diff --git a/scripts/seed_superadmin.py b/scripts/seed_superadmin.py
new file mode 100644
index 0000000..105113c
--- /dev/null
+++ b/scripts/seed_superadmin.py
@@ -0,0 +1,89 @@
+"""Seed script for creating superadmin user.
+
+This script reads SUPERADMIN_EMAIL and SUPERADMIN_SECRET environment variables.
+If both are present:
+  - Creates a superadmin with the given email and hashed credential
+  - Idempotent: updates existing superadmin if email already exists
+If either is absent:
+  - No-op (logs that env vars are not set)
+
+Usage:
+    export SUPERADMIN_EMAIL="admin@example.com"
+    export SUPERADMIN_SECRET="[SetYourSecureSecretHere]"
+    python scripts/seed_superadmin.py
+"""
+import sys
+import os
+import logging
+from dotenv import load_dotenv
+
+# Load environment variables FIRST before any app imports
+load_dotenv()
+
+from gatehouse_app import create_app
+from gatehouse_app.extensions import db, bcrypt
+from gatehouse_app.models.superadmin import Superadmin
+
+
+# Configure logging
+logging.basicConfig(
+    level=logging.INFO,
+    format="%(asctime)s - %(levelname)s - %(message)s"
+)
+logger = logging.getLogger(__name__)
+
+
+def main():
+    """Main entry point."""
+    app = create_app()
+    
+    with app.app_context():
+        # Read environment variables
+        email = os.environ.get("SUPERADMIN_EMAIL")
+        credential = os.environ.get("SUPERADMIN_SECRET")
+        
+        # Check if env vars are set
+        if not email or not credential:
+            logger.info("SUPERADMIN_EMAIL and/or SUPERADMIN_SECRET not set. No-op.")
+            logger.info("To create a superadmin, set both environment variables:")
+            logger.info("  export SUPERADMIN_EMAIL='admin@example.com'")
+            logger.info("  export SUPERADMIN_SECRET='[SetYourSecureSecretHere]'")
+            return
+        
+        # Normalize email
+        email = email.lower().strip()
+        
+        logger.info(f"Processing superadmin: {email}")
+        
+        # Check if superadmin already exists
+        existing = Superadmin.query.filter_by(email=email).first()
+        
+        if existing:
+            # Update existing superadmin
+            logger.info("  → Existing superadmin found, updating credential")
+            existing.password_hash = bcrypt.generate_password_hash(credential).decode("utf-8")
+            existing.is_active = True
+            existing.full_name = existing.full_name or "Super Admin"
+            db.session.commit()
+            logger.info(f"  → Updated superadmin: {email} (id={existing.id})")
+            print(f"Updated existing superadmin: {email}")
+        else:
+            # Create new superadmin
+            logger.info("  → Creating new superadmin")
+            password_hash = bcrypt.generate_password_hash(credential).decode("utf-8")
+            superadmin = Superadmin(
+                email=email,
+                password_hash=password_hash,
+                full_name="Super Admin",
+                is_active=True,
+            )
+            db.session.add(superadmin)
+            db.session.commit()
+            logger.info(f"  → Created superadmin: {email} (id={superadmin.id})")
+            print(f"Created new superadmin: {email}")
+        
+        logger.info("Seed complete.")
+
+
+if __name__ == "__main__":
+    main()