diff --git a/app/api/admin/guests/[id]/route.ts b/app/api/admin/guests/[id]/route.ts
new file mode 100644
index 0000000..121d44a
--- /dev/null
+++ b/app/api/admin/guests/[id]/route.ts
@@ -0,0 +1,39 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { eq } from 'drizzle-orm';
+import { db, guests } from '@/lib/db';
+import { verifyAdminToken } from '@/lib/auth/tokens';
+
+export async function PATCH(
+ request: NextRequest,
+ { params }: { params: Promise<{ id: string }> }
+) {
+ if (!verifyAdminToken(request)) {
+ return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+ }
+ const { id } = await params;
+ const body = await request.json().catch(() => ({}));
+ const name = (body?.name ?? '').toString().trim();
+ if (!name) {
+ return NextResponse.json({ error: 'name is required' }, { status: 400 });
+ }
+ const [row] = await db
+ .update(guests)
+ .set({ name, updatedAt: new Date() })
+ .where(eq(guests.id, id))
+ .returning();
+ if (!row) return NextResponse.json({ error: 'Not found' }, { status: 404 });
+ return NextResponse.json({ success: true, guest: row });
+}
+
+export async function DELETE(
+ request: NextRequest,
+ { params }: { params: Promise<{ id: string }> }
+) {
+ if (!verifyAdminToken(request)) {
+ return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+ }
+ const { id } = await params;
+ const result = await db.delete(guests).where(eq(guests.id, id)).returning();
+ if (result.length === 0) return NextResponse.json({ error: 'Not found' }, { status: 404 });
+ return NextResponse.json({ success: true });
+}
diff --git a/app/api/admin/guests/route.ts b/app/api/admin/guests/route.ts
new file mode 100644
index 0000000..5f1f3a9
--- /dev/null
+++ b/app/api/admin/guests/route.ts
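Review bot: In PATCH, `(body?.name ?? '').toString().trim()` coerces whatever JSON value arrives instead of requiring a string. An object or array is stored as its stringified form (for example `[object Object]`), a JSON object carrying a non-function `toString` property makes the call throw and surface as an unhandled 500, and the length is unbounded. A type check such as `const name = typeof body?.name === 'string' ? body.name.trim() : '';` keeps the existing 400 path for everything else; a maximum length matching the column would be worth adding alongside it. The POST handler in app/api/admin/guests/route.ts uses the same expression.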
@@ -0,0 +1,25 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { desc } from 'drizzle-orm';
+import { db, guests } from '@/lib/db';
+import { verifyAdminToken } from '@/lib/auth/tokens';
+
+export async function GET(request: NextRequest) {
+ if (!verifyAdminToken(request)) {
+ return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+ }
+ const rows = await db.select().from(guests).orderBy(desc(guests.createdAt));
+ return NextResponse.json({ success: true, guests: rows });
+}
+
+export async function POST(request: NextRequest) {
+ if (!verifyAdminToken(request)) {
+ return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+ }
+ const body = await request.json().catch(() => ({}));
+ const name = (body?.name ?? '').toString().trim();
+ if (!name) {
+ return NextResponse.json({ error: 'name is required' }, { status: 400 });
+ }
+ const [row] = await db.insert(guests).values({ name }).returning();
+ return NextResponse.json({ success: true, guest: row }, { status: 201 });
+}
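Review bot: The `if (!verifyAdminToken(request))` guard in GET and POST only protects the route if verifyAdminToken returns a boolean synchronously; the helper is imported from '@/lib/auth/tokens' and is not shown in this diff. Should it be (or later become) async, the negated Promise is always false and every request would pass the check, so the call would need to be `if (!(await verifyAdminToken(request)))`. An explicit `: boolean` return type on the helper, or awaiting it here unconditionally, would make the guard robust to that change. PATCH and DELETE in app/api/admin/guests/[id]/route.ts call it the same way.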