diff --git a/backend/server4.js b/backend/server4.js
index 0b96243..6794e98 100644
--- a/backend/server4.js
+++ b/backend/server4.js
@@ -43,6 +43,15 @@ if (!CORS_ALLOWED_ORIGINS) {
   process.exit(1);
 }
+// Username lookup helper (HMAC-SHA256 hash for encrypted username querying)
+function usernameLookup(username) {
+  const USERNAME_INDEX_KEY = process.env.USERNAME_INDEX_SECRET || JWT_SECRET;
+  return crypto
+    .createHmac('sha256', USERNAME_INDEX_KEY)
+    .update(String(username).trim().toLowerCase())
+    .digest('hex');
+}
+
 // SendGrid configuration (match server2.js exactly)
 const SENDGRID_KEY = (process.env.SUPPORT_SENDGRID_API_KEY || '')
   .trim()
@@ -817,12 +826,15 @@ app.post('/api/admin/auth/login', adminLoginLimiter, async (req, res) => {
   }
   try {
+    // Use username_lookup hash for querying (username is encrypted)
+    const usernameLookupVal = usernameLookup(username);
+
     const [authResults] = await pool.execute(`
       SELECT ua.user_id, ua.hashed_password
       FROM user_auth ua
-      WHERE ua.username = ?
+      WHERE ua.username_lookup = ?
       LIMIT 1
-    `, [username]);
+    `, [usernameLookupVal]);
     if (!authResults || authResults.length === 0) {
       return res.status(401).json({ error: 'Invalid credentials' });
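Review bot: `usernameLookup` silently falls back to `JWT_SECRET` when `USERNAME_INDEX_SECRET` is unset, which couples two unrelated keys: the token-signing secret now also derives every stored `username_lookup` value, so rotating `JWT_SECRET` (a routine operation after a token leak) would invalidate every row and lock all admins out, and a misspelled env var in one deployment would quietly index usernames under a different key than the others. The file already fails closed on missing configuration a few lines above (`if (!CORS_ALLOWED_ORIGINS) { ... process.exit(1); }`); the same treatment at module load is safer than a per-call fallback: `const USERNAME_INDEX_KEY = process.env.USERNAME_INDEX_SECRET;` followed by `if (!USERNAME_INDEX_KEY) { console.error('USERNAME_INDEX_SECRET is required'); process.exit(1); }`, with the function then reading the module constant. The header comment should also state the contract the hash depends on, e.g. `// Deterministic keyed hash of the normalised (trim + lowercase) username; the write side must apply the identical normalisation or lookups will miss.`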
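Review bot: The login query now matches only rows whose `username_lookup` was written with the same key and the same `trim().toLowerCase()` normalisation as `usernameLookup`, but nothing in this commit shows the write path or a backfill of existing `user_auth` rows; if either differs, every admin login fails with the generic 401 and there is no log line distinguishing "no such user" from "index out of sync". A short comment above the query naming that dependency would help the next maintainer, e.g. `// username_lookup must be populated by the same usernameLookup() on insert/update and backfilled for legacy rows`. The `app.post('/api/admin/auth/login', ...)` handler starts and ends outside this hunk, so whether `username` has been validated as a string before reaching `usernameLookup` cannot be confirmed here.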