diff --git a/AGENTS.md b/AGENTS.md
new file mode 100644
index 00000000..a0be8bf4
--- /dev/null
+++ b/AGENTS.md
@@ -0,0 +1,298 @@
+# Agent Guidelines for github-actions-ci-dashboard
+
+## Project Overview
+
+A Kotlin-based GitHub Actions CI Dashboard for displaying build status on TV monitors. The application ingests GitHub webhook events and provides HTMX/Handlebars-based dashboards.
+
+**Stack:**
+- Kotlin with Java 21+
+- http4k framework for HTTP
+- PostgreSQL database with Jdbi and Flyway migrations
+- HTMX + Handlebars templating
+- Use BEM for css class naming. `block__element--modifier`. Vanilla CSS. The styling for the Dashboard resides in the `index.hbs` `<style>` block.
+- JUnit, MockK, AssertJ, RestAssured, Playwright for testing
+
+---
+
+## Build & Test Commands
+
+### Running Tests
+
+```bash
+# Run all tests (unit + integration + acceptance)
+mvn verify
+
+# Skip all tests
+mvn verify -DskipTests
+
+# Skip only integration/acceptance tests
+mvn verify -DskipITs
+
+# Run only unit tests
+mvn test
+```
+
+### Running a Single Test
+
+```bash
+# Run a specific test class
+mvn test -Dtest=WebhookSecretValidatorFilterTest
+
+# Run a specific test method
+mvn test -Dtest=WebhookSecretValidatorFilterTest#shouldValidateSecretUsingSha256
+
+# Run integration test
+mvn verify -Dtest=HealthApiTest
+
+# Run integration test method
+mvn verify -Dtest=HealthApiTest#healthShouldRespond200Ok
+```
+
+### Code Quality
+
+```bash
+# Check code style only
+mvn spotless:check
+
+# Apply code style fixes
+mvn spotless:apply
+```
+
+### Running the Application
+
+```bash
+# Start database
+docker-compose up -d db
+
+# Run from IntelliJ - use Main.kt
+# Or build and run:
+mvn package -DskipTests
+java -jar target/app.jar
+
+# Access at http://localhost:PORT/?token=TOKEN_HERE
+```
+
+---
+
+## Code Style Guidelines
+
+### Formatting
+
+- **Use ktfmt** with `META` style (from parent POM). Run `mvn spotless:apply` to auto-format.
+- Max line length follows default ktfmt (100 characters).
+- 2-space indentation for all files.
+
+### Naming Conventions
+
+- **Classes**: PascalCase (e.g., `DashboardConfigService`, `CiStatusRepo`)
+- **Functions/Methods**: camelCase (e.g., `getStatuses()`, `startApi()`)
+- **Properties/Variables**: camelCase (e.g., `val runningTasks`, `val config`)
+- **Constants**: `UPPER_SNAKE_CASE` (e.g., `DB_PASSWORD`)
+- **Packages**: lowercase, dotted (e.g., `no.liflig.cidashboard.webhook`)
+
+### Import Organization
+
+Imports follow the order (enforced by IDE and spotless):
+1. Kotlin standard library (`kotlin.*`)
+2. Third-party Java/Kotlin libraries (`org.*`, `com.*`)
+3. Project imports (`no.liflig.*`)
+
+Example:
+```kotlin
+package no.liflig.cidashboard.webhook
+
+import java.time.Instant
+import org.http4k.core.Method
+import org.http4k.core.Request
+import no.liflig.cidashboard.common.config.Config
+import no.liflig.cidashboard.persistence.CiStatus
+```
+
+### Types & Null Safety
+
+- Use Kotlin's null safety features (`?`, `?:`, `?.`, `let`)
+- Prefer `val` over `var`; use `var` only when mutation is required
+- Use explicit types for public API; type inference is acceptable for local variables
+- Avoid `Any`, `Any?` unless necessary
+- Use sealed classes for controlled hierarchies
+
+### Error Handling
+
+- Use custom Exceptions extending RuntimeException for operations that may fail, and try-catch in the caller.
+- Throw descriptive exceptions for programming errors
+- Return appropriate HTTP status codes in http4k handlers
+- Use the logging framework (`no.liflig.logging.getLogger()`) for error logging:
+  ```kotlin
+  private val log = getLogger()
+  log.error(error) {
+      field("webhook.id", webhook.id)
+      "Failed to process webhook: $error.message"
+  }
+  ```
+- Attach metadata to the logger MDC using `field(key, val)`. Key is the form of a json path. Val may be a `@Serializable` object and in those cases be json encoded in the log.
+
+### Kotlin Specific
+
+- Use Kotlin Data Classes or Value Classes for DTOs and value object
+- Use extension functions for adding functionality to existing classes
+- Avoid top-level functions; prefer classes so Dependency Injection and mocking is possible.
+- Use `object` for singletons
+- Use `companion object` for static class-level constants and factory methods
+- Use `@Serializable` for classes that can serialize to JSON. Add a `toJson` or `fromJson` companion method as required.
+
+---
+
+## Project Structure
+
+```
+src/
+├── main/
+│   ├── kotlin/no/liflig/cidashboard/
+│   │   ├── Main.kt              # Entry point
+│   │   ├── App.kt               # Application bootstrap
+│   │   ├── Api.kt               # HTTP routes
+│   │   ├── DashboardConfig.kt   # Configuration
+│   │   ├── admin/               # Admin endpoints (delete configs)
+│   │   ├── common/              # Shared utilities, config, serialization
+│   │   ├── dashboard/           # Dashboard UI endpoints
+│   │   ├── health/              # Health check endpoint
+│   │   ├── persistence/         # Database entities and repos
+│   │   ├── status_api/          # Status API for XBar
+│   │   └── webhook/             # Webhook ingestion
+│   └── resources/
+│       ├── handlebars-htmx-templates/  # .hbs templates
+│       └── db/migration/               # Flyway migrations
+└── test/
+    ├── kotlin/
+    │   ├── acceptancetests/      # Playwright UI tests
+    │   ├── no/liflig/...         # Unit & integration tests
+    │   └── test/util/            # Test utilities
+    └── http/                    # HTTP test files for IntelliJ. Local experimentation only
+```
+
+---
+
+## Testing Guidelines
+
+### Unit Tests
+
+- Use JUnit 6 (`org.junit.jupiter.api.*`)
+- Use MockK for mocking (`io.mockk.*`)
+- Use AssertJ for assertions (`org.assertj.core.api.Assertions.assertThat`)
+- Test names use backtick format and human readable sentences: `should validate secret using sha256`
+- Place tests in same package as class under test
+
+### Integration Tests
+
+- Mark with `@Integration` annotation
+- Use `AcceptanceTestExtension` for test infrastructure. Add it to the companion object with `@JvmStatic` and `@RegisterExtension`, then read from the extension using method and field access.
+- Use TestContainers for PostgreSQL
+- Use RestAssured for HTTP assertions
+- Use WireMock to simulate external APIs
+
+Example:
+```kotlin
+import test.util.Integration
+import test.util.IntegrationTest
+
+@Integration
+class HealthApiTest {
+  companion object {
+    @JvmField @RegisterExtension val infra = AcceptanceTestExtension()
+  }
+
+  @BeforeEach
+  fun setUp() {
+    RestAssured.port = infra.app.config.apiOptions.serverPort.value
+  }
+
+  @IntegrationTest
+  fun `health should respond 200 ok`() {
+    RestAssured.get("/health").then().assertThat().statusCode(200)
+  }
+}
+```
+
+### Acceptance Tests (Playwright)
+
+- Use Playwright for browser automation
+- Tests go in `acceptancetests` package
+- Use `tvBrowser` fixture for dashboard testing
+
+### Snapshot Testing
+
+- Use `liflig-snapshot-test` for snapshot-based testing
+- Regenerate failed snapshots: `maven verify -DREGENERATE_FAILED_SNAPSHOTS=true`
+
+---
+
+## Database
+
+- Use Jdbi for database access
+- Flyway for migrations (see `src/main/resources/db/migration`)
+- Follow existing naming: `camelCase` for columns, `snake_case` for tables in DB
+- Postgresql SQL dialect. Jsonb for the `data` column.
+
+---
+
+## HTTP API (http4k)
+
+- Use `org.http4k.core.*` for request/response handling
+- Define each HTTP endpoint as a file with Endpoint.kt suffix. The class should extend `org.http4k.core.HttpHandler` and `override fun invoke(request: Request)`.
+- Define routes in `Api.kt` with the HTTP path and the endpoint, in the `routes` call.
+- Use lenses for body parsing with kotlinx.serialization
+- Return appropriate status codes (200, 201, 400, 401, 404, 500)
+
+---
+
+## Common Tasks
+
+### Adding a New Endpoint
+
+1. Create handler in appropriate package (admin, dashboard, status\_api, webhook) or create a new package if this is a distinct feature.
+2. Register route in `Api.kt`
+3. Add test in `src/test/kotlin/no/liflig/cidashboard/`
+4. If this endpoint renders HTMX, add the Handlebars template to `src/main/resources/handlebars-htmx-templates/<PAGE-NAME-HERE>.hbs`. Any kotlin function that uses a Value Class in one of its parameters and is called by the handlebars template must be annotated with `@JvmName` to disable name mangling of functions. Otherwise, the handlebars renderer will complain that the function can not be found at runtime/rendering.
+5. If this endpoint renders HTMX, add the renderer in the Endpoint class. `useHotReload` is a constructor val.
+6. If this endpoint renders HTMX, add acceptance test with Playwright.
+
+```kt
+  private val renderer =
+      if (useHotReload) {
+        Renderer.hotReloading
+      } else {
+        Renderer.classpath
+      }
+
+  private val bodyLens = Body.viewModel(renderer, ContentType.TEXT_HTML).toLens()
+```
+
+### Adding a Database Table
+
+1. Create Flyway migration in `src/main/resources/db/migration/`. The file name MUST follow the flyway naming schema: `VX_Y__name_of_migration.sql` and X and Y must together for a `MAJOR_MINOR` version larger than any pre-existing migration.
+2. Create entity in `persistence/`
+3. Create repository for CRUD operations
+
+
+---
+
+## Configuration
+
+- Main config: `src/main/resources-filtered/application.properties`
+- Environment-specific: Use `overrides.properties` (create via `./init-local-env.sh`) in project directory.
+- Configuration classes in `common/config/`
+
+---
+
+## Useful Development Commands
+
+```bash
+# Test CSS changes with hot-reload
+# Start DevelopmentAid test and modify src/main/resources/handlebars-htmx-templates/index.hbs
+
+# View test HTTP requests
+# Use src/test/http/health.http or webhook.http in IntelliJ
+
+# Get the page contents after starting the server:
+# curl http://localhost:8080
+```
diff --git a/pom.xml b/pom.xml
index 50c86803..940c14ba 100644
--- a/pom.xml
+++ b/pom.xml
@@ -64,6 +64,7 @@
     <jdbi.version>3.51.0</jdbi.version>
     <flyway.version>12.0.1</flyway.version>
     <htmx-idiomorph.version>0.7.4</htmx-idiomorph.version>
+    <nimbus-jose-jwt.version>10.0.2</nimbus-jose-jwt.version>
 
     <!-- Test-dependencies -->
     <junit.version>6.0.3</junit.version>
@@ -72,9 +73,10 @@
     <rest-assured.version>6.0.0</rest-assured.version>
     <testcontainers.postgresql.version>1.21.4</testcontainers.postgresql.version>
     <playwright.version>1.58.0</playwright.version>
+    <wiremock-standalone.version>3.13.2</wiremock-standalone.version>
 
     <!-- Maven -->
-    <ktfmt.version>0.58</ktfmt.version>
+    <ktfmt.version>0.61</ktfmt.version>
     <jacoco-maven-plugin.version>0.8.14</jacoco-maven-plugin.version>
     <maven-failsafe-plugin.version>3.5.4</maven-failsafe-plugin.version>
     <maven-shade-plugin.version>3.6.1</maven-shade-plugin.version>
@@ -233,6 +235,17 @@
       <artifactId>http4k-template-handlebars</artifactId>
     </dependency>
 
+    <!-- Cognito OAuth-->
+    <dependency>
+      <groupId>org.http4k</groupId>
+      <artifactId>http4k-security-oauth</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>com.nimbusds</groupId>
+      <artifactId>nimbus-jose-jwt</artifactId>
+      <version>${nimbus-jose-jwt.version}</version>
+    </dependency>
+
     <dependency>
       <!-- HTMX static files -->
       <groupId>org.webjars.npm</groupId>
@@ -332,6 +345,13 @@
       <version>${playwright.version}</version>
       <scope>test</scope>
     </dependency>
+
+    <dependency>
+      <groupId>org.wiremock</groupId>
+      <artifactId>wiremock-standalone</artifactId>
+      <version>${wiremock-standalone.version}</version>
+      <scope>test</scope>
+    </dependency>
   </dependencies>
 
   <build>
diff --git a/src/main/kotlin/no/liflig/cidashboard/Api.kt b/src/main/kotlin/no/liflig/cidashboard/Api.kt
index 089b16ac..cf3217d4 100644
--- a/src/main/kotlin/no/liflig/cidashboard/Api.kt
+++ b/src/main/kotlin/no/liflig/cidashboard/Api.kt
@@ -1,9 +1,16 @@
 package no.liflig.cidashboard
 
+import no.liflig.cidashboard.admin.auth.CognitoAuthService
 import no.liflig.cidashboard.admin.config.DashboardConfigEndpoint
 import no.liflig.cidashboard.admin.config.DashboardConfigService
 import no.liflig.cidashboard.admin.database.DeleteCiStatusEndpoint
 import no.liflig.cidashboard.admin.database.DeleteDatabaseRowsService
+import no.liflig.cidashboard.admin.gui.AdminGuiService
+import no.liflig.cidashboard.admin.gui.AdminIndexEndpoint
+import no.liflig.cidashboard.admin.gui.CiStatusDeleteEndpoint
+import no.liflig.cidashboard.admin.gui.CiStatusListEndpoint
+import no.liflig.cidashboard.admin.gui.ConfigListEndpoint
+import no.liflig.cidashboard.admin.gui.IntegrationGuideEndpoint
 import no.liflig.cidashboard.common.config.ApiOptions
 import no.liflig.cidashboard.common.config.WebhookOptions
 import no.liflig.cidashboard.common.http4k.httpNoServerVersionHeader
@@ -21,6 +28,8 @@ import no.liflig.http4k.setup.LifligBasicApiSetup
 import no.liflig.http4k.setup.logging.LoggingFilter
 import org.http4k.contract.openapi.v3.ApiServer
 import org.http4k.core.Method
+import org.http4k.core.Response
+import org.http4k.core.Status
 import org.http4k.core.then
 import org.http4k.filter.ServerFilters
 import org.http4k.routing.ResourceLoader.Companion.Classpath
@@ -57,6 +66,9 @@ fun createApiServer(
 
   val indexEndpoint =
       IndexEndpoint(options.clientSecretToken, options.hotReloadTemplates, options.updatesPollRate)
+
+  val adminGuiRoutes: RoutingHttpHandler = createAdminGuiRoutes(services, options, webhookOptions)
+
   return coreFilters.then(
       routes(
           "/" bind Method.GET to indexEndpoint,
@@ -77,9 +89,6 @@ fun createApiServer(
               Method.GET to
               ServerFilters.BearerAuth(options.devtoolSecretToken.value)
                   .then(FetchStatusesEndpoint(services.filteredStatusesService)),
-          /*"/admin/nuke" bind
-          Method.POST to
-          DeleteAllDatabaseRowsEndpoint(services.deleteDatabaseRowsService),*/
           "/admin/delete" bind
               Method.DELETE to
               ServerFilters.BearerAuth(token = options.adminSecretToken.value)
@@ -88,12 +97,55 @@ fun createApiServer(
               Method.POST to
               ServerFilters.BearerAuth(token = options.adminSecretToken.value)
                   .then(DashboardConfigEndpoint(services.dashboardConfigService)),
+          adminGuiRoutes,
           static(Classpath("/static")),
           webJars(),
       )
   )
 }
 
+/** If admin gui is disabled or cognito is not configured, the `/admin` route returns 404. */
+private fun createAdminGuiRoutes(
+    services: ApiServices,
+    options: ApiOptions,
+    webhookOptions: WebhookOptions,
+): RoutingHttpHandler =
+    if (services.cognitoAuthService != null) {
+      routes(
+          "/admin/oauth/callback" bind Method.GET to services.cognitoAuthService.callbackHandler(),
+          "/admin" bind
+              routes(
+                      "/" bind Method.GET to AdminIndexEndpoint(),
+                      "/ci-statuses" bind
+                          Method.GET to
+                          CiStatusListEndpoint(
+                              services.adminGuiService,
+                              options.hotReloadTemplates,
+                          ),
+                      "/ci-statuses/{id}" bind
+                          Method.DELETE to
+                          CiStatusDeleteEndpoint(
+                              services.deleteDatabaseRowsService,
+                          ),
+                      "/integration" bind
+                          Method.GET to
+                          IntegrationGuideEndpoint(
+                              webhookOptions.secret,
+                              options.hotReloadTemplates,
+                          ),
+                      "/configs" bind
+                          Method.GET to
+                          ConfigListEndpoint(
+                              services.adminGuiService,
+                              options.hotReloadTemplates,
+                          ),
+                  )
+                  .withFilter(services.cognitoAuthService.authFilter()),
+      )
+    } else {
+      "/admin" bind Method.GET to { Response(Status.NOT_FOUND).body("Admin GUI not configured") }
+    }
+
 fun RoutingHttpHandler.asJettyServer(options: ApiOptions): Http4kServer =
     this.asServer(
         Jetty(options.serverPort.value, httpNoServerVersionHeader(options.serverPort.value))
@@ -107,4 +159,6 @@ data class ApiServices(
     val dashboardConfigService: DashboardConfigService,
     val deleteDatabaseRowsService: DeleteDatabaseRowsService,
     val filteredStatusesService: FilteredStatusesService,
+    val adminGuiService: AdminGuiService,
+    val cognitoAuthService: CognitoAuthService?,
 )
diff --git a/src/main/kotlin/no/liflig/cidashboard/App.kt b/src/main/kotlin/no/liflig/cidashboard/App.kt
index 5017e7d3..0d9f8573 100644
--- a/src/main/kotlin/no/liflig/cidashboard/App.kt
+++ b/src/main/kotlin/no/liflig/cidashboard/App.kt
@@ -1,8 +1,10 @@
 package no.liflig.cidashboard
 
+import no.liflig.cidashboard.admin.auth.CognitoAuthService
 import no.liflig.cidashboard.admin.config.DashboardConfigService
 import no.liflig.cidashboard.admin.config.JdbiDashboardConfigTransaction
 import no.liflig.cidashboard.admin.database.DeleteDatabaseRowsService
+import no.liflig.cidashboard.admin.gui.AdminGuiService
 import no.liflig.cidashboard.common.config.Config
 import no.liflig.cidashboard.common.database.DatabaseConfigurator
 import no.liflig.cidashboard.common.database.DbPassword
@@ -16,10 +18,11 @@ import no.liflig.cidashboard.status_api.FilteredStatusesService
 import no.liflig.cidashboard.webhook.IncomingWebhookService
 import no.liflig.cidashboard.webhook.JdbiCiStatusTransaction
 import no.liflig.logging.getLogger
+import org.http4k.client.JavaHttpClient
 import org.jdbi.v3.core.Jdbi
 
 /**
- * The main entry point for the application. Should be started from [Main].
+ * The main entry point for the application. Should be started from [main].
  *
  * @param config any options like ports and urls should be set here. Override values in the config
  *   when doing testing of [App].
@@ -60,6 +63,20 @@ class App(val config: Config) {
         )
     val dashboardConfigService = DashboardConfigService(JdbiDashboardConfigTransaction(jdbi))
 
+    val adminGuiService =
+        AdminGuiService(
+            ciStatusRepo = JdbiCiStatusDatabaseHandle(jdbi),
+            configRepo = JdbiDashboardConfigDatabaseHandle(jdbi),
+        )
+
+    val cognitoAuthService =
+        config.cognitoConfig?.let { cognitoConfig ->
+          CognitoAuthService(
+              config = cognitoConfig,
+              httpClient = JavaHttpClient(),
+          )
+        }
+
     val services =
         ApiServices(
             healthService,
@@ -68,6 +85,8 @@ class App(val config: Config) {
             dashboardConfigService,
             DeleteDatabaseRowsService(JdbiCiStatusDatabaseHandle(jdbi)),
             FilteredStatusesService(JdbiCiStatusDatabaseHandle(jdbi)),
+            adminGuiService,
+            cognitoAuthService,
         )
 
     val server =
diff --git a/src/main/kotlin/no/liflig/cidashboard/admin/auth/CognitoAuthService.kt b/src/main/kotlin/no/liflig/cidashboard/admin/auth/CognitoAuthService.kt
new file mode 100644
index 00000000..c93367b4
--- /dev/null
+++ b/src/main/kotlin/no/liflig/cidashboard/admin/auth/CognitoAuthService.kt
@@ -0,0 +1,106 @@
+package no.liflig.cidashboard.admin.auth
+
+import java.net.URI
+import no.liflig.cidashboard.common.config.CognitoConfig
+import no.liflig.logging.getLogger
+import org.http4k.core.Filter
+import org.http4k.core.HttpHandler
+import org.http4k.core.Request
+import org.http4k.core.Response
+import org.http4k.core.Status
+import org.http4k.core.Uri
+import org.http4k.core.then
+import org.http4k.core.with
+import org.http4k.lens.RequestKey
+import org.http4k.lens.RequestLens
+import org.http4k.security.InsecureCookieBasedOAuthPersistence
+import org.http4k.security.OAuthPersistence
+import org.http4k.security.OAuthProvider
+
+class CognitoAuthService(
+    config: CognitoConfig,
+    httpClient: HttpHandler,
+) {
+  private val log = getLogger()
+
+  private val bypassEnabled: Boolean = config.bypassEnabled
+  private val requiredGroup: String = config.requiredGroup
+
+  private val jwtValidator =
+      CognitoJwtValidator(
+          jwksUrl = URI(config.jwksUrl).toURL(),
+          clientId = config.clientId,
+          issuerUrl = config.issuerUrl,
+      )
+  private val persistence: OAuthPersistence = InsecureCookieBasedOAuthPersistence("cognito")
+
+  private val callbackUri: Uri = Uri.of("${config.appBaseUrl}/admin/oauth/callback")
+  private val oAuthProvider: OAuthProvider =
+      CognitoOAuthProvider.create(
+          domain = config.domain,
+          region = config.region,
+          authBaseUrl = config.authBaseUrl,
+          clientId = config.clientId,
+          clientSecret = config.clientSecret,
+          scopes = listOf("openid", "email", "profile"),
+          callbackUri = callbackUri,
+          persistence = persistence,
+          http = httpClient,
+      )
+
+  fun authFilter(): Filter = Filter { next ->
+    { request ->
+      if (bypassEnabled) {
+        log.debug { "Cognito auth bypass enabled - skipping authentication" }
+        return@Filter next(request.setUser(bypassUser()))
+      }
+
+      val accessToken = persistence.retrieveToken(request)
+
+      if (accessToken == null) {
+        log.debug { "No access token found - delegating to OAuth provider for redirect" }
+        return@Filter oAuthProvider.authFilter.then(next)(request)
+      }
+
+      val user = jwtValidator.validate(accessToken.value)
+
+      if (user == null) {
+        log.debug { "Invalid access token - delegating to OAuth provider for redirect" }
+        return@Filter oAuthProvider.authFilter.then(next)(request)
+      }
+
+      if (!user.groups.contains(requiredGroup)) {
+        log.warn {
+          field("user.username", user.username)
+          field("user.groups", user.groups)
+          field("required.group", requiredGroup)
+          "User does not have required group"
+        }
+        return@Filter Response(Status.FORBIDDEN)
+            .body("Access denied. Required group: $requiredGroup")
+      }
+
+      next(request.setUser(user))
+    }
+  }
+
+  fun callbackHandler(): HttpHandler = oAuthProvider.callback
+
+  private fun bypassUser(): CognitoUser =
+      CognitoUser(
+          username = "bypass-user",
+          email = "bypass@localhost",
+          groups = listOf(requiredGroup),
+      )
+
+  companion object {
+    private val userKey: RequestLens<CognitoUser?> = RequestKey.optional("cognitoUser")
+
+    internal fun Request.setUser(user: CognitoUser): Request = with(userKey of user)
+
+    fun cognitoUser(request: Request): CognitoUser? = userKey(request)
+
+    fun requireCognitoUser(request: Request): CognitoUser =
+        cognitoUser(request) ?: throw IllegalStateException("No Cognito user in request context")
+  }
+}
diff --git a/src/main/kotlin/no/liflig/cidashboard/admin/auth/CognitoJwtValidator.kt b/src/main/kotlin/no/liflig/cidashboard/admin/auth/CognitoJwtValidator.kt
new file mode 100644
index 00000000..9adbcd86
--- /dev/null
+++ b/src/main/kotlin/no/liflig/cidashboard/admin/auth/CognitoJwtValidator.kt
@@ -0,0 +1,88 @@
+package no.liflig.cidashboard.admin.auth
+
+import com.nimbusds.jose.JWSAlgorithm
+import com.nimbusds.jose.jwk.source.JWKSourceBuilder
+import com.nimbusds.jose.proc.JWSVerificationKeySelector
+import com.nimbusds.jose.proc.SecurityContext
+import com.nimbusds.jwt.JWTClaimsSet
+import com.nimbusds.jwt.proc.ConfigurableJWTProcessor
+import com.nimbusds.jwt.proc.DefaultJWTProcessor
+import java.net.URL
+import no.liflig.logging.getLogger
+
+data class CognitoUser(
+    val username: String,
+    val email: String?,
+    val groups: List<String>,
+)
+
+class CognitoJwtValidator(
+    private val jwksUrl: URL,
+    private val clientId: String,
+    private val issuerUrl: String,
+) {
+  private val log = getLogger()
+
+  private val jwtProcessor: ConfigurableJWTProcessor<SecurityContext> =
+      DefaultJWTProcessor<SecurityContext>().apply {
+        val jwkSource = JWKSourceBuilder.create<SecurityContext>(jwksUrl).build()
+        val keySelector = JWSVerificationKeySelector(JWSAlgorithm.RS256, jwkSource)
+        setJWSKeySelector(keySelector)
+      }
+
+  fun validate(token: String): CognitoUser? {
+    return try {
+      val claims = jwtProcessor.process(token, null)
+      validateClaims(claims)?.let { user ->
+        log.debug {
+          field("cognito.username", user.username)
+          field("cognito.groups", user.groups)
+          "Validated Cognito JWT"
+        }
+        user
+      }
+    } catch (e: Exception) {
+      log.warn(e) { "Failed to validate Cognito JWT" }
+      null
+    }
+  }
+
+  private fun validateClaims(claims: JWTClaimsSet): CognitoUser? {
+    val issuer = claims.issuer
+    if (issuer != issuerUrl) {
+      log.warn {
+        field("expected.issuer", issuerUrl)
+        field("actual.issuer", issuer)
+        "JWT issuer mismatch"
+      }
+      return null
+    }
+
+    val audience = claims.audience
+    if (!audience.contains(clientId)) {
+      log.warn {
+        field("expected.audience", clientId)
+        field("actual.audience", audience)
+        "JWT audience mismatch"
+      }
+      return null
+    }
+
+    val expirationTime = claims.expirationTime
+    if (expirationTime != null && expirationTime.before(java.util.Date())) {
+      log.warn { "JWT has expired" }
+      return null
+    }
+
+    val username = claims.getClaim("cognito:username") as? String ?: claims.subject
+    val email = claims.getClaim("email") as? String
+
+    @Suppress("UNCHECKED_CAST")
+    val groups =
+        (claims.getClaim("cognito:groups") as? List<String>)
+            ?: (claims.getClaim("custom:groups") as? List<String>)
+            ?: emptyList()
+
+    return CognitoUser(username = username, email = email, groups = groups)
+  }
+}
diff --git a/src/main/kotlin/no/liflig/cidashboard/admin/auth/CognitoOAuthProvider.kt b/src/main/kotlin/no/liflig/cidashboard/admin/auth/CognitoOAuthProvider.kt
new file mode 100644
index 00000000..4daf56f7
--- /dev/null
+++ b/src/main/kotlin/no/liflig/cidashboard/admin/auth/CognitoOAuthProvider.kt
@@ -0,0 +1,47 @@
+package no.liflig.cidashboard.admin.auth
+
+import no.liflig.logging.getLogger
+import org.http4k.core.Credentials
+import org.http4k.core.HttpHandler
+import org.http4k.core.Uri
+import org.http4k.security.OAuthPersistence
+import org.http4k.security.OAuthProvider
+import org.http4k.security.OAuthProviderConfig
+
+object CognitoOAuthProvider {
+  private val log = getLogger()
+
+  fun create(
+      domain: String,
+      region: String,
+      authBaseUrl: String,
+      clientId: String,
+      clientSecret: String,
+      scopes: List<String>,
+      callbackUri: Uri,
+      persistence: OAuthPersistence,
+      http: HttpHandler,
+  ): OAuthProvider {
+    log.info {
+      field("cognito.domain", domain)
+      field("cognito.region", region)
+      "Creating Cognito OAuth provider"
+    }
+
+    val providerConfig =
+        OAuthProviderConfig(
+            authBase = Uri.of(authBaseUrl),
+            authPath = "/oauth2/authorize",
+            tokenPath = "/oauth2/token",
+            credentials = Credentials(clientId, clientSecret),
+        )
+
+    return OAuthProvider(
+        providerConfig,
+        http,
+        callbackUri,
+        scopes,
+        persistence,
+    )
+  }
+}
diff --git a/src/main/kotlin/no/liflig/cidashboard/admin/gui/AdminGuiService.kt b/src/main/kotlin/no/liflig/cidashboard/admin/gui/AdminGuiService.kt
new file mode 100644
index 00000000..d1096b0f
--- /dev/null
+++ b/src/main/kotlin/no/liflig/cidashboard/admin/gui/AdminGuiService.kt
@@ -0,0 +1,41 @@
+package no.liflig.cidashboard.admin.gui
+
+import java.time.ZoneId
+import java.time.format.DateTimeFormatter
+import no.liflig.cidashboard.dashboard.UseCiStatusRepo
+import no.liflig.cidashboard.dashboard.UseDashboardConfigRepo
+
+class AdminGuiService(
+    private val ciStatusRepo: UseCiStatusRepo<List<CiStatusRow>>,
+    private val configRepo: UseDashboardConfigRepo<List<ConfigRow>>,
+) {
+  private val dateFormatter =
+      DateTimeFormatter.ofPattern("yyyy-MM-dd HH:mm").withZone(ZoneId.systemDefault())
+
+  fun getCiStatuses(): List<CiStatusRow> {
+    return ciStatusRepo { repo ->
+      repo.getAll().map { status ->
+        CiStatusRow(
+            id = status.id.value,
+            repoOwner = status.repo.owner.value,
+            repoName = status.repo.name.value,
+            branch = status.branch.value,
+            status = status.lastStatus.name,
+            lastUpdated = dateFormatter.format(status.lastUpdatedAt),
+        )
+      }
+    }
+  }
+
+  fun getConfigs(): List<ConfigRow> {
+    return configRepo { repo ->
+      repo.getAll().map { config ->
+        ConfigRow(
+            id = config.id.value,
+            displayName = config.displayName,
+            orgMatchers = config.orgMatchers.joinToString(", ") { it.matcher.pattern },
+        )
+      }
+    }
+  }
+}
diff --git a/src/main/kotlin/no/liflig/cidashboard/admin/gui/AdminIndexEndpoint.kt b/src/main/kotlin/no/liflig/cidashboard/admin/gui/AdminIndexEndpoint.kt
new file mode 100644
index 00000000..7c0c7ee8
--- /dev/null
+++ b/src/main/kotlin/no/liflig/cidashboard/admin/gui/AdminIndexEndpoint.kt
@@ -0,0 +1,14 @@
+package no.liflig.cidashboard.admin.gui
+
+import no.liflig.cidashboard.admin.auth.CognitoAuthService
+import org.http4k.core.HttpHandler
+import org.http4k.core.Request
+import org.http4k.core.Response
+import org.http4k.core.Status
+
+class AdminIndexEndpoint : HttpHandler {
+  override fun invoke(request: Request): Response {
+    CognitoAuthService.requireCognitoUser(request)
+    return Response(Status.FOUND).header("Location", "/admin/ci-statuses")
+  }
+}
diff --git a/src/main/kotlin/no/liflig/cidashboard/admin/gui/AdminRenderer.kt b/src/main/kotlin/no/liflig/cidashboard/admin/gui/AdminRenderer.kt
new file mode 100644
index 00000000..40976da6
--- /dev/null
+++ b/src/main/kotlin/no/liflig/cidashboard/admin/gui/AdminRenderer.kt
@@ -0,0 +1,31 @@
+package no.liflig.cidashboard.admin.gui
+
+import com.github.jknack.handlebars.Handlebars
+import com.github.jknack.handlebars.cache.ConcurrentMapTemplateCache
+import com.github.jknack.handlebars.cache.NullTemplateCache
+import com.github.jknack.handlebars.helper.StringHelpers
+import no.liflig.cidashboard.dashboard.CustomHelpers
+import no.liflig.cidashboard.dashboard.MissingHelper
+import no.liflig.cidashboard.dashboard.Renderer
+import org.http4k.template.HandlebarsTemplates
+import org.http4k.template.TemplateRenderer
+
+object AdminRenderer {
+  private val handlebarsConfig: (Handlebars) -> Handlebars = { handlebars ->
+    handlebars
+        .prettyPrint(true)
+        .registerHelperMissing(MissingHelper)
+        .registerHelpers(CustomHelpers)
+        .registerHelpers(StringHelpers::class.java)
+  }
+
+  val hotReloading: TemplateRenderer by lazy {
+    HandlebarsTemplates { handlebarsConfig(it).with(NullTemplateCache.INSTANCE) }
+        .HotReload("src/main/resources/${Renderer.TEMPLATE_DIR}")
+  }
+
+  val classpath: TemplateRenderer by lazy {
+    HandlebarsTemplates { handlebarsConfig(it).with(ConcurrentMapTemplateCache()) }
+        .CachingClasspath(Renderer.TEMPLATE_DIR)
+  }
+}
diff --git a/src/main/kotlin/no/liflig/cidashboard/admin/gui/AdminViewModels.kt b/src/main/kotlin/no/liflig/cidashboard/admin/gui/AdminViewModels.kt
new file mode 100644
index 00000000..1a0b3785
--- /dev/null
+++ b/src/main/kotlin/no/liflig/cidashboard/admin/gui/AdminViewModels.kt
@@ -0,0 +1,53 @@
+package no.liflig.cidashboard.admin.gui
+
+import no.liflig.cidashboard.admin.auth.CognitoUser
+import no.liflig.cidashboard.common.http4k.Webjars
+import org.http4k.template.ViewModel
+
+data class CiStatusListPage(
+    val title: String,
+    val user: CognitoUser,
+    val activePage: String,
+    val statuses: List<CiStatusRow>,
+) : ViewModel {
+  val htmxVersion: String = Webjars.htmxVersion
+
+  override fun template(): String = "admin-ci-statuses"
+}
+
+data class CiStatusRow(
+    val id: String,
+    val repoOwner: String,
+    val repoName: String,
+    val branch: String,
+    val status: String,
+    val lastUpdated: String,
+)
+
+data class IntegrationGuidePage(
+    val title: String,
+    val user: CognitoUser,
+    val activePage: String,
+    val webhookSecret: String,
+) : ViewModel {
+  val htmxVersion: String = Webjars.htmxVersion
+
+  override fun template(): String = "admin-integration"
+}
+
+data class ConfigListPage(
+    val title: String,
+    val user: CognitoUser,
+    val activePage: String,
+    val configs: List<ConfigRow>,
+) : ViewModel {
+  val htmxVersion: String = Webjars.htmxVersion
+
+  override fun template(): String = "admin-configs"
+}
+
+data class ConfigRow(
+    val id: String,
+    val displayName: String,
+    val orgMatchers: String,
+)
diff --git a/src/main/kotlin/no/liflig/cidashboard/admin/gui/CiStatusDeleteEndpoint.kt b/src/main/kotlin/no/liflig/cidashboard/admin/gui/CiStatusDeleteEndpoint.kt
new file mode 100644
index 00000000..235a56f9
--- /dev/null
+++ b/src/main/kotlin/no/liflig/cidashboard/admin/gui/CiStatusDeleteEndpoint.kt
@@ -0,0 +1,34 @@
+package no.liflig.cidashboard.admin.gui
+
+import no.liflig.cidashboard.admin.auth.CognitoAuthService
+import no.liflig.cidashboard.admin.database.DeleteDatabaseRowsService
+import no.liflig.cidashboard.persistence.CiStatusId
+import no.liflig.logging.getLogger
+import org.http4k.core.HttpHandler
+import org.http4k.core.Request
+import org.http4k.core.Response
+import org.http4k.core.Status
+import org.http4k.lens.Path
+
+class CiStatusDeleteEndpoint(
+    private val deleteService: DeleteDatabaseRowsService,
+) : HttpHandler {
+
+  private val logger = getLogger()
+  private val idLens = Path.of("id")
+
+  override fun invoke(request: Request): Response {
+    val user = CognitoAuthService.requireCognitoUser(request)
+
+    val id = CiStatusId(idLens(request))
+    deleteService.deleteById(id)
+
+    logger.info {
+      field("user", user.username)
+      field("repo.id", id)
+      "Repo deleted: $id"
+    }
+
+    return Response(Status.OK)
+  }
+}
diff --git a/src/main/kotlin/no/liflig/cidashboard/admin/gui/CiStatusListEndpoint.kt b/src/main/kotlin/no/liflig/cidashboard/admin/gui/CiStatusListEndpoint.kt
new file mode 100644
index 00000000..cf3fc30d
--- /dev/null
+++ b/src/main/kotlin/no/liflig/cidashboard/admin/gui/CiStatusListEndpoint.kt
@@ -0,0 +1,35 @@
+package no.liflig.cidashboard.admin.gui
+
+import no.liflig.cidashboard.admin.auth.CognitoAuthService
+import org.http4k.core.Body
+import org.http4k.core.ContentType
+import org.http4k.core.HttpHandler
+import org.http4k.core.Request
+import org.http4k.core.Response
+import org.http4k.core.Status
+import org.http4k.core.with
+import org.http4k.template.viewModel
+
+class CiStatusListEndpoint(
+    private val service: AdminGuiService,
+    useHotReload: Boolean,
+) : HttpHandler {
+
+  private val renderer = if (useHotReload) AdminRenderer.hotReloading else AdminRenderer.classpath
+  private val bodyLens = Body.viewModel(renderer, ContentType.TEXT_HTML).toLens()
+
+  override fun invoke(request: Request): Response {
+    val user = CognitoAuthService.requireCognitoUser(request)
+    val statuses = service.getCiStatuses()
+
+    val page =
+        CiStatusListPage(
+            title = "CI Statuses",
+            user = user,
+            activePage = "ci-statuses",
+            statuses = statuses,
+        )
+
+    return Response(Status.OK).with(bodyLens of page)
+  }
+}
diff --git a/src/main/kotlin/no/liflig/cidashboard/admin/gui/ConfigListEndpoint.kt b/src/main/kotlin/no/liflig/cidashboard/admin/gui/ConfigListEndpoint.kt
new file mode 100644
index 00000000..1b2cae57
--- /dev/null
+++ b/src/main/kotlin/no/liflig/cidashboard/admin/gui/ConfigListEndpoint.kt
@@ -0,0 +1,35 @@
+package no.liflig.cidashboard.admin.gui
+
+import no.liflig.cidashboard.admin.auth.CognitoAuthService
+import org.http4k.core.Body
+import org.http4k.core.ContentType
+import org.http4k.core.HttpHandler
+import org.http4k.core.Request
+import org.http4k.core.Response
+import org.http4k.core.Status
+import org.http4k.core.with
+import org.http4k.template.viewModel
+
+class ConfigListEndpoint(
+    private val service: AdminGuiService,
+    useHotReload: Boolean,
+) : HttpHandler {
+
+  private val renderer = if (useHotReload) AdminRenderer.hotReloading else AdminRenderer.classpath
+  private val bodyLens = Body.viewModel(renderer, ContentType.TEXT_HTML).toLens()
+
+  override fun invoke(request: Request): Response {
+    val user = CognitoAuthService.requireCognitoUser(request)
+    val configs = service.getConfigs()
+
+    val page =
+        ConfigListPage(
+            title = "Dashboard Configurations",
+            user = user,
+            activePage = "configs",
+            configs = configs,
+        )
+
+    return Response(Status.OK).with(bodyLens of page)
+  }
+}
diff --git a/src/main/kotlin/no/liflig/cidashboard/admin/gui/IntegrationGuideEndpoint.kt b/src/main/kotlin/no/liflig/cidashboard/admin/gui/IntegrationGuideEndpoint.kt
new file mode 100644
index 00000000..54be3643
--- /dev/null
+++ b/src/main/kotlin/no/liflig/cidashboard/admin/gui/IntegrationGuideEndpoint.kt
@@ -0,0 +1,35 @@
+package no.liflig.cidashboard.admin.gui
+
+import no.liflig.cidashboard.admin.auth.CognitoAuthService
+import no.liflig.cidashboard.common.config.WebhookOptions
+import org.http4k.core.Body
+import org.http4k.core.ContentType
+import org.http4k.core.HttpHandler
+import org.http4k.core.Request
+import org.http4k.core.Response
+import org.http4k.core.Status
+import org.http4k.core.with
+import org.http4k.template.viewModel
+
+class IntegrationGuideEndpoint(
+    private val webhookSecret: WebhookOptions.Secret,
+    useHotReload: Boolean,
+) : HttpHandler {
+
+  private val renderer = if (useHotReload) AdminRenderer.hotReloading else AdminRenderer.classpath
+  private val bodyLens = Body.viewModel(renderer, ContentType.TEXT_HTML).toLens()
+
+  override fun invoke(request: Request): Response {
+    val user = CognitoAuthService.requireCognitoUser(request)
+
+    val page =
+        IntegrationGuidePage(
+            title = "Integration Guide",
+            user = user,
+            activePage = "integration",
+            webhookSecret = webhookSecret.value,
+        )
+
+    return Response(Status.OK).with(bodyLens of page)
+  }
+}
diff --git a/src/main/kotlin/no/liflig/cidashboard/common/config/CognitoConfig.kt b/src/main/kotlin/no/liflig/cidashboard/common/config/CognitoConfig.kt
new file mode 100644
index 00000000..d5924ae4
--- /dev/null
+++ b/src/main/kotlin/no/liflig/cidashboard/common/config/CognitoConfig.kt
@@ -0,0 +1,80 @@
+package no.liflig.cidashboard.common.config
+
+import java.util.Properties
+import no.liflig.logging.getLogger
+import no.liflig.properties.booleanRequired
+import no.liflig.properties.stringNotEmpty
+import no.liflig.properties.stringNotNull
+import software.amazon.awssdk.regions.Region
+
+data class CognitoConfig(
+    val userPoolId: String,
+    val clientId: String,
+    val clientSecret: String,
+    val domain: String,
+    val region: String,
+    val requiredGroup: String,
+    val bypassEnabled: Boolean,
+    val issuerUrlOverride: String? = null,
+    val authBaseOverride: String? = null,
+    val appBaseUrl: String,
+) {
+  val issuerUrl: String
+    get() = issuerUrlOverride ?: "https://cognito-idp.$region.amazonaws.com/$userPoolId"
+
+  val jwksUrl: String
+    get() = "$issuerUrl/.well-known/jwks.json"
+
+  val authBaseUrl: String
+    get() = authBaseOverride ?: "https://$domain.auth.$region.amazoncognito.com"
+
+  val authorizationEndpoint: String
+    get() = "$authBaseUrl/oauth2/authorize"
+
+  val tokenEndpoint: String
+    get() = "$authBaseUrl/oauth2/token"
+
+  val logoutEndpoint: String
+    get() = "$authBaseUrl/logout"
+
+  companion object {
+    private val logger = getLogger()
+    private const val DUMMY_VALUE = "not-configured"
+
+    fun from(props: Properties): CognitoConfig? {
+      if (!props.booleanRequired("admin.gui.enabled")) {
+        return null
+      }
+
+      val requiredGroup = props.stringNotEmpty("cognito.requiredGroup")
+
+      val bypassEnabled = props.booleanRequired("cognito.bypassEnabled")
+      if (bypassEnabled) {
+        logger.warn {
+          "Cognito bypass enabled. Ensure this is not running in production: your admin gui is now unauthenticated."
+        }
+        return CognitoConfig(
+            userPoolId = DUMMY_VALUE,
+            clientId = DUMMY_VALUE,
+            clientSecret = DUMMY_VALUE,
+            domain = DUMMY_VALUE,
+            region = Region.EU_WEST_1.id(),
+            requiredGroup = requiredGroup,
+            bypassEnabled = true,
+            appBaseUrl = DUMMY_VALUE,
+        )
+      }
+
+      return CognitoConfig(
+          userPoolId = props.stringNotEmpty("cognito.userPoolId"),
+          clientId = props.stringNotEmpty("cognito.clientId"),
+          clientSecret = props.stringNotNull("cognito.clientSecret"),
+          domain = props.stringNotEmpty("cognito.domain"),
+          region = props.stringNotEmpty("cognito.region"),
+          requiredGroup = requiredGroup,
+          bypassEnabled = false,
+          appBaseUrl = props.stringNotEmpty("cognito.appBaseUrl"),
+      )
+    }
+  }
+}
diff --git a/src/main/kotlin/no/liflig/cidashboard/common/config/Config.kt b/src/main/kotlin/no/liflig/cidashboard/common/config/Config.kt
index 1d66d86b..93f93dbc 100644
--- a/src/main/kotlin/no/liflig/cidashboard/common/config/Config.kt
+++ b/src/main/kotlin/no/liflig/cidashboard/common/config/Config.kt
@@ -14,6 +14,7 @@ data class Config(
     val apiOptions: ApiOptions = ApiOptions.from(properties),
     val database: DbConfig = DbConfig.from(properties),
     val webhookOptions: WebhookOptions = WebhookOptions.from(properties),
+    val cognitoConfig: CognitoConfig? = CognitoConfig.from(properties),
 ) {
 
   companion object {
diff --git a/src/main/kotlin/no/liflig/cidashboard/dashboard/HandlebarsTemplate.kt b/src/main/kotlin/no/liflig/cidashboard/dashboard/HandlebarsTemplate.kt
index 5047f352..e5618b57 100644
--- a/src/main/kotlin/no/liflig/cidashboard/dashboard/HandlebarsTemplate.kt
+++ b/src/main/kotlin/no/liflig/cidashboard/dashboard/HandlebarsTemplate.kt
@@ -82,4 +82,10 @@ object CustomHelpers {
       else -> false
     }
   }
+
+  @Suppress("unused")
+  @JvmName("eq")
+  fun eq(left: Any?, right: Any?): Boolean {
+    return left == right
+  }
 }
diff --git a/src/main/kotlin/no/liflig/cidashboard/persistence/DashboardConfigRepo.kt b/src/main/kotlin/no/liflig/cidashboard/persistence/DashboardConfigRepo.kt
index 02dd9fd5..2d79c18e 100644
--- a/src/main/kotlin/no/liflig/cidashboard/persistence/DashboardConfigRepo.kt
+++ b/src/main/kotlin/no/liflig/cidashboard/persistence/DashboardConfigRepo.kt
@@ -52,4 +52,12 @@ class DashboardConfigRepo(private val databaseHandle: Handle) {
         .getOrNull()
         .also { log.debug { "Fetched ${it?.id} from ${TABLE_NAME}" } }
   }
+
+  fun getAll(): List<DashboardConfig> {
+    return databaseHandle
+        .select("SELECT data FROM $TABLE_NAME ORDER BY id")
+        .map { rs: ResultSet, _ -> DashboardConfig.fromJson(rs.getString("data")) }
+        .list()
+        .also { log.debug { "Fetched ${it.size} configs from $TABLE_NAME" } }
+  }
 }
diff --git a/src/main/resources-filtered/application.properties b/src/main/resources-filtered/application.properties
index efe4de18..c59b58c2 100644
--- a/src/main/resources-filtered/application.properties
+++ b/src/main/resources-filtered/application.properties
@@ -35,3 +35,15 @@ dashboard.client.secretToken=change-me-to-something-secret
 
 # Admin
 admin.secretToken=very-very-secret-admin-token
+
+# Cognito (optional - required for Admin GUI)
+admin.gui.enabled=false
+## Only set true for local development
+cognito.bypassEnabled=false
+cognito.requiredGroup=liflig-active
+#cognito.userPoolId=eu-north-1_XXXXX
+#cognito.clientId=xxxxx
+#cognito.clientSecret=xxxxxx
+#cognito.domain=my-app
+#cognito.region=eu-north-1
+#cognito.appBaseUrl=https://your-app.example.com
diff --git a/src/main/resources/handlebars-htmx-templates/admin-ci-statuses.hbs b/src/main/resources/handlebars-htmx-templates/admin-ci-statuses.hbs
new file mode 100644
index 00000000..f682258a
--- /dev/null
+++ b/src/main/resources/handlebars-htmx-templates/admin-ci-statuses.hbs
@@ -0,0 +1,102 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>{{title}} - Admin</title>
+  <script src="/webjars/htmx.org/{{htmxVersion}}/dist/htmx.min.js"></script>
+  <style>
+    * { box-sizing: border-box; margin: 0; padding: 0; }
+    body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Oxygen, Ubuntu, sans-serif; background-color: #f5f5f5; color: #333; line-height: 1.6; }
+    .admin-container { display: flex; min-height: 100vh; }
+    .admin-sidebar { width: 220px; background-color: #2d2d2d; color: #fff; padding: 1rem; }
+    .admin-sidebar__title { font-size: 1.25rem; font-weight: bold; margin-bottom: 1.5rem; padding-bottom: 0.5rem; border-bottom: 1px solid #444; }
+    .admin-sidebar__nav { list-style: none; }
+    .admin-sidebar__nav-item { margin-bottom: 0.5rem; }
+    .admin-sidebar__nav-link { display: block; padding: 0.5rem 0.75rem; color: #ccc; text-decoration: none; border-radius: 4px; }
+    .admin-sidebar__nav-link:hover { background-color: #3d3d3d; color: #fff; }
+    .admin-sidebar__nav-link--active { background-color: #4a90d9; color: #fff; }
+    .admin-sidebar__user { margin-top: 2rem; padding-top: 1rem; border-top: 1px solid #444; font-size: 0.875rem; color: #999; }
+    .admin-main { flex: 1; padding: 1.5rem; }
+    .admin-header { margin-bottom: 1.5rem; }
+    .admin-header__title { font-size: 1.5rem; font-weight: bold; }
+    .admin-table { width: 100%; background-color: #fff; border-radius: 8px; box-shadow: 0 1px 3px rgba(0, 0, 0, 0.1); border-collapse: collapse; }
+    .admin-table th, .admin-table td { padding: 0.75rem 1rem; text-align: left; border-bottom: 1px solid #eee; }
+    .admin-table th { background-color: #f8f8f8; font-weight: 600; color: #666; }
+    .admin-table tr:hover { background-color: #f9f9f9; }
+    .admin-btn { display: inline-block; padding: 0.5rem 1rem; font-size: 0.875rem; font-weight: 500; border-radius: 4px; border: none; cursor: pointer; text-decoration: none; }
+    .admin-btn--danger { background-color: #dc3545; color: #fff; }
+    .admin-btn--danger:hover { background-color: #c82333; }
+    .admin-btn--secondary { background-color: #6c757d; color: #fff; }
+    .admin-btn--secondary:hover { background-color: #5a6268; }
+    .admin-badge { display: inline-block; padding: 0.25rem 0.5rem; font-size: 0.75rem; font-weight: 600; border-radius: 4px; }
+    .admin-badge--success { background-color: #d4edda; color: #155724; }
+    .admin-badge--danger { background-color: #f8d7da; color: #721c24; }
+    .admin-badge--warning { background-color: #fff3cd; color: #856404; }
+    .admin-badge--info { background-color: #d1ecf1; color: #0c5460; }
+    .admin-empty { text-align: center; padding: 2rem; color: #666; }
+  </style>
+</head>
+<body>
+<div class="admin-container">
+  <aside class="admin-sidebar">
+    <div class="admin-sidebar__title">CI Dashboard Admin</div>
+    <nav>
+      <ul class="admin-sidebar__nav">
+        <li class="admin-sidebar__nav-item">
+          <a href="/admin/ci-statuses" class="admin-sidebar__nav-link{{#if (eq activePage 'ci-statuses')}} admin-sidebar__nav-link--active{{/if}}">CI Statuses</a>
+        </li>
+        <li class="admin-sidebar__nav-item">
+          <a href="/admin/integration" class="admin-sidebar__nav-link{{#if (eq activePage 'integration')}} admin-sidebar__nav-link--active{{/if}}">Integration Guide</a>
+        </li>
+        <li class="admin-sidebar__nav-item">
+          <a href="/admin/configs" class="admin-sidebar__nav-link{{#if (eq activePage 'configs')}} admin-sidebar__nav-link--active{{/if}}">Configurations</a>
+        </li>
+      </ul>
+    </nav>
+    <div class="admin-sidebar__user">Logged in as: {{user.username}}</div>
+  </aside>
+  <main class="admin-main">
+    <div class="admin-header">
+      <h1 class="admin-header__title">{{title}}</h1>
+    </div>
+    <div id="ci-status-list">
+      {{#if statuses.length}}
+      <table class="admin-table">
+        <thead>
+        <tr>
+          <th>Repository</th>
+          <th>Branch</th>
+          <th>Status</th>
+          <th>Last Updated</th>
+          <th>Actions</th>
+        </tr>
+        </thead>
+        <tbody>
+        {{#each statuses}}
+        <tr>
+          <td><strong>{{this.repoOwner}}/{{this.repoName}}</strong></td>
+          <td>{{this.branch}}</td>
+          <td>
+            {{#if (eq this.status 'SUCCEEDED')}}<span class="admin-badge admin-badge--success">{{this.status}}</span>
+            {{else if (eq this.status 'FAILED')}}<span class="admin-badge admin-badge--danger">{{this.status}}</span>
+            {{else if (eq this.status 'IN_PROGRESS')}}<span class="admin-badge admin-badge--info">{{this.status}}</span>
+            {{else if (eq this.status 'QUEUED')}}<span class="admin-badge admin-badge--warning">{{this.status}}</span>
+            {{else}}<span class="admin-badge">{{this.status}}</span>{{/if}}
+          </td>
+          <td>{{this.lastUpdated}}</td>
+          <td>
+            <button class="admin-btn admin-btn--danger" hx-delete="/admin/ci-statuses/{{this.id}}" hx-target="closest tr" hx-swap="outerHTML" hx-confirm="Are you sure you want to delete this status? This action cannot be undone.">Delete</button>
+          </td>
+        </tr>
+        {{/each}}
+        </tbody>
+      </table>
+      {{else}}
+      <div class="admin-empty"><p>No CI statuses found.</p></div>
+      {{/if}}
+    </div>
+  </main>
+</div>
+</body>
+</html>
diff --git a/src/main/resources/handlebars-htmx-templates/admin-configs.hbs b/src/main/resources/handlebars-htmx-templates/admin-configs.hbs
new file mode 100644
index 00000000..d571f860
--- /dev/null
+++ b/src/main/resources/handlebars-htmx-templates/admin-configs.hbs
@@ -0,0 +1,92 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>{{title}} - Admin</title>
+  <script src="/webjars/htmx.org/{{htmxVersion}}/dist/htmx.min.js"></script>
+  <style>
+    * { box-sizing: border-box; margin: 0; padding: 0; }
+    body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Oxygen, Ubuntu, sans-serif; background-color: #f5f5f5; color: #333; line-height: 1.6; }
+    .admin-container { display: flex; min-height: 100vh; }
+    .admin-sidebar { width: 220px; background-color: #2d2d2d; color: #fff; padding: 1rem; }
+    .admin-sidebar__title { font-size: 1.25rem; font-weight: bold; margin-bottom: 1.5rem; padding-bottom: 0.5rem; border-bottom: 1px solid #444; }
+    .admin-sidebar__nav { list-style: none; }
+    .admin-sidebar__nav-item { margin-bottom: 0.5rem; }
+    .admin-sidebar__nav-link { display: block; padding: 0.5rem 0.75rem; color: #ccc; text-decoration: none; border-radius: 4px; }
+    .admin-sidebar__nav-link:hover { background-color: #3d3d3d; color: #fff; }
+    .admin-sidebar__nav-link--active { background-color: #4a90d9; color: #fff; }
+    .admin-sidebar__user { margin-top: 2rem; padding-top: 1rem; border-top: 1px solid #444; font-size: 0.875rem; color: #999; }
+    .admin-main { flex: 1; padding: 1.5rem; }
+    .admin-header { margin-bottom: 1.5rem; }
+    .admin-header__title { font-size: 1.5rem; font-weight: bold; }
+    .admin-table { width: 100%; background-color: #fff; border-radius: 8px; box-shadow: 0 1px 3px rgba(0, 0, 0, 0.1); border-collapse: collapse; }
+    .admin-table th, .admin-table td { padding: 0.75rem 1rem; text-align: left; border-bottom: 1px solid #eee; }
+    .admin-table th { background-color: #f8f8f8; font-weight: 600; color: #666; }
+    .admin-table tr:hover { background-color: #f9f9f9; }
+    .admin-empty { text-align: center; padding: 2rem; color: #666; }
+    .admin-table__org-matcher { font-weight: 500; margin-bottom: 0.25rem; }
+    .admin-table__repo-list { list-style: none; margin-left: 1rem; margin-bottom: 0.5rem; }
+    .admin-table__repo-item { color: #666; font-size: 0.875rem; }
+  </style>
+</head>
+<body>
+<div class="admin-container">
+  <aside class="admin-sidebar">
+    <div class="admin-sidebar__title">CI Dashboard Admin</div>
+    <nav>
+      <ul class="admin-sidebar__nav">
+        <li class="admin-sidebar__nav-item">
+          <a href="/admin/ci-statuses" class="admin-sidebar__nav-link{{#if (eq activePage 'ci-statuses')}} admin-sidebar__nav-link--active{{/if}}">CI Statuses</a>
+        </li>
+        <li class="admin-sidebar__nav-item">
+          <a href="/admin/integration" class="admin-sidebar__nav-link{{#if (eq activePage 'integration')}} admin-sidebar__nav-link--active{{/if}}">Integration Guide</a>
+        </li>
+        <li class="admin-sidebar__nav-item">
+          <a href="/admin/configs" class="admin-sidebar__nav-link{{#if (eq activePage 'configs')}} admin-sidebar__nav-link--active{{/if}}">Configurations</a>
+        </li>
+      </ul>
+    </nav>
+    <div class="admin-sidebar__user">Logged in as: {{user.username}}</div>
+  </aside>
+  <main class="admin-main">
+    <div class="admin-header">
+      <h1 class="admin-header__title">{{title}}</h1>
+    </div>
+    {{#if configs.length}}
+    <table class="admin-table">
+      <thead>
+      <tr>
+        <th>ID</th>
+        <th>Display Name</th>
+        <th>Organization Matchers</th>
+      </tr>
+      </thead>
+      <tbody>
+      {{#each configs}}
+      <tr>
+        <td><code>{{this.id}}</code></td>
+        <td>{{this.displayName}}</td>
+        <td>
+          {{#each this.orgMatchers}}
+            <div class="admin-table__org-matcher">{{this.matcher}}</div>
+            {{#if this.repoMatchers.length}}
+              <ul class="admin-table__repo-list">
+                {{#each this.repoMatchers}}
+                  <li class="admin-table__repo-item">• {{this.matcher}}</li>
+                {{/each}}
+              </ul>
+            {{/if}}
+          {{/each}}
+        </td>
+      </tr>
+      {{/each}}
+      </tbody>
+    </table>
+    {{else}}
+    <div class="admin-empty"><p>No dashboard configurations found.</p></div>
+    {{/if}}
+  </main>
+</div>
+</body>
+</html>
diff --git a/src/main/resources/handlebars-htmx-templates/admin-integration.hbs b/src/main/resources/handlebars-htmx-templates/admin-integration.hbs
new file mode 100644
index 00000000..1a73a9b8
--- /dev/null
+++ b/src/main/resources/handlebars-htmx-templates/admin-integration.hbs
@@ -0,0 +1,116 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>{{title}} - Admin</title>
+  <script src="/webjars/htmx.org/{{htmxVersion}}/dist/htmx.min.js"></script>
+  <style>
+    * { box-sizing: border-box; margin: 0; padding: 0; }
+    body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Oxygen, Ubuntu, sans-serif; background-color: #f5f5f5; color: #333; line-height: 1.6; }
+    .admin-container { display: flex; min-height: 100vh; }
+    .admin-sidebar { width: 220px; background-color: #2d2d2d; color: #fff; padding: 1rem; }
+    .admin-sidebar__title { font-size: 1.25rem; font-weight: bold; margin-bottom: 1.5rem; padding-bottom: 0.5rem; border-bottom: 1px solid #444; }
+    .admin-sidebar__nav { list-style: none; }
+    .admin-sidebar__nav-item { margin-bottom: 0.5rem; }
+    .admin-sidebar__nav-link { display: block; padding: 0.5rem 0.75rem; color: #ccc; text-decoration: none; border-radius: 4px; }
+    .admin-sidebar__nav-link:hover { background-color: #3d3d3d; color: #fff; }
+    .admin-sidebar__nav-link--active { background-color: #4a90d9; color: #fff; }
+    .admin-sidebar__user { margin-top: 2rem; padding-top: 1rem; border-top: 1px solid #444; font-size: 0.875rem; color: #999; }
+    .admin-main { flex: 1; padding: 1.5rem; }
+    .admin-header { margin-bottom: 1.5rem; }
+    .admin-header__title { font-size: 1.5rem; font-weight: bold; }
+    .admin-btn { display: inline-block; padding: 0.5rem 1rem; font-size: 0.875rem; font-weight: 500; border-radius: 4px; border: none; cursor: pointer; text-decoration: none; }
+    .admin-btn--secondary { background-color: #6c757d; color: #fff; }
+    .admin-btn--secondary:hover { background-color: #5a6268; }
+    .admin-card { background-color: #fff; border-radius: 8px; box-shadow: 0 1px 3px rgba(0, 0, 0, 0.1); padding: 1.5rem; margin-bottom: 1.5rem; }
+    .admin-card__title { font-size: 1.125rem; font-weight: 600; margin-bottom: 1rem; }
+    .admin-secret { font-family: monospace; background-color: #f5f5f5; padding: 0.5rem; border-radius: 4px; margin: 0.5rem 0; }
+    .admin-secret--hidden { filter: blur(4px); user-select: none; }
+    .admin-code-block { background-color: #f5f5f5; padding: 1rem; border-radius: 4px; overflow-x: auto; font-family: monospace; font-size: 0.875rem; }
+  </style>
+</head>
+<body>
+<div class="admin-container">
+  <aside class="admin-sidebar">
+    <div class="admin-sidebar__title">CI Dashboard Admin</div>
+    <nav>
+      <ul class="admin-sidebar__nav">
+        <li class="admin-sidebar__nav-item">
+          <a href="/admin/ci-statuses" class="admin-sidebar__nav-link{{#if (eq activePage 'ci-statuses')}} admin-sidebar__nav-link--active{{/if}}">CI Statuses</a>
+        </li>
+        <li class="admin-sidebar__nav-item">
+          <a href="/admin/integration" class="admin-sidebar__nav-link{{#if (eq activePage 'integration')}} admin-sidebar__nav-link--active{{/if}}">Integration Guide</a>
+        </li>
+        <li class="admin-sidebar__nav-item">
+          <a href="/admin/configs" class="admin-sidebar__nav-link{{#if (eq activePage 'configs')}} admin-sidebar__nav-link--active{{/if}}">Configurations</a>
+        </li>
+      </ul>
+    </nav>
+    <div class="admin-sidebar__user">Logged in as: {{user.username}}</div>
+  </aside>
+  <main class="admin-main">
+    <div class="admin-header">
+      <h1 class="admin-header__title">{{title}}</h1>
+    </div>
+    <div class="admin-card">
+      <h2 class="admin-card__title">Adding a New GitHub Organization</h2>
+      <p>To add a new GitHub organization to the CI Dashboard, follow these steps:</p>
+      <ol style="margin: 1rem 0; padding-left: 1.5rem;">
+        <li style="margin-bottom: 0.5rem;"><strong>Create a GitHub App or Webhook</strong> in the target organization.</li>
+        <li style="margin-bottom: 0.5rem;"><strong>Configure the webhook URL</strong> to point to:<br><code class="admin-code-block" style="display: inline-block; margin: 0.5rem 0;">https://your-domain.com/webhook</code></li>
+        <li style="margin-bottom: 0.5rem;"><strong>Set the webhook secret</strong> to the value shown below.</li>
+        <li style="margin-bottom: 0.5rem;"><strong>Subscribe to events</strong>: Select <code>workflow_run</code> events.</li>
+        <li style="margin-bottom: 0.5rem;"><strong>Save the webhook</strong> and verify it works by triggering a workflow.</li>
+      </ol>
+    </div>
+    <div class="admin-card">
+      <h2 class="admin-card__title">Webhook Secret</h2>
+      <p style="margin-bottom: 0.5rem;">Use this secret when configuring webhooks in GitHub:</p>
+      <div style="display: flex; align-items: center; gap: 0.5rem; margin: 1rem 0;">
+        <code id="webhook-secret" class="admin-secret admin-secret--hidden" style="flex: 1;">{{webhookSecret}}</code>
+        <button id="toggle-secret" class="admin-btn admin-btn--secondary" onclick="toggleSecret()">Show</button>
+        <button class="admin-btn admin-btn--secondary" onclick="copySecret()">Copy</button>
+      </div>
+    </div>
+    <div class="admin-card">
+      <h2 class="admin-card__title">Example Webhook Payload</h2>
+      <p style="margin-bottom: 0.5rem;">The webhook expects <code>workflow_run</code> events from GitHub Actions.</p>
+      <pre class="admin-code-block">{
+  "action": "completed",
+  "workflow_run": {
+    "id": 123456,
+    "status": "completed",
+    "conclusion": "success",
+    "name": "CI",
+    "head_branch": "main",
+    "repository": {
+      "name": "my-repo",
+      "owner": { "login": "my-org" }
+    }
+  }
+}</pre>
+    </div>
+    <script>
+      let secretVisible = false;
+      function toggleSecret() {
+        const secretEl = document.getElementById('webhook-secret');
+        const btn = document.getElementById('toggle-secret');
+        secretVisible = !secretVisible;
+        if (secretVisible) { secretEl.classList.remove('admin-secret--hidden'); btn.textContent = 'Hide'; }
+        else { secretEl.classList.add('admin-secret--hidden'); btn.textContent = 'Show'; }
+      }
+      function copySecret() {
+        const secret = '{{webhookSecret}}';
+        navigator.clipboard.writeText(secret).then(() => {
+          const btn = event.target;
+          const originalText = btn.textContent;
+          btn.textContent = 'Copied!';
+          setTimeout(() => btn.textContent = originalText, 2000);
+        });
+      }
+    </script>
+  </main>
+</div>
+</body>
+</html>
diff --git a/src/test/kotlin/acceptancetests/DevelopmentAid.kt b/src/test/kotlin/acceptancetests/DevelopmentAid.kt
index f85abfb8..aa163d33 100644
--- a/src/test/kotlin/acceptancetests/DevelopmentAid.kt
+++ b/src/test/kotlin/acceptancetests/DevelopmentAid.kt
@@ -50,6 +50,8 @@ class DevelopmentAid {
 
     infra.gitHub.sendWebhook(createPayload("repo-a", CiStatus.PipelineStatus.QUEUED))
 
+    infra.admin.uploadConfiguration()
+
     println(
         "\n".repeat(10) +
             "http://localhost:" +
diff --git a/src/test/kotlin/no/liflig/cidashboard/admin/auth/CognitoAuthServiceTest.kt b/src/test/kotlin/no/liflig/cidashboard/admin/auth/CognitoAuthServiceTest.kt
new file mode 100644
index 00000000..575c4b55
--- /dev/null
+++ b/src/test/kotlin/no/liflig/cidashboard/admin/auth/CognitoAuthServiceTest.kt
@@ -0,0 +1,93 @@
+package no.liflig.cidashboard.admin.auth
+
+import no.liflig.cidashboard.common.config.CognitoConfig
+import org.assertj.core.api.Assertions.assertThat
+import org.http4k.core.Method
+import org.http4k.core.Request
+import org.http4k.core.Response
+import org.http4k.core.Status
+import org.junit.jupiter.api.Assertions.assertThrows
+import org.junit.jupiter.api.Test
+import org.junit.jupiter.api.assertThrows
+
+class CognitoAuthServiceTest {
+
+  private val testConfig =
+      CognitoConfig(
+          userPoolId = "eu-north-1_test",
+          clientId = "test-client",
+          clientSecret = "",
+          domain = "test",
+          region = "eu-north-1",
+          requiredGroup = "admin",
+          bypassEnabled = false,
+          appBaseUrl = "http://localhost:8080",
+      )
+
+  @Test
+  fun `should redirect to oauth provider when no token present`() {
+    val authService = createService(testConfig)
+    val filter = authService.authFilter()
+
+    val request = Request(Method.GET, "/admin/ci-statuses")
+    val response = filter { Response(Status.OK) }(request)
+
+    assertThat(response.status).isEqualTo(Status.TEMPORARY_REDIRECT)
+    assertThat(response.header("Location"))
+        .contains("test.auth.eu-north-1.amazoncognito.com/oauth2/authorize")
+  }
+
+  @Test
+  fun `should allow access when bypass is enabled`() {
+    val configWithBypass = testConfig.copy(bypassEnabled = true)
+    val authService = createService(configWithBypass)
+    val filter = authService.authFilter()
+
+    val request = Request(Method.GET, "/admin/ci-statuses")
+    val response = filter { Response(Status.OK).body("success") }(request)
+
+    assertThat(response.status).isEqualTo(Status.OK)
+    assertThat(response.bodyString()).isEqualTo("success")
+  }
+
+  @Test
+  fun `should add user to request context when bypass enabled`() {
+    val configWithBypass = testConfig.copy(bypassEnabled = true)
+    val authService = createService(configWithBypass)
+    val filter = authService.authFilter()
+
+    lateinit var capturedUser: CognitoUser
+    val request = Request(Method.GET, "/admin/ci-statuses")
+    filter {
+      capturedUser = CognitoAuthService.requireCognitoUser(it)
+      Response(Status.OK)
+    }(request)
+
+    assertThat(capturedUser.username).isEqualTo("bypass-user")
+    assertThat(capturedUser.groups).contains("admin")
+  }
+
+  @Test
+  fun `should require cognito user throw when no user present`() {
+    val request = Request(Method.GET, "/test")
+
+    val exception =
+        assertThrows<IllegalStateException> { CognitoAuthService.requireCognitoUser(request) }
+
+    assertThat(exception.message).contains("No Cognito user in request context")
+  }
+
+  @Test
+  fun `should provide callback handler`() {
+    val authService = createService(testConfig)
+
+    assertThat(authService.callbackHandler()).isNotNull
+  }
+
+  private fun createService(config: CognitoConfig): CognitoAuthService {
+    return CognitoAuthService(
+        config = config,
+        httpClient = { Response(Status.OK) },
+    )
+  }
+}
diff --git a/src/test/kotlin/no/liflig/cidashboard/admin/gui/AdminGuiApiTest.kt b/src/test/kotlin/no/liflig/cidashboard/admin/gui/AdminGuiApiTest.kt
new file mode 100644
index 00000000..77101fe0
--- /dev/null
+++ b/src/test/kotlin/no/liflig/cidashboard/admin/gui/AdminGuiApiTest.kt
@@ -0,0 +1,65 @@
+package no.liflig.cidashboard.admin.gui
+
+import io.restassured.RestAssured
+import org.http4k.core.Status
+import org.junit.jupiter.api.BeforeEach
+import org.junit.jupiter.api.Test
+import org.junit.jupiter.api.extension.RegisterExtension
+import test.util.AcceptanceTestExtension
+import test.util.Integration
+
+@Integration
+class AdminGuiApiTest {
+
+  companion object {
+    @JvmField @RegisterExtension val infra = AcceptanceTestExtension()
+  }
+
+  @BeforeEach
+  fun setUp() {
+    RestAssured.port = infra.app.config.apiOptions.serverPort.value
+  }
+
+  @Test
+  fun `admin index should redirect to ci-statuses when cognito bypass enabled`() {
+    RestAssured.given()
+        .redirects()
+        .follow(false)
+        .`when`()
+        .get("/admin")
+        .then()
+        .assertThat()
+        .statusCode(Status.FOUND.code)
+        .header("Location", "/admin/ci-statuses")
+  }
+
+  @Test
+  fun `ci-statuses page should return 200 when cognito bypass enabled`() {
+    RestAssured.`when`()
+        .get("/admin/ci-statuses")
+        .then()
+        .assertThat()
+        .statusCode(Status.OK.code)
+        .contentType("text/html")
+  }
+
+  @Test
+  fun `integration guide page should return 200 when cognito bypass enabled`() {
+    RestAssured.`when`()
+        .get("/admin/integration")
+        .then()
+        .assertThat()
+        .statusCode(Status.OK.code)
+        .contentType("text/html")
+  }
+
+  @Test
+  fun `configs page should return 200 when cognito bypass enabled`() {
+    RestAssured.`when`()
+        .get("/admin/configs")
+        .then()
+        .assertThat()
+        .statusCode(Status.OK.code)
+        .contentType("text/html")
+  }
+}
diff --git a/src/test/kotlin/no/liflig/cidashboard/admin/gui/AdminGuiOAuthApiTest.kt b/src/test/kotlin/no/liflig/cidashboard/admin/gui/AdminGuiOAuthApiTest.kt
new file mode 100644
index 00000000..dfceb1cb
--- /dev/null
+++ b/src/test/kotlin/no/liflig/cidashboard/admin/gui/AdminGuiOAuthApiTest.kt
@@ -0,0 +1,75 @@
+package no.liflig.cidashboard.admin.gui
+
+import io.restassured.RestAssured
+import org.http4k.core.Status
+import org.junit.jupiter.api.BeforeEach
+import org.junit.jupiter.api.Test
+import org.junit.jupiter.api.extension.RegisterExtension
+import test.util.AcceptanceTestExtension
+import test.util.Integration
+
+@Integration
+class AdminGuiOAuthApiTest {
+
+  companion object {
+    @JvmField @RegisterExtension val infra = AcceptanceTestExtension(cognitoBypassEnabled = false)
+  }
+
+  @BeforeEach
+  fun setUp() {
+    RestAssured.port = infra.app.config.apiOptions.serverPort.value
+  }
+
+  @Test
+  fun `admin index should redirect to oauth provider when not authenticated`() {
+    RestAssured.given()
+        .redirects()
+        .follow(false)
+        .`when`()
+        .get("/admin")
+        .then()
+        .assertThat()
+        .statusCode(Status.TEMPORARY_REDIRECT.code)
+        .header("Location", org.hamcrest.Matchers.containsString("oauth2/authorize"))
+  }
+
+  @Test
+  fun `admin ci-statuses should redirect to oauth provider when not authenticated`() {
+    RestAssured.given()
+        .redirects()
+        .follow(false)
+        .`when`()
+        .get("/admin/ci-statuses")
+        .then()
+        .assertThat()
+        .statusCode(Status.TEMPORARY_REDIRECT.code)
+        .header("Location", org.hamcrest.Matchers.containsString("oauth2/authorize"))
+  }
+
+  @Test
+  fun `oauth callback endpoint should exist and handle missing code`() {
+    RestAssured.`when`()
+        .get("/admin/oauth/callback")
+        .then()
+        .assertThat()
+        .statusCode(
+            org.hamcrest.Matchers.anyOf(
+                org.hamcrest.Matchers.equalTo(Status.BAD_REQUEST.code),
+                org.hamcrest.Matchers.equalTo(Status.FORBIDDEN.code),
+                org.hamcrest.Matchers.equalTo(Status.TEMPORARY_REDIRECT.code),
+            )
+        )
+  }
+
+  @Test
+  fun `oauth callback should set csrf cookie on redirect`() {
+    RestAssured.given()
+        .redirects()
+        .follow(false)
+        .`when`()
+        .get("/admin/ci-statuses")
+        .then()
+        .assertThat()
+        .cookie("cognitoCsrf", org.hamcrest.Matchers.notNullValue())
+  }
+}
diff --git a/src/test/kotlin/no/liflig/cidashboard/admin/gui/AdminGuiServiceTest.kt b/src/test/kotlin/no/liflig/cidashboard/admin/gui/AdminGuiServiceTest.kt
new file mode 100644
index 00000000..d46ccf16
--- /dev/null
+++ b/src/test/kotlin/no/liflig/cidashboard/admin/gui/AdminGuiServiceTest.kt
@@ -0,0 +1,137 @@
+package no.liflig.cidashboard.admin.gui
+
+import io.mockk.every
+import io.mockk.mockk
+import java.time.Instant
+import no.liflig.cidashboard.DashboardConfig
+import no.liflig.cidashboard.DashboardConfigId
+import no.liflig.cidashboard.OrganizationMatcher
+import no.liflig.cidashboard.persistence.BranchName
+import no.liflig.cidashboard.persistence.CiStatus
+import no.liflig.cidashboard.persistence.CiStatusId
+import no.liflig.cidashboard.persistence.CiStatusRepo
+import no.liflig.cidashboard.persistence.Commit
+import no.liflig.cidashboard.persistence.DashboardConfigRepo
+import no.liflig.cidashboard.persistence.Repo
+import no.liflig.cidashboard.persistence.RepoId
+import no.liflig.cidashboard.persistence.RepoName
+import no.liflig.cidashboard.persistence.User
+import no.liflig.cidashboard.persistence.UserId
+import no.liflig.cidashboard.persistence.Username
+import org.assertj.core.api.Assertions.assertThat
+import org.junit.jupiter.api.Test
+
+class AdminGuiServiceTest {
+
+  @Test
+  fun `should map ci statuses to rows`() {
+    val now = Instant.now()
+    val user =
+        User(
+            id = UserId(1),
+            username = Username("testuser"),
+            avatarUrl = "https://example.com/avatar.png",
+        )
+    val commit =
+        Commit(
+            sha = "abc123",
+            commitDate = now,
+            title = "Test commit",
+            message = "Test message",
+            commiter = user,
+        )
+    val statuses =
+        listOf(
+            CiStatus(
+                id = CiStatusId("status-1"),
+                repo =
+                    Repo(
+                        id = RepoId(1),
+                        owner = Username("my-org"),
+                        name = RepoName("my-repo"),
+                        defaultBranch = BranchName("main"),
+                    ),
+                branch = BranchName("main"),
+                lastStatus = CiStatus.PipelineStatus.SUCCEEDED,
+                startedAt = now,
+                lastUpdatedAt = now,
+                buildNumber = 1,
+                lastCommit = commit,
+                triggeredBy = Username("testuser"),
+            ),
+            CiStatus(
+                id = CiStatusId("status-2"),
+                repo =
+                    Repo(
+                        id = RepoId(2),
+                        owner = Username("other-org"),
+                        name = RepoName("other-repo"),
+                        defaultBranch = BranchName("develop"),
+                    ),
+                branch = BranchName("develop"),
+                lastStatus = CiStatus.PipelineStatus.FAILED,
+                startedAt = now,
+                lastUpdatedAt = now.plusSeconds(60),
+                buildNumber = 2,
+                lastCommit = commit,
+                triggeredBy = Username("testuser"),
+            ),
+        )
+    val ciStatusRepo = mockk<CiStatusRepo> { every { getAll() } returns statuses }
+    val dashboardConfigRepo = mockk<DashboardConfigRepo> { every { getAll() } returns emptyList() }
+
+    val service =
+        AdminGuiService(
+            ciStatusRepo = { callback -> callback(ciStatusRepo) },
+            configRepo = { callback -> callback(dashboardConfigRepo) },
+        )
+    val rows = service.getCiStatuses()
+
+    assertThat(rows).hasSize(2)
+    assertThat(rows[0].id).isEqualTo("status-1")
+    assertThat(rows[0].repoOwner).isEqualTo("my-org")
+    assertThat(rows[0].repoName).isEqualTo("my-repo")
+    assertThat(rows[0].branch).isEqualTo("main")
+    assertThat(rows[0].status).isEqualTo("SUCCEEDED")
+    assertThat(rows[1].id).isEqualTo("status-2")
+    assertThat(rows[1].status).isEqualTo("FAILED")
+  }
+
+  @Test
+  fun `should map configs to rows`() {
+    val configs =
+        listOf(
+            DashboardConfig(
+                id = DashboardConfigId("config-1"),
+                displayName = "My Dashboard",
+                orgMatchers =
+                    listOf(
+                        OrganizationMatcher(Regex("org-1")),
+                        OrganizationMatcher(Regex("org-2")),
+                    ),
+            ),
+        )
+    val ciStatusRepo = mockk<CiStatusRepo> { every { getAll() } returns emptyList() }
+    val dashboardConfigRepo = mockk<DashboardConfigRepo> { every { getAll() } returns configs }
+
+    val service =
+        AdminGuiService(
+            ciStatusRepo = { callback -> callback(ciStatusRepo) },
+            configRepo = { callback -> callback(dashboardConfigRepo) },
+        )
+    val rows = service.getConfigs()
+
+    assertThat(rows).hasSize(1)
+    assertThat(rows[0].id).isEqualTo("config-1")
+    assertThat(rows[0].displayName).isEqualTo("My Dashboard")
+    assertThat(rows[0].orgMatchers).isEqualTo("org-1, org-2")
+  }
+
+  @Test
+  fun `should handle empty lists`() {
+    val service = AdminGuiService(ciStatusRepo = { emptyList() }, configRepo = { emptyList() })
+
+    assertThat(service.getCiStatuses()).isEmpty()
+    assertThat(service.getConfigs()).isEmpty()
+  }
+}
diff --git a/src/test/kotlin/no/liflig/cidashboard/common/config/CognitoConfigTest.kt b/src/test/kotlin/no/liflig/cidashboard/common/config/CognitoConfigTest.kt
new file mode 100644
index 00000000..d66bdff6
--- /dev/null
+++ b/src/test/kotlin/no/liflig/cidashboard/common/config/CognitoConfigTest.kt
@@ -0,0 +1,128 @@
+package no.liflig.cidashboard.common.config
+
+import java.util.Properties
+import org.assertj.core.api.Assertions.assertThat
+import org.junit.jupiter.api.Test
+import org.junit.jupiter.api.assertThrows
+
+class CognitoConfigTest {
+
+  @Test
+  fun `should create config from properties`() {
+    val props =
+        Properties().apply {
+          setProperty("admin.gui.enabled", "true")
+          setProperty("cognito.userPoolId", "eu-north-1_abc123")
+          setProperty("cognito.clientId", "client-id-123")
+          setProperty("cognito.clientSecret", "secret-123")
+          setProperty("cognito.domain", "my-app")
+          setProperty("cognito.region", "eu-north-1")
+          setProperty("cognito.requiredGroup", "admin-group")
+          setProperty("cognito.appBaseUrl", "https://myapp.example.com")
+          setProperty("cognito.bypassEnabled", "false")
+        }
+
+    val config = CognitoConfig.from(props)
+
+    assertThat(config).isNotNull
+    assertThat(config!!.userPoolId).isEqualTo("eu-north-1_abc123")
+    assertThat(config.clientId).isEqualTo("client-id-123")
+    assertThat(config.clientSecret).isEqualTo("secret-123")
+    assertThat(config.domain).isEqualTo("my-app")
+    assertThat(config.region).isEqualTo("eu-north-1")
+    assertThat(config.requiredGroup).isEqualTo("admin-group")
+    assertThat(config.appBaseUrl).isEqualTo("https://myapp.example.com")
+    assertThat(config.bypassEnabled).isFalse
+  }
+
+  @Test
+  fun `should throw when required properties are missing and bypass is disabled`() {
+    val props =
+        Properties().apply {
+          setProperty("admin.gui.enabled", "true")
+          setProperty("cognito.bypassEnabled", "false")
+        }
+
+    assertThrows<IllegalArgumentException> { CognitoConfig.from(props) }
+  }
+
+  @Test
+  fun `should create config with dummy values when bypass is enabled but properties missing`() {
+    val props =
+        Properties().apply {
+          setProperty("admin.gui.enabled", "true")
+          setProperty("cognito.bypassEnabled", "true")
+          setProperty("cognito.requiredGroup", "test")
+        }
+
+    val config = CognitoConfig.from(props)
+
+    assertThat(config).isNotNull
+    assertThat(config!!.userPoolId).isEqualTo("not-configured")
+    assertThat(config.clientId).isEqualTo("not-configured")
+    assertThat(config.domain).isEqualTo("not-configured")
+    assertThat(config.region).isEqualTo("eu-west-1")
+    assertThat(config.appBaseUrl).isEqualTo("not-configured")
+    assertThat(config.bypassEnabled).isTrue
+  }
+
+  @Test
+  fun `should generate correct issuer url`() {
+    val config =
+        CognitoConfig(
+            userPoolId = "eu-north-1_abc123",
+            clientId = "client-id",
+            clientSecret = "123",
+            domain = "my-app",
+            region = "eu-north-1",
+            requiredGroup = "admin",
+            bypassEnabled = false,
+            appBaseUrl = "https://myapp.example.com",
+        )
+
+    assertThat(config.issuerUrl)
+        .isEqualTo("https://cognito-idp.eu-north-1.amazonaws.com/eu-north-1_abc123")
+  }
+
+  @Test
+  fun `should generate correct jwks url`() {
+    val config =
+        CognitoConfig(
+            userPoolId = "eu-north-1_abc123",
+            clientId = "client-id",
+            clientSecret = "123",
+            domain = "my-app",
+            region = "eu-north-1",
+            requiredGroup = "admin",
+            bypassEnabled = false,
+            appBaseUrl = "https://myapp.example.com",
+        )
+
+    assertThat(config.jwksUrl)
+        .isEqualTo(
+            "https://cognito-idp.eu-north-1.amazonaws.com/eu-north-1_abc123/.well-known/jwks.json"
+        )
+  }
+
+  @Test
+  fun `should generate correct oauth endpoints`() {
+    val config =
+        CognitoConfig(
+            userPoolId = "eu-north-1_abc123",
+            clientId = "client-id",
+            clientSecret = "123",
+            domain = "my-app",
+            region = "eu-north-1",
+            requiredGroup = "admin",
+            bypassEnabled = false,
+            appBaseUrl = "https://myapp.example.com",
+        )
+
+    assertThat(config.authorizationEndpoint)
+        .isEqualTo("https://my-app.auth.eu-north-1.amazoncognito.com/oauth2/authorize")
+    assertThat(config.tokenEndpoint)
+        .isEqualTo("https://my-app.auth.eu-north-1.amazoncognito.com/oauth2/token")
+    assertThat(config.logoutEndpoint)
+        .isEqualTo("https://my-app.auth.eu-north-1.amazoncognito.com/logout")
+  }
+}
diff --git a/src/test/kotlin/test/util/AcceptanceTestExtension.kt b/src/test/kotlin/test/util/AcceptanceTestExtension.kt
index 15868a5e..3367422f 100644
--- a/src/test/kotlin/test/util/AcceptanceTestExtension.kt
+++ b/src/test/kotlin/test/util/AcceptanceTestExtension.kt
@@ -1,5 +1,7 @@
 package test.util
 
+import com.github.tomakehurst.wiremock.WireMockServer
+import com.github.tomakehurst.wiremock.core.WireMockConfiguration.wireMockConfig
 import com.microsoft.playwright.Browser
 import com.microsoft.playwright.BrowserContext
 import com.microsoft.playwright.Page
@@ -17,7 +19,9 @@ import java.nio.file.Paths
 import kotlin.time.Duration.Companion.milliseconds
 import kotlin.time.Duration.Companion.seconds
 import no.liflig.cidashboard.App
+import no.liflig.cidashboard.common.config.AdminSecretToken
 import no.liflig.cidashboard.common.config.ClientSecretToken
+import no.liflig.cidashboard.common.config.CognitoConfig
 import no.liflig.cidashboard.common.config.Config
 import no.liflig.cidashboard.common.config.DbConfig
 import no.liflig.cidashboard.common.config.Port
@@ -42,19 +46,23 @@ import org.testcontainers.containers.PostgreSQLContainer
  * To test at this high level and end-to-end, the system requires infrastructure or mocks/simulators
  * to properly interact with external systems.
  */
-class AcceptanceTestExtension(val fastPoll: Boolean = true) :
-    Extension, BeforeAllCallback, AfterAllCallback, BeforeEachCallback {
+class AcceptanceTestExtension(
+    val fastPoll: Boolean = true,
+    val cognitoBypassEnabled: Boolean = true,
+) : Extension, BeforeAllCallback, AfterAllCallback, BeforeEachCallback {
 
   lateinit var app: App
 
   val gitHub = GitHub()
   val database = Database()
   val tvBrowser = TvBrowser()
+  val cognito = Cognito()
+  val admin = Admin()
 
   override fun beforeAll(context: ExtensionContext) {
     database.start()
 
-    val config =
+    var config =
         Config.load()
             .let { database.applyTo(it) }
             .let { setUnusedHttpPort(it) }
@@ -66,6 +74,11 @@ class AcceptanceTestExtension(val fastPoll: Boolean = true) :
               }
             }
 
+    if (!cognitoBypassEnabled) {
+      cognito.start()
+      config = cognito.applyTo(config)
+    }
+
     app = App(config)
     app.start()
 
@@ -80,12 +93,20 @@ class AcceptanceTestExtension(val fastPoll: Boolean = true) :
         authToken = config.apiOptions.clientSecretToken,
         dashboardId = "abc",
     )
+
+    admin.initialize(
+        port = config.apiOptions.serverPort,
+        adminToken = config.apiOptions.adminSecretToken,
+    )
   }
 
   override fun afterAll(context: ExtensionContext) {
     app.stop()
     database.stop()
     tvBrowser.close()
+    if (!cognitoBypassEnabled) {
+      cognito.stop()
+    }
   }
 
   override fun beforeEach(context: ExtensionContext) {
@@ -292,6 +313,92 @@ END${'$'}${'$'};"""
       )
     }
   }
+
+  class Admin {
+    private var port: Port = Port(8080)
+    private var adminToken: AdminSecretToken = AdminSecretToken("unset")
+
+    fun initialize(port: Port, adminToken: AdminSecretToken) {
+      this.port = port
+      this.adminToken = adminToken
+    }
+
+    fun uploadConfiguration() {
+      RestAssured.given()
+          .body(
+              """[{
+    "id": "a1",
+    "displayName": "Team A",
+    "orgMatchers": [
+      {
+        "matcher": "capralifecycle",
+        "repoMatchers": [
+          {
+            "matcher": ".*-a"
+          },
+          {
+            "matcher": "repo-y.*"
+          }
+        ]
+      }
+    ]
+  }]"""
+          )
+          .header("Authorization", "Bearer ${adminToken.value}")
+          .log()
+          .method()
+          .log()
+          .uri()
+          .log()
+          .headers()
+          .post("http://localhost:${port.value}/admin/config")
+          .then()
+          .statusCode(200)
+          .log()
+          .ifError()
+    }
+  }
+
+  class Cognito {
+    private lateinit var wireMock: WireMockServer
+    private lateinit var cognitoMock: CognitoWireMock
+
+    fun start() {
+      wireMock = WireMockServer(wireMockConfig().dynamicPort())
+      wireMock.start()
+      cognitoMock = CognitoWireMock(wireMock)
+      cognitoMock.setupStubs()
+    }
+
+    fun stop() {
+      wireMock.stop()
+    }
+
+    fun applyTo(config: Config): Config {
+      return config.copy(
+          cognitoConfig =
+              CognitoConfig(
+                  userPoolId = cognitoMock.userPoolId,
+                  clientId = cognitoMock.clientId,
+                  clientSecret = cognitoMock.clientSecret,
+                  domain = cognitoMock.domain,
+                  region = cognitoMock.region,
+                  requiredGroup = "liflig-active",
+                  bypassEnabled = false,
+                  issuerUrlOverride = cognitoMock.issuer,
+                  authBaseOverride = cognitoMock.authBaseUrl,
+                  appBaseUrl = "http://localhost:${config.apiOptions.serverPort.value}",
+              )
+      )
+    }
+
+    fun generateAccessToken(
+        username: String = "test-user",
+        groups: List<String> = listOf("liflig-active"),
+    ): String = cognitoMock.generateAccessToken(username, groups)
+
+    fun baseUrl(): String = wireMock.baseUrl()
+  }
 }
 
 interface WebhookPayload {
diff --git a/src/test/kotlin/test/util/CognitoWireMock.kt b/src/test/kotlin/test/util/CognitoWireMock.kt
new file mode 100644
index 00000000..9995f36f
--- /dev/null
+++ b/src/test/kotlin/test/util/CognitoWireMock.kt
@@ -0,0 +1,102 @@
+package test.util
+
+import com.github.tomakehurst.wiremock.WireMockServer
+import com.github.tomakehurst.wiremock.client.WireMock
+import com.nimbusds.jose.JWSAlgorithm
+import com.nimbusds.jose.JWSHeader
+import com.nimbusds.jose.JWSSigner
+import com.nimbusds.jose.crypto.RSASSASigner
+import com.nimbusds.jose.jwk.JWKSet
+import com.nimbusds.jose.jwk.KeyUse
+import com.nimbusds.jose.jwk.RSAKey
+import com.nimbusds.jose.jwk.gen.RSAKeyGenerator
+import com.nimbusds.jwt.JWTClaimsSet
+import com.nimbusds.jwt.SignedJWT
+import java.util.Date
+import java.util.UUID
+
+class CognitoWireMock(private val wireMock: WireMockServer) {
+  private val rsaKey: RSAKey =
+      RSAKeyGenerator(2048)
+          .keyID(UUID.randomUUID().toString())
+          .keyUse(KeyUse.SIGNATURE)
+          .algorithm(JWSAlgorithm.RS256)
+          .generate()
+
+  private val signer: JWSSigner = RSASSASigner(rsaKey)
+
+  val jwksJson: String = JWKSet(listOf(rsaKey.toPublicJWK())).toString()
+
+  val issuer: String
+    get() = "${wireMock.baseUrl()}/cognito-idp/eu-north-1_test"
+
+  val authBaseUrl: String
+    get() = wireMock.baseUrl()
+
+  val domain: String
+    get() = wireMock.baseUrl().removePrefix("http://").removePrefix("https://")
+
+  val region: String = "eu-north-1"
+
+  val userPoolId: String = "eu-north-1_test"
+
+  val clientId: String = "test-client-id"
+
+  val clientSecret: String = "test-client-secret"
+
+  fun setupStubs() {
+    wireMock.stubFor(
+        WireMock.get(WireMock.urlPathEqualTo("/cognito-idp/eu-north-1_test/.well-known/jwks.json"))
+            .willReturn(
+                WireMock.aResponse()
+                    .withHeader("Content-Type", "application/json")
+                    .withBody(jwksJson)
+            )
+    )
+
+    wireMock.stubFor(
+        WireMock.post(WireMock.urlPathEqualTo("/oauth2/token"))
+            .willReturn(
+                WireMock.aResponse()
+                    .withHeader("Content-Type", "application/json")
+                    .withBody(
+                        """
+                            {
+                                "access_token": "${generateAccessToken()}",
+                                "token_type": "Bearer",
+                                "expires_in": 3600
+                            }
+                            """
+                            .trimIndent()
+                    )
+            )
+    )
+  }
+
+  fun generateAccessToken(
+      username: String = "test-user",
+      groups: List<String> = listOf("liflig-active"),
+      expirationMinutes: Int = 60,
+  ): String {
+    val now = Date()
+    val expiration = Date(now.time + expirationMinutes * 60 * 1000L)
+
+    val claims =
+        JWTClaimsSet.Builder()
+            .issuer(issuer)
+            .subject(username)
+            .audience(clientId)
+            .issueTime(now)
+            .expirationTime(expiration)
+            .claim("cognito:username", username)
+            .claim("email", "$username@example.com")
+            .claim("cognito:groups", groups)
+            .build()
+
+    val signedJWT =
+        SignedJWT(JWSHeader.Builder(JWSAlgorithm.RS256).keyID(rsaKey.keyID).build(), claims)
+    signedJWT.sign(signer)
+
+    return signedJWT.serialize()
+  }
+}