diff --git a/backend/app/Controllers/UserController.php b/backend/app/Controllers/UserController.php
new file mode 100644
index 0000000..7f5370c
--- /dev/null
+++ b/backend/app/Controllers/UserController.php
@@ -0,0 +1,88 @@
+query('q');
+ if (! is_string($query) || trim($query) === '') {
+ return new JsonResponse(['users' => []], 200);
+ }
+ try {
+ $results = $this->searchUsers->execute(
+ new SearchUsersRequest(query: $query),
+ );
+ } catch (BadRequestException $exception) {
+ return new JsonResponse(
+ ['error' => $exception->getMessage()], 400,
+ );
+ }
+
+ return new JsonResponse([
+ 'users' => array_map(
+ function (User $user) {
+ return [
+ 'id' => $user->getId(),
+ 'email' => $user->getEmail()->value(),
+ 'displayName' => $user->getDisplayName(),
+ 'isAdmin' => $user->isAdmin(),
+ ];
+ },
+ $results,
+ ),
+ ], 200);
+ }
+
+ public function promote(Request $request): JsonResponse
+ {
+ /** @var User $requester */
+ $requester = $request->attributes->get('user');
+ try {
+ $promoted = $this->promoteUserToAdmin->execute(
+ new PromoteUserToAdminRequest(
+ targetUserId: (int) $request->input('userId'),
+ requesterIsAdmin: $requester->isAdmin(),
+ ),
+ );
+ } catch (BadRequestException $exception) {
+ return new JsonResponse(
+ ['error' => $exception->getMessage()], 400,
+ );
+ } catch (ForbiddenException $exception) {
+ return new JsonResponse(
+ ['error' => $exception->getMessage()], 403,
+ );
+ } catch (DomainException $exception) {
+ return new JsonResponse(
+ ['error' => $exception->getMessage()], 404,
+ );
+ }
+
+ return new JsonResponse([
+ 'user' => [
+ 'id' => $promoted->getId(),
+ 'email' => $promoted->getEmail()->value(),
+ 'displayName' => $promoted->getDisplayName(),
+ 'isAdmin' => $promoted->isAdmin(),
+ ],
+ ], 200);
+ }
+}
diff --git a/backend/routes/api.php b/backend/routes/api.php
index 03408cc..d087223 100644
--- a/backend/routes/api.php
+++ b/backend/routes/api.php
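Review bot: In `promote`, `(int) $request->input('userId')` turns a missing, empty or non-numeric `userId` into 0 and accepts a value such as `"12abc"` as 12, so a malformed request to this privilege-changing endpoint reaches the use case instead of being rejected at the boundary. Validate before building the request object, for example `$userId = filter_var($request->input('userId'), FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);`, and return 400 when the result is `false`. The `/** @var User $requester */` annotation is only a hint to static analysis: if the `user` attribute is ever absent, `$requester->isAdmin()` fails with an uncaught error, so an explicit `instanceof User` check that returns 401 would be safer. `PromoteUserToAdminRequest` as constructed here carries only a boolean; passing the requester's id as well would let the use case record who performed each promotion.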
@@ -3,6 +3,7 @@ use App\Controllers\AuthController; use App\Controllers\CommentController; use App\Controllers\PostController; +use App\Controllers\UserController; use App\Http\Middleware\AuthMiddleware; use Illuminate\Support\Facades\Route; @@ -32,6 +33,10 @@ Route::post('/admin/posts/feature', [PostController::class, 'feature']) Route::post('/admin/posts/unfeature', [PostController::class, 'unfeature']) ->middleware(AuthMiddleware::class); +Route::get('/users', [UserController::class, 'search']); +Route::post('/admin/users/promote', [UserController::class, 'promote']) + ->middleware(AuthMiddleware::class); + Route::get( '/users/{displayName}/posts', [PostController::class, 'listByUser'],
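Review bot: `Route::get('/users', [UserController::class, 'search'])` is registered without `AuthMiddleware`, unlike the admin routes next to it, while `UserController::search` returns `email` and `isAdmin` for every matching user. As written, an unauthenticated caller can list accounts, collect e-mail addresses and learn which accounts are administrators. If the search has to stay public, limit the controller's projection to `id` and `displayName`; otherwise add `->middleware(AuthMiddleware::class)` to this route, and in either case put a rate limit on it. For `/admin/users/promote`, `AuthMiddleware` presumably only establishes the requester; the admin check itself depends on the use case honouring `requesterIsAdmin`, which is not visible in this diff and is worth covering with a test that expects 403 for a non-admin user.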