diff --git a/freeAccessStore.js b/freeAccessStore.js
new file mode 100644
index 0000000..a2bb3da
--- /dev/null
+++ b/freeAccessStore.js
@@ -0,0 +1,70 @@
+// freeAccessStore.js — persistent whitelist of shops granted free access
+const fs   = require('fs');
+const path = require('path');
+
+const dataFile = path.resolve(__dirname, 'data', 'freeAccess.json');
+const dataDir  = path.dirname(dataFile);
+
+if (!fs.existsSync(dataDir)) fs.mkdirSync(dataDir, { recursive: true });
+if (!fs.existsSync(dataFile)) {
+  // seed with the shop that was previously hardcoded
+  fs.writeFileSync(dataFile, JSON.stringify({
+    "racewerksengg.myshopify.com": {
+      grantedAt: new Date().toISOString(),
+      expiresAt: null,
+      note: "Internal test shop (migrated from hardcode)"
+    }
+  }, null, 2), 'utf8');
+}
+
+function readStore() {
+  try { return JSON.parse(fs.readFileSync(dataFile, 'utf8')); }
+  catch { return {}; }
+}
+
+function saveStore(store) {
+  fs.writeFileSync(dataFile, JSON.stringify(store, null, 2), 'utf8');
+}
+
+function isShopAllowed(shop) {
+  if (!shop) return false;
+  const store = readStore();
+  const entry = store[shop.toLowerCase().trim()];
+  if (!entry) return false;
+  if (!entry.expiresAt) return true;          // permanent grant
+  return new Date(entry.expiresAt) > new Date();
+}
+
+function addShop(shop, expiresAt, note = '') {
+  const store = readStore();
+  const key = shop.toLowerCase().trim();
+  store[key] = {
+    grantedAt: new Date().toISOString(),
+    expiresAt: expiresAt || null,
+    note: note || '',
+  };
+  saveStore(store);
+  return store[key];
+}
+
+function removeShop(shop) {
+  const store = readStore();
+  const key = shop.toLowerCase().trim();
+  delete store[key];
+  saveStore(store);
+}
+
+function listShops() {
+  const store = readStore();
+  const now = new Date();
+  return Object.entries(store).map(([shop, entry]) => ({
+    shop,
+    grantedAt: entry.grantedAt,
+    expiresAt: entry.expiresAt,
+    note: entry.note || '',
+    expired: entry.expiresAt ? new Date(entry.expiresAt) <= now : false,
+    permanent: !entry.expiresAt,
+  }));
+}
+
+module.exports = { isShopAllowed, addShop, removeShop, listShops };
diff --git a/routes/adminPanel.js b/routes/adminPanel.js
new file mode 100644
index 0000000..3aed792
--- /dev/null
+++ b/routes/adminPanel.js
@@ -0,0 +1,369 @@
+// routes/adminPanel.js — password-protected admin panel for free-access shop management
+const express = require('express');
+const crypto  = require('crypto');
+const { isShopAllowed, addShop, removeShop, listShops } = require('../freeAccessStore');
+
+const router = express.Router();
+
+const ADMIN_USER = 'd4a-admin';
+const ADMIN_PASS = 'Data4autos@2026.';
+const COOKIE_NAME = 'd4a_admin_tok';
+const COOKIE_MAX_AGE = 8 * 60 * 60 * 1000; // 8 hours
+
+// In-memory valid tokens (cleared on server restart)
+const validTokens = new Set();
+
+// ── auth middleware ─────────────────────────────────────────────────────────
+function requireAuth(req, res, next) {
+  const tok = req.cookies?.[COOKIE_NAME] || req.headers['x-admin-token'];
+  if (tok && validTokens.has(tok)) return next();
+  if (req.path.startsWith('/api/')) return res.status(401).json({ error: 'Unauthorised' });
+  res.redirect('/d4a-admin');
+}
+
+// ── cookie parser (lightweight, no dependency) ──────────────────────────────
+router.use((req, _res, next) => {
+  const raw = req.headers.cookie || '';
+  req.cookies = Object.fromEntries(
+    raw.split(';').map(c => c.trim().split('=').map(decodeURIComponent))
+      .filter(([k]) => k).map(([k, ...v]) => [k, v.join('=')])
+  );
+  next();
+});
+
+router.use(express.urlencoded({ extended: false }));
+router.use(express.json());
+
+// ── login ────────────────────────────────────────────────────────────────────
+router.post('/login', (req, res) => {
+  const { username, password } = req.body;
+  if (username === ADMIN_USER && password === ADMIN_PASS) {
+    const token = crypto.randomBytes(32).toString('hex');
+    validTokens.add(token);
+    setTimeout(() => validTokens.delete(token), COOKIE_MAX_AGE);
+    res.setHeader('Set-Cookie', `${COOKIE_NAME}=${encodeURIComponent(token)}; HttpOnly; Path=/; Max-Age=${COOKIE_MAX_AGE / 1000}; SameSite=Lax`);
+    return res.json({ ok: true });
+  }
+  res.status(401).json({ error: 'Invalid credentials' });
+});
+
+// ── logout ───────────────────────────────────────────────────────────────────
+router.post('/logout', (req, res) => {
+  const tok = req.cookies?.[COOKIE_NAME];
+  if (tok) validTokens.delete(tok);
+  res.setHeader('Set-Cookie', `${COOKIE_NAME}=; HttpOnly; Path=/; Max-Age=0; SameSite=Lax`);
+  res.json({ ok: true });
+});
+
+// ── check-auth ───────────────────────────────────────────────────────────────
+router.get('/api/check-auth', (req, res) => {
+  const tok = req.cookies?.[COOKIE_NAME];
+  if (tok && validTokens.has(tok)) return res.json({ ok: true });
+  res.status(401).json({ ok: false });
+});
+
+// ── shops API (protected) ────────────────────────────────────────────────────
+router.get('/api/shops', requireAuth, (_req, res) => {
+  res.json({ shops: listShops() });
+});
+
+router.post('/api/shops', requireAuth, (req, res) => {
+  const { shop, expiresAt, note } = req.body;
+  if (!shop) return res.status(400).json({ error: 'shop is required' });
+  const entry = addShop(shop.trim(), expiresAt || null, note || '');
+  res.json({ ok: true, shop: shop.trim(), entry });
+});
+
+router.delete('/api/shops/:shop', requireAuth, (req, res) => {
+  removeShop(decodeURIComponent(req.params.shop));
+  res.json({ ok: true });
+});
+
+// ── serve admin HTML (always — login gate is client-side) ────────────────────
+router.get('/', (_req, res) => {
+  res.setHeader('Content-Type', 'text/html; charset=utf-8');
+  res.send(adminHtml());
+});
+
+// ── HTML ─────────────────────────────────────────────────────────────────────
+function adminHtml() {
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8"/>
+<meta name="viewport" content="width=device-width,initial-scale=1"/>
+<title>Data4Autos Admin</title>
+<style>
+  *{box-sizing:border-box;margin:0;padding:0}
+  body{font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',sans-serif;background:#0f172a;min-height:100vh;color:#f1f5f9}
+
+  /* ── login screen ── */
+  #login-screen{display:flex;align-items:center;justify-content:center;min-height:100vh}
+  .login-card{background:#1e293b;border:1px solid #334155;border-radius:16px;padding:44px 40px;width:100%;max-width:400px;box-shadow:0 24px 48px rgba(0,0,0,0.5)}
+  .login-logo{text-align:center;margin-bottom:28px}
+  .login-logo .badge{display:inline-block;background:linear-gradient(135deg,#1e3a5f,#2563eb);border-radius:12px;padding:12px 20px;font-size:22px;font-weight:900;color:#fff;letter-spacing:-0.5px}
+  .login-logo p{margin-top:10px;font-size:13px;color:#64748b}
+  .login-card h2{font-size:18px;font-weight:800;color:#f1f5f9;margin-bottom:24px;text-align:center}
+  .field{margin-bottom:16px}
+  .field label{display:block;font-size:12px;font-weight:700;color:#94a3b8;text-transform:uppercase;letter-spacing:0.06em;margin-bottom:6px}
+  .field input{width:100%;background:#0f172a;border:1px solid #334155;border-radius:8px;padding:11px 14px;color:#f1f5f9;font-size:14px;outline:none;transition:border-color 0.15s}
+  .field input:focus{border-color:#2563eb}
+  .btn-primary{width:100%;background:linear-gradient(135deg,#1d4ed8,#2563eb);border:none;border-radius:8px;color:#fff;padding:12px;font-size:15px;font-weight:700;cursor:pointer;margin-top:8px;transition:opacity 0.15s}
+  .btn-primary:hover{opacity:0.9}
+  .btn-primary:disabled{opacity:0.5;cursor:not-allowed}
+  .err-msg{background:#fff1f2;border:1px solid #fecdd3;border-radius:8px;padding:10px 14px;font-size:13px;color:#dc2626;margin-top:12px;display:none}
+
+  /* ── dashboard ── */
+  #dashboard{display:none}
+  .topbar{background:linear-gradient(135deg,#1e3a5f 0%,#2563eb 100%);padding:16px 32px;display:flex;align-items:center;justify-content:space-between;position:sticky;top:0;z-index:100}
+  .topbar-title{font-size:18px;font-weight:900;color:#fff}
+  .topbar-sub{font-size:13px;color:rgba(255,255,255,0.65);margin-top:2px}
+  .logout-btn{background:rgba(255,255,255,0.12);border:1px solid rgba(255,255,255,0.25);border-radius:8px;color:#fff;padding:7px 16px;font-size:13px;font-weight:600;cursor:pointer}
+  .logout-btn:hover{background:rgba(255,255,255,0.2)}
+  .content{max-width:960px;margin:0 auto;padding:32px 24px}
+
+  /* add form card */
+  .add-card{background:#1e293b;border:1px solid #334155;border-radius:14px;padding:24px 28px;margin-bottom:28px}
+  .add-card h3{font-size:15px;font-weight:800;color:#f1f5f9;margin-bottom:18px}
+  .form-row{display:grid;grid-template-columns:1fr 1fr 1fr auto;gap:12px;align-items:end;flex-wrap:wrap}
+  @media(max-width:700px){.form-row{grid-template-columns:1fr}}
+  .form-row .field{margin-bottom:0}
+  .btn-add{background:linear-gradient(135deg,#15803d,#16a34a);border:none;border-radius:8px;color:#fff;padding:11px 20px;font-size:14px;font-weight:700;cursor:pointer;white-space:nowrap}
+  .btn-add:hover{opacity:0.9}
+  .success-msg{background:#f0fdf4;border:1px solid #bbf7d0;border-radius:8px;padding:10px 14px;font-size:13px;color:#15803d;margin-top:12px;display:none}
+
+  /* shops table */
+  .shops-card{background:#1e293b;border:1px solid #334155;border-radius:14px;overflow:hidden}
+  .shops-card-header{padding:18px 24px;border-bottom:1px solid #334155;display:flex;align-items:center;justify-content:space-between}
+  .shops-card-header h3{font-size:15px;font-weight:800;color:#f1f5f9}
+  .count-badge{background:#1e3a5f;border:1px solid #2563eb;border-radius:20px;padding:3px 12px;font-size:12px;font-weight:700;color:#60a5fa}
+  table{width:100%;border-collapse:collapse}
+  th{background:#0f172a;padding:11px 16px;font-size:11px;font-weight:700;color:#64748b;text-transform:uppercase;letter-spacing:0.06em;text-align:left}
+  td{padding:13px 16px;font-size:13px;border-top:1px solid #334155;vertical-align:middle}
+  tr:hover td{background:rgba(255,255,255,0.02)}
+  .shop-name{font-weight:700;color:#f1f5f9;font-size:14px}
+  .note-text{color:#64748b;font-style:italic}
+  .tag{display:inline-block;border-radius:20px;padding:3px 10px;font-size:11px;font-weight:700}
+  .tag-ok{background:#f0fdf4;color:#15803d;border:1px solid #bbf7d0}
+  .tag-exp{background:#fff1f2;color:#dc2626;border:1px solid #fecdd3}
+  .tag-perm{background:#eff6ff;color:#2563eb;border:1px solid #bfdbfe}
+  .date-text{color:#94a3b8;font-size:12px}
+  .btn-del{background:#fff1f2;border:1px solid #fecdd3;border-radius:6px;color:#dc2626;padding:5px 12px;font-size:12px;font-weight:700;cursor:pointer}
+  .btn-del:hover{background:#fecdd3}
+  .empty-state{padding:48px;text-align:center;color:#475569}
+  .empty-state .icon{font-size:36px;margin-bottom:12px}
+  .spinner{display:inline-block;width:20px;height:20px;border:2px solid rgba(255,255,255,0.2);border-top-color:#fff;border-radius:50%;animation:spin 0.7s linear infinite}
+  @keyframes spin{to{transform:rotate(360deg)}}
+</style>
+</head>
+<body>
+
+<!-- ── LOGIN ── -->
+<div id="login-screen">
+  <div class="login-card">
+    <div class="login-logo">
+      <div class="badge">D4A Admin</div>
+      <p>Data4Autos Free Access Manager</p>
+    </div>
+    <h2>Sign In</h2>
+    <div class="field"><label>Username</label><input type="text" id="inp-user" placeholder="d4a-admin" autocomplete="username"/></div>
+    <div class="field"><label>Password</label><input type="password" id="inp-pass" placeholder="••••••••••••" autocomplete="current-password"/></div>
+    <button class="btn-primary" id="login-btn" onclick="doLogin()">Sign In</button>
+    <div class="err-msg" id="login-err"></div>
+  </div>
+</div>
+
+<!-- ── DASHBOARD ── -->
+<div id="dashboard">
+  <div class="topbar">
+    <div>
+      <div class="topbar-title">🛡️ Data4Autos — Free Access Manager</div>
+      <div class="topbar-sub">Manage shops with free / bypassed subscription access</div>
+    </div>
+    <button class="logout-btn" onclick="doLogout()">Sign Out</button>
+  </div>
+
+  <div class="content">
+
+    <!-- Add shop form -->
+    <div class="add-card">
+      <h3>➕ Grant Free Access to a Shop</h3>
+      <div class="form-row">
+        <div class="field">
+          <label>Shop Domain</label>
+          <input type="text" id="inp-shop" placeholder="yourstore.myshopify.com"/>
+        </div>
+        <div class="field">
+          <label>Expiry Date <span style="color:#475569;font-weight:400">(leave blank = permanent)</span></label>
+          <input type="date" id="inp-expires"/>
+        </div>
+        <div class="field">
+          <label>Note <span style="color:#475569;font-weight:400">(optional)</span></label>
+          <input type="text" id="inp-note" placeholder="e.g. Partner shop"/>
+        </div>
+        <button class="btn-add" onclick="doAddShop()">Add Shop</button>
+      </div>
+      <div class="success-msg" id="add-success">✅ Shop added successfully!</div>
+      <div class="err-msg" id="add-err"></div>
+    </div>
+
+    <!-- Shops table -->
+    <div class="shops-card">
+      <div class="shops-card-header">
+        <h3>🏪 Whitelisted Shops</h3>
+        <span class="count-badge" id="shops-count">0 shops</span>
+      </div>
+      <div id="shops-table-wrap">
+        <div class="empty-state"><div class="spinner"></div></div>
+      </div>
+    </div>
+
+  </div>
+</div>
+
+<script>
+const BASE = '/d4a-admin';
+
+async function api(method, path, body) {
+  const opts = { method, headers: { 'Content-Type': 'application/json' }, credentials: 'include' };
+  if (body) opts.body = JSON.stringify(body);
+  const r = await fetch(BASE + path, opts);
+  return { ok: r.ok, status: r.status, data: await r.json().catch(() => ({})) };
+}
+
+// ── AUTH CHECK ──────────────────────────────────────────────────────────────
+async function checkAuth() {
+  const r = await api('GET', '/api/check-auth');
+  if (r.ok) showDashboard();
+}
+checkAuth();
+
+// ── LOGIN ───────────────────────────────────────────────────────────────────
+async function doLogin() {
+  const btn = document.getElementById('login-btn');
+  const err = document.getElementById('login-err');
+  const user = document.getElementById('inp-user').value.trim();
+  const pass = document.getElementById('inp-pass').value;
+  btn.disabled = true;
+  btn.innerHTML = '<span class="spinner"></span>';
+  err.style.display = 'none';
+
+  const r = await api('POST', '/login', { username: user, password: pass });
+  btn.disabled = false;
+  btn.textContent = 'Sign In';
+  if (r.ok) {
+    showDashboard();
+  } else {
+    err.textContent = r.data.error || 'Invalid credentials';
+    err.style.display = 'block';
+  }
+}
+document.addEventListener('keydown', e => { if (e.key === 'Enter') doLogin(); });
+
+// ── LOGOUT ──────────────────────────────────────────────────────────────────
+async function doLogout() {
+  await api('POST', '/logout');
+  document.getElementById('dashboard').style.display = 'none';
+  document.getElementById('login-screen').style.display = 'flex';
+  document.getElementById('inp-user').value = '';
+  document.getElementById('inp-pass').value = '';
+}
+
+// ── SHOW DASHBOARD ──────────────────────────────────────────────────────────
+function showDashboard() {
+  document.getElementById('login-screen').style.display = 'none';
+  document.getElementById('dashboard').style.display = 'block';
+  loadShops();
+}
+
+// ── LOAD SHOPS ──────────────────────────────────────────────────────────────
+async function loadShops() {
+  const wrap = document.getElementById('shops-table-wrap');
+  const r = await api('GET', '/api/shops');
+  if (!r.ok) { wrap.innerHTML = '<div class="empty-state"><div>Failed to load shops</div></div>'; return; }
+
+  const shops = r.data.shops || [];
+  document.getElementById('shops-count').textContent = shops.length + ' shop' + (shops.length !== 1 ? 's' : '');
+
+  if (shops.length === 0) {
+    wrap.innerHTML = '<div class="empty-state"><div class="icon">🏪</div><div>No shops added yet.<br>Use the form above to grant free access.</div></div>';
+    return;
+  }
+
+  const rows = shops.map(s => {
+    const statusTag = s.expired
+      ? '<span class="tag tag-exp">Expired</span>'
+      : s.permanent
+        ? '<span class="tag tag-perm">Permanent</span>'
+        : '<span class="tag tag-ok">Active</span>';
+
+    const expiryDisplay = s.expiresAt
+      ? '<span class="date-text">' + new Date(s.expiresAt).toLocaleDateString(undefined,{year:'numeric',month:'short',day:'numeric'}) + '</span>'
+      : '<span style="color:#475569;font-size:12px">Never</span>';
+
+    const grantedDisplay = s.grantedAt
+      ? '<span class="date-text">' + new Date(s.grantedAt).toLocaleDateString(undefined,{year:'numeric',month:'short',day:'numeric'}) + '</span>'
+      : '—';
+
+    return \`<tr>
+      <td><div class="shop-name">\${escHtml(s.shop)}</div></td>
+      <td>\${statusTag}</td>
+      <td>\${grantedDisplay}</td>
+      <td>\${expiryDisplay}</td>
+      <td><span class="note-text">\${escHtml(s.note || '—')}</span></td>
+      <td><button class="btn-del" onclick="doRemoveShop('\${escHtml(s.shop)}')">Remove</button></td>
+    </tr>\`;
+  }).join('');
+
+  wrap.innerHTML = \`<table>
+    <thead><tr>
+      <th>Shop Domain</th><th>Status</th><th>Granted</th><th>Expires</th><th>Note</th><th></th>
+    </tr></thead>
+    <tbody>\${rows}</tbody>
+  </table>\`;
+}
+
+// ── ADD SHOP ─────────────────────────────────────────────────────────────────
+async function doAddShop() {
+  const shop     = document.getElementById('inp-shop').value.trim();
+  const expires  = document.getElementById('inp-expires').value || null;
+  const note     = document.getElementById('inp-note').value.trim();
+  const ok       = document.getElementById('add-success');
+  const err      = document.getElementById('add-err');
+  ok.style.display = 'none';
+  err.style.display = 'none';
+
+  if (!shop) { err.textContent = 'Shop domain is required.'; err.style.display = 'block'; return; }
+
+  const expiresAt = expires ? new Date(expires + 'T23:59:59.000Z').toISOString() : null;
+  const r = await api('POST', '/api/shops', { shop, expiresAt, note });
+  if (r.ok) {
+    ok.style.display = 'block';
+    document.getElementById('inp-shop').value = '';
+    document.getElementById('inp-expires').value = '';
+    document.getElementById('inp-note').value = '';
+    loadShops();
+  } else {
+    err.textContent = r.data.error || 'Failed to add shop';
+    err.style.display = 'block';
+  }
+}
+
+// ── REMOVE SHOP ───────────────────────────────────────────────────────────────
+async function doRemoveShop(shop) {
+  if (!confirm('Remove free access for ' + shop + '?')) return;
+  const r = await api('DELETE', '/api/shops/' + encodeURIComponent(shop));
+  if (r.ok) loadShops();
+  else alert('Failed to remove shop');
+}
+
+// ── UTIL ──────────────────────────────────────────────────────────────────────
+function escHtml(s) {
+  return String(s).replace(/&/g,'&amp;').replace(/</g,'&lt;').replace(/>/g,'&gt;').replace(/"/g,'&quot;');
+}
+</script>
+</body>
+</html>`;
+}
+
+module.exports = router;
diff --git a/server.js b/server.js
index 12b16f0..c6eeb75 100755
--- a/server.js
+++ b/server.js
@@ -8,10 +8,12 @@ const auth = require('./auth');
 const manageBrands = require('./routes/manageBrands');
 const manageProducts = require('./routes/manageProducts');
 const managepricing = require('./routes/managePricing');
+const adminPanel = require('./routes/adminPanel');
 
 const privacyLawWebhooks = require('./routes/privacyLawWebhooks');
 const { getToken, listTokens } = require('./tokenStore');
 const { listJobs, getJob, cancelJob, getLatestJobForShop } = require('./jobStore');
+const { isShopAllowed } = require('./freeAccessStore');
 
 const app = express();
 const PORT = process.env.PORT || 3002;
@@ -19,6 +21,16 @@ const PORT = process.env.PORT || 3002;
 // 0) CORS (safe before everything)
 app.use(cors());
 
+// Admin panel (mounted before JSON body parser — it handles its own parsing)
+app.use('/d4a-admin', adminPanel);
+
+// Public free-access check used by the Shopify frontend loaders
+app.get('/free-access/:shop', (req, res) => {
+  const shop = decodeURIComponent(req.params.shop || '').toLowerCase().trim();
+  const allowed = isShopAllowed(shop);
+  res.json({ shop, allowed });
+});
+
 // Health check
 app.get('/health', (req, res) => {
   res.json({ ok: true, uptime: process.uptime(), timestamp: new Date().toISOString() });