diff --git a/admin/actions.go b/admin/actions.go
new file mode 100644
index 0000000..00408ec
--- /dev/null
+++ b/admin/actions.go
@@ -0,0 +1,58 @@
+package admin
+
+import (
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+
+	"github.com/ProxySQL/dbdeployer/defaults"
+)
+
+// ExecuteSandboxScript runs a lifecycle script (start, stop, restart) in a sandbox directory.
+// It tries <script> first, then <script>_all for multi-node sandboxes.
+func ExecuteSandboxScript(sandboxName string, script string) error {
+	sbDir := sandboxDirFor(sandboxName)
+
+	scriptPath := filepath.Join(sbDir, script)
+	if _, err := os.Stat(scriptPath); err != nil {
+		// Try the _all variant for multi-node sandboxes.
+		scriptPath = filepath.Join(sbDir, script+"_all")
+		if _, err2 := os.Stat(scriptPath); err2 != nil {
+			return fmt.Errorf("script %q not found in %s", script, sbDir)
+		}
+	}
+
+	cmd := exec.Command("bash", scriptPath)
+	output, err := cmd.CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("%s failed: %s: %w", script, string(output), err)
+	}
+	return nil
+}
+
+// DestroySandbox stops a sandbox and removes its directory and catalog entry.
+func DestroySandbox(sandboxName string) error {
+	sbDir := sandboxDirFor(sandboxName)
+
+	// Try stop (log warning if fails — sandbox may already be stopped).
+	if err := ExecuteSandboxScript(sandboxName, "stop"); err != nil {
+		fmt.Printf("Warning: failed to stop sandbox %s during destruction: %v\n", sandboxName, err)
+	}
+
+	// Remove directory.
+	if err := os.RemoveAll(sbDir); err != nil {
+		return fmt.Errorf("removing %s: %w", sbDir, err)
+	}
+
+	// Remove from catalog. The catalog key is the full destination path.
+	if err := defaults.DeleteFromCatalog(sbDir); err != nil {
+		return fmt.Errorf("removing %s from catalog: %w", sandboxName, err)
+	}
+	return nil
+}
+
+// sandboxDirFor resolves the full path for a sandbox name.
+func sandboxDirFor(sandboxName string) string {
+	return filepath.Join(defaults.Defaults().SandboxHome, sandboxName)
+}
diff --git a/admin/auth.go b/admin/auth.go
new file mode 100644
index 0000000..32ec204
--- /dev/null
+++ b/admin/auth.go
@@ -0,0 +1,75 @@
+package admin
+
+import (
+	"crypto/rand"
+	"encoding/hex"
+	"net/http"
+	"sync"
+	"time"
+)
+
+type AuthManager struct {
+	otp      string
+	otpUsed  bool
+	sessions map[string]time.Time
+	mu       sync.RWMutex
+}
+
+func NewAuthManager() *AuthManager {
+	otp := generateOTP()
+	return &AuthManager{
+		otp:      otp,
+		sessions: make(map[string]time.Time),
+	}
+}
+
+func (a *AuthManager) OTP() string {
+	return a.otp
+}
+
+func (a *AuthManager) ValidateOTP(token string) bool {
+	a.mu.Lock()
+	defer a.mu.Unlock()
+	if a.otpUsed || token != a.otp {
+		return false
+	}
+	a.otpUsed = true
+	return true
+}
+
+func (a *AuthManager) CreateSession() string {
+	a.mu.Lock()
+	defer a.mu.Unlock()
+	sessionID := generateOTP()
+	a.sessions[sessionID] = time.Now().Add(1 * time.Hour)
+	return sessionID
+}
+
+func (a *AuthManager) ValidateSession(r *http.Request) bool {
+	cookie, err := r.Cookie("dbdeployer_session")
+	if err != nil {
+		return false
+	}
+	a.mu.RLock()
+	defer a.mu.RUnlock()
+	expiry, ok := a.sessions[cookie.Value]
+	return ok && time.Now().Before(expiry)
+}
+
+func (a *AuthManager) AuthMiddleware(next http.HandlerFunc) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		if !a.ValidateSession(r) {
+			http.Redirect(w, r, "/login", http.StatusSeeOther)
+			return
+		}
+		next(w, r)
+	}
+}
+
+func generateOTP() string {
+	b := make([]byte, 16)
+	if _, err := rand.Read(b); err != nil {
+		panic("crypto/rand.Read failed: " + err.Error())
+	}
+	return hex.EncodeToString(b)
+}
diff --git a/admin/handlers.go b/admin/handlers.go
new file mode 100644
index 0000000..0ac31eb
--- /dev/null
+++ b/admin/handlers.go
@@ -0,0 +1,144 @@
+package admin
+
+import (
+	"encoding/json"
+	"net/http"
+	"net/url"
+	"strings"
+	"time"
+)
+
+func (s *Server) handleLogin(w http.ResponseWriter, r *http.Request) {
+	token := r.URL.Query().Get("token")
+	if token == "" {
+		if err := s.templates.ExecuteTemplate(w, "login.html", nil); err != nil {
+			http.Error(w, "template error: "+err.Error(), http.StatusInternalServerError)
+		}
+		return
+	}
+	if !s.auth.ValidateOTP(token) {
+		http.Error(w, "Invalid or expired token", http.StatusUnauthorized)
+		return
+	}
+	sessionID := s.auth.CreateSession()
+	http.SetCookie(w, &http.Cookie{
+		Name:     "dbdeployer_session",
+		Value:    sessionID,
+		Path:     "/",
+		HttpOnly: true,
+		SameSite: http.SameSiteStrictMode,
+	})
+	http.Redirect(w, r, "/", http.StatusSeeOther)
+}
+
+func (s *Server) handleDashboard(w http.ResponseWriter, r *http.Request) {
+	if r.URL.Path != "/" {
+		http.NotFound(w, r)
+		return
+	}
+	sandboxes, err := GetAllSandboxes()
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	data := map[string]interface{}{
+		"Sandboxes": sandboxes,
+		"Count":     len(sandboxes),
+	}
+	if err := s.templates.ExecuteTemplate(w, "dashboard.html", data); err != nil {
+		http.Error(w, "template error: "+err.Error(), http.StatusInternalServerError)
+	}
+}
+
+func (s *Server) handleListSandboxes(w http.ResponseWriter, r *http.Request) {
+	sandboxes, err := GetAllSandboxes()
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+	w.Header().Set("Content-Type", "application/json")
+	_ = json.NewEncoder(w).Encode(sandboxes)
+}
+
+func (s *Server) handleRefreshSandboxList(w http.ResponseWriter, r *http.Request) {
+	sandboxes, err := GetAllSandboxes()
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+	data := map[string]interface{}{
+		"Sandboxes": sandboxes,
+		"Count":     len(sandboxes),
+	}
+	if err := s.templates.ExecuteTemplate(w, "sandbox-list.html", data); err != nil {
+		http.Error(w, "template error: "+err.Error(), http.StatusInternalServerError)
+	}
+}
+
+func (s *Server) handleSandboxAction(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodPost {
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	// Parse: /api/sandboxes/<name>/<action>
+	parts := strings.Split(strings.TrimPrefix(r.URL.Path, "/api/sandboxes/"), "/")
+	if len(parts) != 2 {
+		http.Error(w, "Invalid path format. Expected /api/sandboxes/<name>/<action>", http.StatusBadRequest)
+		return
+	}
+	rawName, action := parts[0], parts[1]
+
+	// URL-decode the sandbox name (it was urlquery-encoded in the template).
+	name, err := url.PathUnescape(rawName)
+	if err != nil {
+		http.Error(w, "Invalid sandbox name encoding", http.StatusBadRequest)
+		return
+	}
+
+	// Reject names that could escape the sandbox directory.
+	if name == "" || strings.ContainsAny(name, "/\\") || name == "." || name == ".." {
+		http.Error(w, "Invalid sandbox name", http.StatusBadRequest)
+		return
+	}
+
+	var actionErr error
+	switch action {
+	case "start":
+		actionErr = ExecuteSandboxScript(name, "start")
+	case "stop":
+		actionErr = ExecuteSandboxScript(name, "stop")
+	case "destroy":
+		actionErr = DestroySandbox(name)
+	default:
+		http.Error(w, "Unknown action", http.StatusBadRequest)
+		return
+	}
+
+	if actionErr != nil {
+		http.Error(w, actionErr.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	// Wait briefly for start/stop to take effect before reading status.
+	// Start scripts launch mysqld in the background; the PID file
+	// and status script need a moment to reflect the new state.
+	if action == "start" || action == "stop" {
+		time.Sleep(2 * time.Second)
+	}
+
+	// Return updated sandbox list fragment for HTMX.
+	sandboxes, err := GetAllSandboxes()
+	if err != nil {
+		http.Error(w, "Action succeeded but failed to refresh: "+err.Error(), http.StatusInternalServerError)
+		return
+	}
+	data := map[string]interface{}{
+		"Sandboxes": sandboxes,
+		"Count":     len(sandboxes),
+	}
+	if err := s.templates.ExecuteTemplate(w, "sandbox-list.html", data); err != nil {
+		http.Error(w, "template error: "+err.Error(), http.StatusInternalServerError)
+	}
+}
diff --git a/admin/sandbox_status.go b/admin/sandbox_status.go
new file mode 100644
index 0000000..2c7b2a1
--- /dev/null
+++ b/admin/sandbox_status.go
@@ -0,0 +1,162 @@
+package admin
+
+import (
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"syscall"
+
+	"github.com/ProxySQL/dbdeployer/common"
+	"github.com/ProxySQL/dbdeployer/defaults"
+)
+
+// SandboxStatus represents a sandbox with its current running status.
+type SandboxStatus struct {
+	Name     string        `json:"name"`
+	Dir      string        `json:"dir"`
+	SBType   string        `json:"type"`
+	Version  string        `json:"version"`
+	Flavor   string        `json:"flavor,omitempty"`
+	Ports    []int         `json:"ports"`
+	Nodes    []SandboxNode `json:"nodes,omitempty"`
+	Running  bool          `json:"running"`
+	Provider string        `json:"provider,omitempty"`
+}
+
+// SandboxNode represents a node within a multi-node sandbox.
+type SandboxNode struct {
+	Name    string `json:"name"`
+	Dir     string `json:"dir"`
+	Port    int    `json:"port"`
+	Running bool   `json:"running"`
+}
+
+// GetAllSandboxes reads the sandbox catalog and checks running status for each sandbox.
+func GetAllSandboxes() ([]SandboxStatus, error) {
+	catalog, err := defaults.ReadCatalog()
+	if err != nil {
+		return nil, fmt.Errorf("reading sandbox catalog: %w", err)
+	}
+
+	sandboxHome := defaults.Defaults().SandboxHome
+
+	var result []SandboxStatus
+	for name, item := range catalog {
+		// The catalog key is the full path (Destination), use the base name as the display name.
+		sbName := name
+		sbDir := item.Destination
+		if sbDir == "" {
+			sbDir = filepath.Join(sandboxHome, name)
+		}
+		// If the name looks like a full path, extract just the base name.
+		if strings.Contains(sbName, "/") {
+			sbName = filepath.Base(sbName)
+		}
+
+		status := SandboxStatus{
+			Name:    sbName,
+			Dir:     sbDir,
+			SBType:  item.SBType,
+			Version: item.Version,
+			Flavor:  item.Flavor,
+			Ports:   item.Port,
+		}
+
+		// Determine provider from flavor.
+		switch strings.ToLower(item.Flavor) {
+		case "postgresql", "postgres":
+			status.Provider = "postgresql"
+		case "tidb":
+			status.Provider = "tidb"
+		case "ndb":
+			status.Provider = "ndb"
+		case "pxc":
+			status.Provider = "pxc"
+		case "mariadb":
+			status.Provider = "mariadb"
+		default:
+			status.Provider = "mysql"
+		}
+
+		isMulti := len(item.Nodes) > 0
+
+		if isMulti {
+			// Multi-node sandbox: check each node.
+			for _, nodeRelPath := range item.Nodes {
+				nodeDir := filepath.Join(sbDir, nodeRelPath)
+				nodeName := filepath.Base(nodeRelPath)
+
+				// Try to get node port from sandbox_description in node dir.
+				nodePort := 0
+				if desc, err := common.ReadSandboxDescription(nodeDir); err == nil {
+					if len(desc.Port) > 0 {
+						nodePort = desc.Port[0]
+					}
+				}
+
+				nodeRunning := isRunning(nodeDir)
+				status.Nodes = append(status.Nodes, SandboxNode{
+					Name:    nodeName,
+					Dir:     nodeDir,
+					Port:    nodePort,
+					Running: nodeRunning,
+				})
+			}
+			// Overall running = at least one node running.
+			for _, n := range status.Nodes {
+				if n.Running {
+					status.Running = true
+					break
+				}
+			}
+		} else {
+			status.Running = isRunning(sbDir)
+		}
+
+		result = append(result, status)
+	}
+
+	return result, nil
+}
+
+// isRunning checks whether a sandbox is running by executing its status script.
+// This is more reliable than PID file checking because the status script knows
+// the exact PID file location for each MySQL version and configuration.
+func isRunning(sandboxDir string) bool {
+	// Try the sandbox's own status script first.
+	// The script outputs "<name> on" or "<name> off" but always exits 0,
+	// so we parse the output text instead of checking the exit code.
+	statusScript := filepath.Join(sandboxDir, "status")
+	if _, err := os.Stat(statusScript); err == nil {
+		cmd := exec.Command("bash", statusScript)
+		output, err := cmd.Output()
+		if err == nil {
+			return strings.Contains(string(output), " on")
+		}
+	}
+
+	// Fallback: check common PID file locations.
+	for _, pidName := range []string{"data/mysql.pid", "data/mysqld.pid"} {
+		pidFile := filepath.Join(sandboxDir, pidName)
+		data, err := os.ReadFile(pidFile)
+		if err != nil {
+			continue
+		}
+		pidStr := strings.TrimSpace(string(data))
+		pid, err := strconv.Atoi(pidStr)
+		if err != nil || pid <= 0 {
+			continue
+		}
+		proc, err := os.FindProcess(pid)
+		if err != nil {
+			continue
+		}
+		if proc.Signal(syscall.Signal(0)) == nil {
+			return true
+		}
+	}
+	return false
+}
diff --git a/admin/server.go b/admin/server.go
new file mode 100644
index 0000000..d1cfd8c
--- /dev/null
+++ b/admin/server.go
@@ -0,0 +1,102 @@
+package admin
+
+import (
+	"embed"
+	"fmt"
+	"html/template"
+	"net"
+	"net/http"
+	"os/exec"
+	"runtime"
+	"time"
+)
+
+//go:embed templates static
+var content embed.FS
+
+// Server holds the HTTP server state.
+type Server struct {
+	auth      *AuthManager
+	port      int
+	templates *template.Template
+}
+
+// NewServer creates a new admin Server.
+func NewServer(port int) (*Server, error) {
+	tmpl, err := template.New("").ParseFS(content,
+		"templates/*.html",
+		"templates/components/*.html",
+	)
+	if err != nil {
+		return nil, fmt.Errorf("parsing templates: %w", err)
+	}
+	return &Server{
+		auth:      NewAuthManager(),
+		port:      port,
+		templates: tmpl,
+	}, nil
+}
+
+// Start binds the listener and begins serving requests. It blocks until the server exits.
+func (s *Server) Start() error {
+	mux := http.NewServeMux()
+
+	// Static files.
+	mux.Handle("/static/", http.FileServer(http.FS(content)))
+
+	// Auth routes.
+	mux.HandleFunc("/login", s.handleLogin)
+
+	// Dashboard (auth required).
+	mux.HandleFunc("/", s.auth.AuthMiddleware(s.handleDashboard))
+
+	// API (auth required).
+	mux.HandleFunc("/api/sandboxes", s.auth.AuthMiddleware(s.handleListSandboxes))
+	mux.HandleFunc("/api/sandboxes/refresh", s.auth.AuthMiddleware(s.handleRefreshSandboxList))
+	mux.HandleFunc("/api/sandboxes/", s.auth.AuthMiddleware(s.handleSandboxAction))
+
+	addr := fmt.Sprintf("127.0.0.1:%d", s.port)
+	url := fmt.Sprintf("http://%s/login?token=%s", addr, s.auth.OTP())
+
+	fmt.Printf("\n  dbdeployer admin\n")
+	fmt.Printf("  ────────────────────────────────\n")
+	fmt.Printf("  URL: %s\n", url)
+	fmt.Printf("  Press Ctrl+C to stop\n\n")
+
+	// Open browser AFTER listener is ready
+	server := &http.Server{
+		Addr:         addr,
+		Handler:      mux,
+		ReadTimeout:  15 * time.Second,
+		WriteTimeout: 30 * time.Second,
+		IdleTimeout:  60 * time.Second,
+	}
+
+	listener, err := net.Listen("tcp", addr)
+	if err != nil {
+		return fmt.Errorf("listen on %s: %w", addr, err)
+	}
+
+	// Now that listener is ready, open browser
+	if err := openBrowser(url); err != nil {
+		fmt.Printf("  Warning: could not open browser: %v\n", err)
+		fmt.Printf("  Open this URL manually: %s\n\n", url)
+	}
+
+	return server.Serve(listener)
+}
+
+func openBrowser(url string) error {
+	var cmd *exec.Cmd
+	switch runtime.GOOS {
+	case "linux":
+		cmd = exec.Command("xdg-open", url)
+	case "darwin":
+		cmd = exec.Command("open", url)
+	case "windows":
+		cmd = exec.Command("cmd", "/c", "start", url)
+	default:
+		return fmt.Errorf("unsupported OS: %s", runtime.GOOS)
+	}
+	return cmd.Start()
+}
diff --git a/admin/static/.gitkeep b/admin/static/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/admin/static/placeholder.txt b/admin/static/placeholder.txt
new file mode 100644
index 0000000..48a4503
--- /dev/null
+++ b/admin/static/placeholder.txt
@@ -0,0 +1 @@
+Static assets directory.
diff --git a/admin/templates/components/sandbox-list.html b/admin/templates/components/sandbox-list.html
new file mode 100644
index 0000000..fd39c91
--- /dev/null
+++ b/admin/templates/components/sandbox-list.html
@@ -0,0 +1,58 @@
+{{define "sandbox-list.html"}}
+{{if eq (len .Sandboxes) 0}}
+  <div class="empty">No sandboxes deployed yet. Run <code>dbdeployer deploy single &lt;version&gt;</code> to create one.</div>
+{{else}}
+  <div class="sandbox-grid">
+  {{range .Sandboxes}}
+    <div class="card">
+      <div class="card-header">
+        <span class="card-name">{{.Name}}</span>
+        {{if .Running}}
+          <span class="badge badge-running">running</span>
+        {{else}}
+          <span class="badge badge-stopped">stopped</span>
+        {{end}}
+      </div>
+      <div class="meta">
+        <span>{{.SBType}}</span>
+        {{if .Version}}<span>{{.Version}}</span>{{end}}
+        {{if .Flavor}}<span>{{.Flavor}}</span>{{end}}
+        {{if .Ports}}<span>port{{if gt (len .Ports) 1}}s{{end}}: {{range $i, $p := .Ports}}{{if $i}}, {{end}}{{$p}}{{end}}</span>{{end}}
+      </div>
+      {{if .Nodes}}
+      <div class="nodes">
+        {{range .Nodes}}
+        <div class="node-row">
+          <div class="node-dot {{if .Running}}running{{else}}stopped{{end}}"></div>
+          <span>{{.Name}}</span>
+          {{if .Port}}<span style="color:#6e7681">:{{.Port}}</span>{{end}}
+        </div>
+        {{end}}
+      </div>
+      {{end}}
+      <div class="actions">
+        <button class="btn btn-start"
+          hx-post="/api/sandboxes/{{.Name | urlquery}}/start"
+          hx-target="#sandbox-list"
+          hx-swap="innerHTML">
+          Start
+        </button>
+        <button class="btn btn-stop"
+          hx-post="/api/sandboxes/{{.Name | urlquery}}/stop"
+          hx-target="#sandbox-list"
+          hx-swap="innerHTML">
+          Stop
+        </button>
+        <button class="btn btn-destroy"
+          hx-post="/api/sandboxes/{{.Name | urlquery}}/destroy"
+          hx-target="#sandbox-list"
+          hx-swap="innerHTML"
+          hx-confirm="Destroy sandbox {{.Name}}? This cannot be undone.">
+          Destroy
+        </button>
+      </div>
+    </div>
+  {{end}}
+  </div>
+{{end}}
+{{end}}
diff --git a/admin/templates/dashboard.html b/admin/templates/dashboard.html
new file mode 100644
index 0000000..345af75
--- /dev/null
+++ b/admin/templates/dashboard.html
@@ -0,0 +1,129 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>dbdeployer admin</title>
+  <script src="https://unpkg.com/htmx.org@1.9.12/dist/htmx.min.js" integrity="sha384-ujb1lZYygJmzgSwoxRggbCHcjc0rB2XoQrxeTUQyRjrOnlCoYta87iKBWq3EsdM2" crossorigin="anonymous"></script>
+  <style>
+    *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
+    body {
+      background: #0d1117;
+      color: #c9d1d9;
+      font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif;
+      min-height: 100vh;
+    }
+    header {
+      background: #161b22;
+      border-bottom: 1px solid #30363d;
+      padding: 0.85rem 1.5rem;
+      display: flex;
+      align-items: center;
+      gap: 1rem;
+    }
+    header h1 { font-size: 1rem; color: #e6edf3; }
+    header .count {
+      font-size: 0.8rem;
+      color: #8b949e;
+      background: #21262d;
+      border: 1px solid #30363d;
+      border-radius: 12px;
+      padding: 0.1rem 0.6rem;
+    }
+    main { padding: 1.5rem; max-width: 1100px; margin: 0 auto; }
+    h2 { font-size: 0.85rem; color: #8b949e; text-transform: uppercase; letter-spacing: 0.05em; margin-bottom: 0.75rem; }
+    .sandbox-grid {
+      display: grid;
+      grid-template-columns: repeat(auto-fill, minmax(300px, 1fr));
+      gap: 1rem;
+      margin-bottom: 2rem;
+    }
+    .card {
+      background: #161b22;
+      border: 1px solid #30363d;
+      border-radius: 8px;
+      padding: 1rem 1.25rem;
+    }
+    .card-header {
+      display: flex;
+      align-items: center;
+      justify-content: space-between;
+      margin-bottom: 0.6rem;
+    }
+    .card-name { font-size: 0.95rem; color: #e6edf3; font-weight: 600; word-break: break-all; }
+    .badge {
+      font-size: 0.7rem;
+      padding: 0.15rem 0.5rem;
+      border-radius: 12px;
+      font-weight: 600;
+      white-space: nowrap;
+    }
+    .badge-running { background: #1a3a1a; color: #3fb950; border: 1px solid #238636; }
+    .badge-stopped { background: #2d1a1a; color: #f85149; border: 1px solid #6e1717; }
+    .meta {
+      font-size: 0.78rem;
+      color: #8b949e;
+      margin-bottom: 0.75rem;
+      line-height: 1.6;
+    }
+    .meta span { margin-right: 0.75rem; }
+    .nodes { margin-bottom: 0.75rem; }
+    .node-row {
+      display: flex;
+      align-items: center;
+      gap: 0.5rem;
+      font-size: 0.8rem;
+      color: #8b949e;
+      padding: 0.2rem 0;
+    }
+    .node-dot {
+      width: 7px; height: 7px;
+      border-radius: 50%;
+      flex-shrink: 0;
+    }
+    .node-dot.running { background: #3fb950; }
+    .node-dot.stopped { background: #f85149; }
+    .actions { display: flex; gap: 0.5rem; flex-wrap: wrap; }
+    .btn {
+      font-size: 0.78rem;
+      padding: 0.3rem 0.65rem;
+      border-radius: 5px;
+      cursor: pointer;
+      border: 1px solid;
+    }
+    .btn-start {
+      background: #1a3a1a; color: #3fb950; border-color: #238636;
+    }
+    .btn-start:hover { background: #238636; color: #fff; }
+    .btn-stop {
+      background: #2d1a1a; color: #f85149; border-color: #6e1717;
+    }
+    .btn-stop:hover { background: #6e1717; color: #fff; }
+    .btn-destroy {
+      background: #21262d; color: #8b949e; border-color: #30363d;
+    }
+    .btn-destroy:hover { background: #6e1717; color: #fff; border-color: #6e1717; }
+    .empty {
+      text-align: center;
+      color: #8b949e;
+      padding: 3rem;
+      font-size: 0.9rem;
+    }
+    .htmx-indicator { opacity: 0.5; }
+  </style>
+</head>
+<body>
+  <header>
+    <h1>dbdeployer admin</h1>
+    <span class="count">{{.Count}} sandbox{{if ne .Count 1}}es{{end}}</span>
+  </header>
+  <main>
+    <div id="sandbox-list"
+         hx-get="/api/sandboxes/refresh"
+         hx-trigger="every 5s"
+         hx-swap="innerHTML">
+      {{template "sandbox-list.html" .}}
+    </div>
+  </main>
+</body>
+</html>
diff --git a/admin/templates/login.html b/admin/templates/login.html
new file mode 100644
index 0000000..f1898e8
--- /dev/null
+++ b/admin/templates/login.html
@@ -0,0 +1,87 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>dbdeployer admin — login</title>
+  <style>
+    *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
+    body {
+      background: #0d1117;
+      color: #c9d1d9;
+      font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif;
+      display: flex;
+      align-items: center;
+      justify-content: center;
+      min-height: 100vh;
+    }
+    .card {
+      background: #161b22;
+      border: 1px solid #30363d;
+      border-radius: 8px;
+      padding: 2rem 2.5rem;
+      width: 100%;
+      max-width: 380px;
+    }
+    h1 {
+      font-size: 1.25rem;
+      color: #e6edf3;
+      margin-bottom: 0.25rem;
+    }
+    p.subtitle {
+      font-size: 0.85rem;
+      color: #8b949e;
+      margin-bottom: 1.5rem;
+    }
+    label {
+      display: block;
+      font-size: 0.85rem;
+      color: #8b949e;
+      margin-bottom: 0.4rem;
+    }
+    input[type="text"] {
+      width: 100%;
+      padding: 0.5rem 0.75rem;
+      background: #0d1117;
+      border: 1px solid #30363d;
+      border-radius: 6px;
+      color: #c9d1d9;
+      font-size: 0.9rem;
+      margin-bottom: 1rem;
+    }
+    input[type="text"]:focus {
+      outline: none;
+      border-color: #388bfd;
+    }
+    button {
+      width: 100%;
+      padding: 0.55rem;
+      background: #238636;
+      border: 1px solid #2ea043;
+      border-radius: 6px;
+      color: #fff;
+      font-size: 0.9rem;
+      cursor: pointer;
+    }
+    button:hover { background: #2ea043; }
+    .hint {
+      margin-top: 1rem;
+      font-size: 0.78rem;
+      color: #6e7681;
+      text-align: center;
+    }
+  </style>
+</head>
+<body>
+  <div class="card">
+    <h1>dbdeployer admin</h1>
+    <p class="subtitle">Enter your one-time access token</p>
+    <form method="GET" action="/login">
+      <label for="token">Access token</label>
+      <input type="text" id="token" name="token" placeholder="paste token here" autofocus>
+      <button type="submit">Sign in</button>
+    </form>
+    <p class="hint">The token was printed to the terminal when you started dbdeployer admin ui.</p>
+  </div>
+</body>
+</html>
diff --git a/cmd/admin.go b/cmd/admin.go
index 03a2569..131829a 100644
--- a/cmd/admin.go
+++ b/cmd/admin.go
@@ -17,6 +17,7 @@ package cmd
 
 import (
 	"fmt"
+	"github.com/ProxySQL/dbdeployer/admin"
 	"github.com/ProxySQL/dbdeployer/defaults"
 	"os"
 	"path"
@@ -518,6 +519,23 @@ func SandboxNames(n int) cobra.PositionalArgs {
 	}
 }
 
+var adminUiCmd = &cobra.Command{
+	Use:   "ui",
+	Short: "Start the admin web UI",
+	Long: `Starts a local web server with a dashboard for managing deployed sandboxes.
+Opens a browser with a one-time authentication token.`,
+	Run: func(cmd *cobra.Command, args []string) {
+		port, _ := cmd.Flags().GetInt("port")
+		server, err := admin.NewServer(port)
+		if err != nil {
+			common.Exitf(1, "Failed to start admin server: %s", err)
+		}
+		if err := server.Start(); err != nil {
+			common.Exitf(1, "Server error: %s", err)
+		}
+	},
+}
+
 func init() {
 	rootCmd.AddCommand(adminCmd)
 	adminCmd.AddCommand(adminLockCmd)
@@ -526,6 +544,7 @@ func init() {
 	adminCmd.AddCommand(adminCapabilitiesCmd)
 	adminCmd.AddCommand(adminSetDefaultCmd)
 	adminCmd.AddCommand(adminRemoveDefaultCmd)
+	adminCmd.AddCommand(adminUiCmd)
 	adminUpgradeCmd.Flags().BoolP(globals.VerboseLabel, "", false, "Shows upgrade operations")
 	adminUpgradeCmd.Flags().BoolP(globals.DryRunLabel, "", false, "Shows upgrade operations, but don't execute them")
 
@@ -533,4 +552,6 @@ func init() {
 		defaults.Defaults().DefaultSandboxExecutable, "Name of the executable to run commands in the default sandbox")
 	adminRemoveDefaultCmd.PersistentFlags().StringP(globals.DefaultSandboxExecutable, "",
 		defaults.Defaults().DefaultSandboxExecutable, "Name of the executable to run commands in the default sandbox")
+
+	adminUiCmd.Flags().Int("port", 9090, "Port for the admin web UI")
 }
diff --git a/docs/superpowers/specs/2026-03-24-admin-webui-poc-design.md b/docs/superpowers/specs/2026-03-24-admin-webui-poc-design.md
new file mode 100644
index 0000000..3fa195f
--- /dev/null
+++ b/docs/superpowers/specs/2026-03-24-admin-webui-poc-design.md
@@ -0,0 +1,132 @@
+# Admin Web UI POC Design
+
+**Date:** 2026-03-24
+**Author:** Rene (ProxySQL)
+**Status:** POC
+
+## Goal
+
+Prove that dbdeployer can be a platform, not just a CLI. A `dbdeployer admin` command launches a localhost web dashboard showing all deployed sandboxes with start/stop/destroy controls.
+
+## Scope (POC only)
+
+- Dashboard showing all sandboxes as cards grouped by topology
+- Start/stop/destroy actions via the UI
+- OTP authentication (CLI generates token, browser validates)
+- Localhost only (127.0.0.1)
+- Go templates + HTMX, embedded in binary
+
+## NOT in scope (future)
+
+- Deploy new sandboxes via UI
+- Real-time log streaming
+- Topology graph visualization
+- Multi-user / remote access
+- Persistent sessions
+
+## Architecture
+
+```
+dbdeployer admin
+  └─ starts HTTP server on 127.0.0.1:<port>
+  └─ generates OTP, prints to terminal
+  └─ opens browser to http://127.0.0.1:<port>/login?token=<otp>
+  └─ serves embedded HTML templates via Go's html/template
+  └─ HTMX handles dynamic actions (no page reload for start/stop/destroy)
+  └─ API endpoints read sandbox catalog + execute lifecycle commands
+```
+
+### Authentication Flow
+
+1. `dbdeployer admin` generates a random OTP (32-char hex)
+2. Prints: `Admin UI: http://127.0.0.1:9090/login?token=<otp>`
+3. Browser hits `/login?token=<otp>` → server validates → sets session cookie
+4. Session cookie used for all subsequent requests
+5. OTP is single-use (invalidated after first login)
+6. Session expires when server stops (in-memory)
+
+### API Endpoints
+
+| Method | Path | Description |
+|--------|------|-------------|
+| GET | `/login` | Validate OTP, set session cookie, redirect to dashboard |
+| GET | `/` | Dashboard (HTML) |
+| GET | `/api/sandboxes` | JSON list of all sandboxes |
+| POST | `/api/sandboxes/:name/start` | Start a sandbox |
+| POST | `/api/sandboxes/:name/stop` | Stop a sandbox |
+| POST | `/api/sandboxes/:name/destroy` | Destroy a sandbox (requires confirmation) |
+
+### Dashboard Layout
+
+**Header:** "dbdeployer admin" + sandbox count + server uptime
+
+**Sandbox cards grouped by topology:**
+
+```
+┌─ Replication: rsandbox_8_4_4 ────────────────────────┐
+│                                                        │
+│  ┌─ master ─────────┐  ┌─ node1 ──────────┐          │
+│  │ Port: 8404       │  │ Port: 8405       │          │
+│  │ ● Running        │  │ ● Running        │          │
+│  │ [Stop]           │  │ [Stop]           │          │
+│  └──────────────────┘  └──────────────────┘          │
+│                                                        │
+│  ┌─ node2 ──────────┐  ┌─ proxysql ───────┐          │
+│  │ Port: 8406       │  │ Port: 6032/6033  │          │
+│  │ ● Running        │  │ ● Running        │          │
+│  │ [Stop]           │  │ [Stop]           │          │
+│  └──────────────────┘  └──────────────────┘          │
+│                                                        │
+│  [Stop All]  [Destroy] ──────────────────────────────│
+└────────────────────────────────────────────────────────┘
+
+┌─ Single: msb_8_4_4 ──────────────────────────────────┐
+│  Port: 8404  │  ● Running  │  [Stop] [Destroy]       │
+└────────────────────────────────────────────────────────┘
+```
+
+### Sandbox Data Source
+
+Read from `~/.dbdeployer/sandboxes.json` (the existing sandbox catalog). Each entry has:
+- Sandbox name and directory
+- Type (single, multiple, replication, group, etc.)
+- Ports
+- Nodes (for multi-node topologies)
+
+Status is determined by checking if the sandbox's PID file exists / process is running.
+
+### Technology
+
+- **Server:** Go `net/http` (stdlib, no framework)
+- **Templates:** Go `html/template` with `//go:embed`
+- **Interactivity:** HTMX (loaded from CDN or embedded)
+- **Styling:** Inline CSS in the template (single file, dark theme matching the website)
+- **Session:** In-memory map, cookie-based
+
+## File Structure
+
+```
+cmd/admin.go              # Cobra command: dbdeployer admin
+admin/
+  server.go               # HTTP server, routes, middleware
+  auth.go                 # OTP generation, session management
+  handlers.go             # API handlers (list, start, stop, destroy)
+  sandbox_status.go       # Read catalog, check process status
+  templates/
+    layout.html           # Base layout (head, nav, footer)
+    dashboard.html         # Dashboard with sandbox cards
+    login.html            # Login page (auto-submits with OTP)
+    components/
+      sandbox-card.html   # Single sandbox card partial
+      topology-group.html # Topology group wrapper partial
+  static/
+    htmx.min.js           # HTMX library (embedded)
+    style.css             # Dashboard styles
+```
+
+All templates and static files embedded via `//go:embed admin/templates/* admin/static/*`.
+
+## Port Selection
+
+Default: 9090. If busy, find next free port. Print the URL to terminal.
+Flag: `--port` to override.