class SQL {
     // echo 'DESTROY';
   }
 }
+
+$sql = new SQL();
 ?>
\ No newline at end of file
diff --git a/www/admin.php b/www/admin.php
new file mode 100644
index 0000000..57386ea
--- /dev/null
+++ b/www/admin.php
@@ -0,0 +1,236 @@
+<?php
+require '_sql.php';
+require '_func.php';
+
+session_start([
+    'use_strict_mode' => true,
+    'cookie_httponly' => true
+]);
+
+$ip = $_SERVER['REMOTE_ADDR'];
+
+/**
+ * 🔒 IP-Sperre prüfen
+ */
+if (isIpLocked($ip, $sql)) {
+    http_response_code(403);
+    exit('Zu viele Fehlversuche. IP für 1 Stunde gesperrt.');
+}
+
+/**
+ * 🔐 LOGIN (wenn nicht eingeloggt)
+ */
+if (!($_SESSION['is_admin'] ?? false)) {
+
+    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
+        $user = $_POST['username'] ?? '';
+        $pass = $_POST['password'] ?? '';
+
+        $admin = $sql->single(
+            "SELECT * FROM admin_users WHERE username = ?",
+            "s",
+            [$user]
+        );
+
+        if (!$admin || !password_verify($pass, $admin['password_hash'])) {
+            registerFailedLogin($ip, $sql);
+            $error = 'Ungültige Zugangsdaten';
+        } else {
+            clearLoginAttempts($ip, $sql);
+            $_SESSION['is_admin'] = true;
+            $_SESSION['admin_id'] = $admin['id'];
+            header('Location: admin.php');
+            exit;
+        }
+    }
+
+    // 🔑 Login-Formular
+    ?>
+    <!doctype html>
+    <html lang="de">
+    <head>
+        <meta charset="utf-8">
+        <title>Admin Login</title>
+        <style>
+            body { font-family: sans-serif; background:#0f172a; color:#e5e7eb; display:flex; height:100vh; align-items:center; justify-content:center; }
+            form { background:#020617; padding:2rem; border-radius:12px; width:300px; }
+            input, button { width:100%; padding:.6rem; margin-top:.75rem; }
+            button { background:#38bdf8; border:0; cursor:pointer; }
+            .err { color:#f87171; margin-top:.5rem; }
+        </style>
+    </head>
+    <body>
+        <form method="post">
+            <h2>Admin Login</h2>
+            <input name="username" placeholder="Benutzername" required>
+            <input name="password" type="password" placeholder="Passwort" required>
+            <button>Login</button>
+            <?php if (!empty($error)): ?>
+                <div class="err"><?= htmlspecialchars($error) ?></div>
+            <?php endif; ?>
+        </form>
+    </body>
+    </html>
+    <?php
+    exit;
+}
+
+/**
+ * ✅ AB HIER: ADMIN EINGELOGGT
+ */
+
+$uuid = $_GET['uuid'] ?? null;
+
+/**
+ * 🧩 UUID-Editor
+ */
+if ($uuid) {
+
+    // Token laden
+    $token = $sql->single(
+        "SELECT * FROM access_tokens WHERE uuid = ?",
+        "s",
+        [$uuid]
+    );
+
+    /**
+     * 🆕 UUID existiert noch nicht → an feste Identität hängen
+     */
+    if (!$token) {
+        $sql->set(
+            "INSERT INTO access_tokens (identity_id, uuid)
+             VALUES (1, ?)",
+            "s",
+            [$uuid]
+        );
+
+        $token = $sql->single(
+            "SELECT * FROM access_tokens WHERE uuid = ?",
+            "s",
+            [$uuid]
+        );
+    }
+
+    /**
+     * 🔄 Speichern
+     */
+    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
+        $issuedTo = $_POST['issued_to'] ?? '';
+        $fields   = $_POST['fields'] ?? [];
+
+        // Notiz speichern
+        $sql->set(
+            "UPDATE access_tokens SET notes = ? WHERE id = ?",
+            "si",
+            [$issuedTo, $token['id']]
+        );
+
+        // Rechte neu setzen
+        $sql->set(
+            "DELETE FROM token_permissions WHERE token_id = ?",
+            "i",
+            [$token['id']]
+        );
+
+        foreach ($fields as $key) {
+            $sql->set(
+                "INSERT INTO token_permissions (token_id, field_key)
+                 VALUES (?, ?)",
+                "is",
+                [$token['id'], $key]
+            );
+        }
+
+        $saved = true;
+    }
+
+    // Alle Felder der Identität
+    $allFields = $sql->get(
+        "SELECT DISTINCT field_key FROM identity_fields WHERE identity_id = ?",
+        "i",
+        [$token['identity_id']]
+    );
+
+    // Aktive Rechte
+    $allowed = $sql->get(
+        "SELECT field_key FROM token_permissions WHERE token_id = ?",
+        "i",
+        [$token['id']]
+    );
+
+    $allowedKeys = array_column($allowed, 'field_key');
+    ?>
+    <!doctype html>
+    <html lang="de">
+    <head>
+        <meta charset="utf-8">
+        <title>UUID bearbeiten</title>
+    </head>
+    <body>
+        <h1>UUID verwalten</h1>
+        <p><strong><?= htmlspecialchars($uuid) ?></strong></p>
+
+        <?php if (!empty($saved)) echo '<p>Gespeichert ✔</p>'; ?>
+
+        <form method="post">
+            <h3>Sichtbare Informationen</h3>
+
+            <?php foreach ($allFields as $f): ?>
+                <label>
+                    <input type="checkbox" name="fields[]" value="<?= htmlspecialchars($f['field_key']) ?>"
+                        <?= in_array($f['field_key'], $allowedKeys) ? 'checked' : '' ?>>
+                    <?= htmlspecialchars($f['field_key']) ?>
+                </label><br>
+            <?php endforeach; ?>
+
+            <h3>Ausgegeben an</h3>
+            <textarea name="issued_to" rows="4" cols="40"><?= htmlspecialchars($token['notes']) ?></textarea>
+
+            <br><br>
+            <button>Speichern</button>
+        </form>
+
+        <p><a href="admin.php">← Zurück</a></p>
+    </body>
+    </html>
+    <?php
+    exit;
+}
+
+/**
+ * 📊 ADMIN DASHBOARD
+ */
+$identities = $sql->get("SELECT * FROM identities ORDER BY id DESC");
+$tokens     = $sql->get("SELECT * FROM access_tokens ORDER BY created_at DESC");
+
+?>
+<!doctype html>
+<html lang="de">
+<head>
+    <meta charset="utf-8">
+    <title>Admin Dashboard</title>
+</head>
+<body>
+    <h1>Admin Dashboard</h1>
+
+    <h2>Identitäten</h2>
+    <ul>
+        <?php foreach ($identities as $i): ?>
+            <li>ID <?= $i['id'] ?></li>
+        <?php endforeach; ?>
+    </ul>
+
+    <h2>UUIDs</h2>
+    <ul>
+        <?php foreach ($tokens as $t): ?>
+            <li>
+                <a href="admin.php?uuid=<?= htmlspecialchars($t['uuid']) ?>">
+                    <?= htmlspecialchars($t['uuid']) ?>
+                </a>
+            </li>
+        <?php endforeach; ?>
+    </ul>
+
+    <p><a href="logout.php">Logout</a></p>
+</body>
+</html>
diff --git a/www/card.php b/www/card.php
index 1b651bc..8bbd78f 100644
--- a/www/card.php
+++ b/www/card.php
@@ -1,5 +1,6 @@
 <?php
 require '_sql.php';
+require '_func.php';
 
 $uuid = $_GET['uuid'] ?? null;
 if (!$uuid) {
diff --git a/www/download.php b/www/download.php
index 61fd922..988f7b8 100644
--- a/www/download.php
+++ b/www/download.php
@@ -1,5 +1,6 @@
 <?php
 require '_sql.php';
+require '_func.php';
 
 /**
  * Eingaben prüfen
