diff --git a/src/lib/auth.ts b/src/lib/auth.ts
index f2daffd..ee26737 100644
--- a/src/lib/auth.ts
+++ b/src/lib/auth.ts
@@ -18,7 +18,12 @@ export const { auth, handlers, signIn, signOut } = NextAuth({
     async jwt({ token, user }) {
       if (user) {
         token.id = user.id!;
-        token.role = user.role ?? "USER";
+        // Fetch the role from the database to pick up first-user ADMIN promotion
+        const dbUser = await prisma.user.findUnique({
+          where: { id: user.id! },
+          select: { role: true },
+        });
+        token.role = dbUser?.role ?? user.role ?? "USER";
       }
       return token;
     },
@@ -33,6 +38,18 @@ export const { auth, handlers, signIn, signOut } = NextAuth({
   events: {
     async createUser({ user }) {
       if (user.id) {
+        // First user to register becomes ADMIN (self-hosted owner)
+        const adminExists = await prisma.user.findFirst({
+          where: { role: "ADMIN" },
+          select: { id: true },
+        });
+        if (!adminExists) {
+          await prisma.user.update({
+            where: { id: user.id },
+            data: { role: "ADMIN" },
+          });
+        }
+
         await prisma.userSettings.upsert({
           where: { userId: user.id },
           update: {},