diff --git a/app/api/admin/tenants/route.ts b/app/api/admin/tenants/route.ts
new file mode 100644
index 0000000..478e2f5
--- /dev/null
+++ b/app/api/admin/tenants/route.ts
@@ -0,0 +1,23 @@
+import { db } from "@/lib/db";
+import { users } from "@/lib/db/schema/auth";
+import { NextResponse } from "next/server";
+import { isNotNull } from "drizzle-orm";
+
+export async function GET(req: Request) {
+ const authHeader = req.headers.get("x-api-secret");
+ // Wir nutzen dasselbe Secret wie für die Ingestion API
+ if (authHeader !== process.env.POLICY_API_SECRET) {
+ return new NextResponse("Unauthorized", { status: 401 });
+ }
+
+ // Hole alle einzigartigen Tenant-IDs aus der User-Tabelle
+ const tenants = await db
+ .selectDistinct({ tenantId: users.tenantId })
+ .from(users)
+ .where(isNotNull(users.tenantId));
+
+ // Wir filtern 'common' raus, falls es drin ist
+ const cleanList = tenants.filter(t => t.tenantId !== 'common');
+
+ return NextResponse.json(cleanList);
+}
diff --git a/lib/db/schema/auth.ts b/lib/db/schema/auth.ts
index f041d0a..76b2ea9 100644
--- a/lib/db/schema/auth.ts
+++ b/lib/db/schema/auth.ts
@@ -13,6 +13,7 @@ export const users = pgTable("user", {
 email: text("email").notNull(),
 emailVerified: timestamp("emailVerified", { mode: "date" }),
 image: text("image"),
+ tenantId: text("tenant_id"),
 });
 
 export const accounts = pgTable(
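Review bot: The guard at the top of `GET` reuses `POLICY_API_SECRET`, so every holder of the ingestion secret can also list every tenant ID in the user table. An admin endpoint that enumerates tenants should have its own credential, so that an ingestion key does not double as cross-tenant read access. The `!==` comparison is also not constant-time, and if the variable were set to an empty string an empty header value would match it. The fence sketches a guard with a separate secret (the variable name is a placeholder), a presence check on both values, and `timingSafeEqual` over SHA-256 digests; both functions come from `node:crypto`, which assumes the route runs on the Node.js runtime. The three German comments would also be easier to review in English, e.g. `// Collect all distinct tenant IDs from the user table`.

```typescript
export async function GET(req: Request) {
  const presented = req.headers.get("x-api-secret");
  // ADMIN_API_SECRET is a placeholder name: a secret separate from the ingestion one
  const expected = process.env.ADMIN_API_SECRET;
  if (!presented || !expected) {
    return new NextResponse("Unauthorized", { status: 401 });
  }
  // Hash both sides so timingSafeEqual always receives equal-length buffers
  const presentedDigest = createHash("sha256").update(presented).digest();
  const expectedDigest = createHash("sha256").update(expected).digest();
  if (!timingSafeEqual(presentedDigest, expectedDigest)) {
    return new NextResponse("Unauthorized", { status: 401 });
  }
  // … unchanged: distinct tenant query, 'common' filter and JSON response …
}
```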
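Review bot: The new `tenantId` column is nullable and carries no comment saying what a missing value means, so any query that scopes rows by tenant has to decide explicitly how to treat users with no tenant. If null is meant as "not yet assigned", a line such as `// null = no tenant assigned; tenant-scoped queries must exclude these rows` above the field would record that. The new admin route runs `selectDistinct` over this column, so an index on `tenant_id` is worth considering as the table grows. No migration for the column is visible in this diff, and the `pgTable("user", …)` definition starts outside the hunk, so both may already be handled elsewhere.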