diff --git a/controller/controller.go b/controller/controller.go
index 2290ed40..0ebc134f 100644
--- a/controller/controller.go
+++ b/controller/controller.go
@@ -52,6 +52,7 @@ func Run(inCfg *config.Config) error {
 api.AccountResetPasswordHandler = newResetPasswordHandler(cfg)
 api.AccountResetPasswordRequestHandler = newResetPasswordRequestHandler()
 api.AccountVerifyHandler = newVerifyHandler()
+ api.AdminCreateAccountHandler = newCreateAccountHandler()
 api.AdminCreateFrontendHandler = newCreateFrontendHandler()
 api.AdminCreateIdentityHandler = newCreateIdentityHandler()
 api.AdminDeleteFrontendHandler = newDeleteFrontendHandler()
diff --git a/controller/createAccount.go b/controller/createAccount.go
new file mode 100644
index 00000000..0fc5ef6a
--- /dev/null
+++ b/controller/createAccount.go
@@ -0,0 +1,59 @@
+package controller
+
+import (
+ "github.com/go-openapi/runtime/middleware"
+ "github.com/openziti/zrok/controller/store"
+ "github.com/openziti/zrok/rest_model_zrok"
+ "github.com/openziti/zrok/rest_server_zrok/operations/admin"
+ "github.com/sirupsen/logrus"
+)
+
+type createAccountHandler struct{}
+
+func newCreateAccountHandler() *createAccountHandler {
+ return &createAccountHandler{}
+}
+
+func (h *createAccountHandler) Handle(params admin.CreateAccountParams, principal *rest_model_zrok.Principal) middleware.Responder {
+ if !principal.Admin {
+ logrus.Errorf("invalid admin principal")
+ return admin.NewCreateAccountUnauthorized()
+ }
+
+ token, err := CreateToken()
+ if err != nil {
+ logrus.Errorf("error creating token: %v", err)
+ return admin.NewCreateAccountInternalServerError()
+ }
+ hpwd, err := HashPassword(params.Body.Password)
+ if err != nil {
+ logrus.Errorf("error hashing password: %v", err)
+ return admin.NewCreateAccountInternalServerError()
+ }
+
+ trx, err := str.Begin()
+ if err != nil {
+ logrus.Errorf("error starting transaction: %v", err)
+ return admin.NewCreateAccountInternalServerError()
+ }
+ defer func() {
+ _ = trx.Rollback()
+ }()
+ a := &store.Account{
+ Email: params.Body.Email,
+ Salt: hpwd.Salt,
+ Password: hpwd.Password,
+ Token: token,
+ }
+ if _, err := str.CreateAccount(a, trx); err != nil {
+ logrus.Errorf("error creating account: %v", err)
+ return admin.NewCreateAccountInternalServerError()
+ }
+ if err := trx.Commit(); err != nil {
+ logrus.Errorf("error committing transaction: %v", err)
+ }
+
+ logrus.Infof("administratively created account '%v'", params.Body.Email)
+
+ return admin.NewCreateAccountCreated().WithPayload(&admin.CreateAccountCreatedBody{Token: token})
+}
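Review bot: A failed `trx.Commit()` near the end of `Handle` is only logged, so execution falls through to the `administratively created account` log line and the 201 response carrying the token even though nothing was persisted; add `return admin.NewCreateAccountInternalServerError()` inside that `if` block, as the other error branches do. As written, the audit log can record an account creation that never happened, and the caller receives a token that matches no stored account. Separately, `params.Body.Email` and `params.Body.Password` reach `HashPassword` and `store.Account` with no visible checks in this file; if the API spec does not already enforce a non-empty password and a well-formed email, that validation belongs here before hashing. Logging the email with `%q` instead of `'%v'` would also keep control characters in the supplied value from breaking up log lines.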