diff --git a/backend/src/routes/authRoutes.js b/backend/src/routes/authRoutes.js
index 1798eed..e97c8d6 100644
--- a/backend/src/routes/authRoutes.js
+++ b/backend/src/routes/authRoutes.js
@@ -10,9 +10,20 @@ const { v4: uuidv4 } = require('uuid');
 const router = express.Router();
 const prisma = new PrismaClient();
-// Check if any admin users exist (for first-time setup)
+// Check if any admin users exist (for first-time setup) - INTERNAL ONLY
 router.get('/check-admin-users', async (req, res) => {
   try {
+    // Only allow this check from localhost or internal requests
+    const clientIP = req.ip || req.connection.remoteAddress;
+    const isLocalhost = clientIP === '127.0.0.1' || clientIP === '::1' || clientIP === '::ffff:127.0.0.1';
+
+    if (!isLocalhost && !req.headers.host?.includes('localhost')) {
+      return res.status(403).json({
+        error: 'Access denied - admin check only available locally',
+        hasAdminUsers: true // Assume admin exists for security
+      });
+    }
+
+
     const adminCount = await prisma.users.count({
       where: { role: 'admin' }
     });
@@ -25,7 +36,7 @@ router.get('/check-admin-users', async (req, res) => {
     console.error('Error checking admin users:', error);
     res.status(500).json({
       error: 'Failed to check admin users',
-      hasAdminUsers: false
+      hasAdminUsers: true // Assume admin exists for security
     });
   }
 });
diff --git a/frontend/src/contexts/AuthContext.jsx b/frontend/src/contexts/AuthContext.jsx
index 8a9c9b6..a20c393 100644
--- a/frontend/src/contexts/AuthContext.jsx
+++ b/frontend/src/contexts/AuthContext.jsx
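Review bot: The localhost gate added to the `/check-admin-users` handler does not actually restrict the endpoint, because its fallback `!req.headers.host?.includes('localhost')` is evaluated on a header the requesting client supplies, and `includes` also accepts any hostname that merely contains that substring. Drop the Host fallback so only the socket address decides, i.e. `if (!isLocalhost) {`, and read the address from `req.socket.remoteAddress` rather than the deprecated `req.connection`. Note also that `req.ip` only reflects `X-Forwarded-For` when Express `trust proxy` is configured, so behind a reverse proxy the first condition sees the proxy's own address and the endpoint becomes always-denied or always-allowed depending on that setting; the handler comment should state which deployment topology it assumes. The `hasAdminUsers: true` placed in the 403 body here and in the 500 body of the second hunk is never consulted by this frontend: AuthContext's `else` branch in the second file calls `setNeedsFirstTimeSetup(true)` on any non-OK response, so the 'assume admin exists for security' default is inverted client-side and needs a matching frontend change or a comment explaining the intended contract.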
@@ -17,6 +17,10 @@ export const AuthProvider = ({ children }) => {
   const [isLoading, setIsLoading] = useState(true)
   const [permissionsLoading, setPermissionsLoading] = useState(false)
   const [needsFirstTimeSetup, setNeedsFirstTimeSetup] = useState(false)
+
+  // TEMPORARY DEBUG: Force admin setup for testing
+  // Remove this line after debugging
+  setNeedsFirstTimeSetup(true)
   const [checkingSetup, setCheckingSetup] = useState(true)
   // Initialize auth state from localStorage
@@ -231,8 +235,10 @@ export const AuthProvider = ({ children }) => {
       if (response.ok) {
         const data = await response.json()
+        console.log('Admin check response:', data) // Debug log
         setNeedsFirstTimeSetup(!data.hasAdminUsers)
       } else {
+        console.log('Admin check failed:', response.status, response.statusText) // Debug log
         // If endpoint doesn't exist or fails, assume setup is needed
         setNeedsFirstTimeSetup(true)
       }
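Review bot: The unconditional `setNeedsFirstTimeSetup(true)` inserted after the `useState(false)` line runs in the render body of AuthProvider, so it overrides the server-derived value on every render and forces the first-time admin setup flow on for every user regardless of what `/check-admin-users` returns; its own comment marks it as a temporary debug line that should not land. A state setter called during render is something React tolerates only for derived-state patterns, and here it is neither conditional nor derived, so the three added lines should be removed before merge. The `console.log(...) // Debug log` lines added in the next hunk of this file are leftovers of the same session and write the full admin-check response body to the browser console; they should go too, or be guarded by whatever debug flag the project already uses. AuthProvider begins before this hunk and continues past it.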