diff --git a/app/api/routers/milestones.py b/app/api/routers/milestones.py
new file mode 100644
index 0000000..fd48653
--- /dev/null
+++ b/app/api/routers/milestones.py
@@ -0,0 +1,67 @@
+"""Milestones API router."""
+from fastapi import APIRouter, Depends, HTTPException, status
+from sqlalchemy.orm import Session
+from typing import List
+
+from app.core.config import get_db
+from app.api.deps import get_current_user_or_apikey
+from app.api.rbac import check_project_role
+from app.models import models
+from app.schemas import schemas
+
+router = APIRouter(prefix="/projects/{project_id}/milestones", tags=["Milestones"])
+
+
+@router.get("", response_model=List[schemas.MilestoneResponse])
+def list_milestones(project_id: int, db: Session = Depends(get_db), current_user: models.User = Depends(get_current_user_or_apikey)):
+    """List all milestones for a project."""
+    check_project_role(db, current_user.id, project_id, min_role="viewer")
+    milestones = db.query(models.Milestone).filter(models.Milestone.project_id == project_id).all()
+    return milestones
+
+
+@router.post("", response_model=schemas.MilestoneResponse, status_code=status.HTTP_201_CREATED)
+def create_milestone(project_id: int, milestone: schemas.MilestoneCreate, db: Session = Depends(get_db), current_user: models.User = Depends(get_current_user_or_apikey)):
+    """Create a new milestone for a project."""
+    check_project_role(db, current_user.id, project_id, min_role="mgr")
+    db_milestone = models.Milestone(project_id=project_id, **milestone.model_dump())
+    db.add(db_milestone)
+    db.commit()
+    db.refresh(db_milestone)
+    return db_milestone
+
+
+@router.get("/{milestone_id}", response_model=schemas.MilestoneResponse)
+def get_milestone(project_id: int, milestone_id: int, db: Session = Depends(get_db), current_user: models.User = Depends(get_current_user_or_apikey)):
+    """Get a milestone by ID."""
+    check_project_role(db, current_user.id, project_id, min_role="viewer")
+    milestone = db.query(models.Milestone).filter(models.Milestone.id == milestone_id, models.Milestone.project_id == project_id).first()
+    if not milestone:
+        raise HTTPException(status_code=404, detail="Milestone not found")
+    return milestone
+
+
+@router.patch("/{milestone_id}", response_model=schemas.MilestoneResponse)
+def update_milestone(project_id: int, milestone_id: int, milestone: schemas.MilestoneUpdate, db: Session = Depends(get_db), current_user: models.User = Depends(get_current_user_or_apikey)):
+    """Update a milestone."""
+    check_project_role(db, current_user.id, project_id, min_role="mgr")
+    db_milestone = db.query(models.Milestone).filter(models.Milestone.id == milestone_id, models.Milestone.project_id == project_id).first()
+    if not db_milestone:
+        raise HTTPException(status_code=404, detail="Milestone not found")
+    for key, value in milestone.model_dump(exclude_unset=True).items():
+        setattr(db_milestone, key, value)
+    db.commit()
+    db.refresh(db_milestone)
+    return db_milestone
+
+
+@router.delete("/{milestone_id}", status_code=status.HTTP_204_NO_CONTENT)
+def delete_milestone(project_id: int, milestone_id: int, db: Session = Depends(get_db), current_user: models.User = Depends(get_current_user_or_apikey)):
+    """Delete a milestone."""
+    check_project_role(db, current_user.id, project_id, min_role="admin")
+    db_milestone = db.query(models.Milestone).filter(models.Milestone.id == milestone_id, models.Milestone.project_id == project_id).first()
+    if not db_milestone:
+        raise HTTPException(status_code=404, detail="Milestone not found")
+    db.delete(db_milestone)
+    db.commit()
+    return None
diff --git a/app/api/routers/projects.py b/app/api/routers/projects.py
index d44d594..5585c21 100644
--- a/app/api/routers/projects.py
+++ b/app/api/routers/projects.py
@@ -138,7 +138,10 @@ def _generate_project_code(db, name: str) -> str:
     raise HTTPException(status_code=400, detail='Project code collision')
 
 @router.post("", response_model=schemas.ProjectResponse, status_code=status.HTTP_201_CREATED)
-def create_project(project: schemas.ProjectCreate, db: Session = Depends(get_db)):
+def create_project(project: schemas.ProjectCreate, db: Session = Depends(get_db), current_user: models.User = Depends(get_current_user_or_apikey)):
+    # Check if user is admin
+    if not current_user.is_admin:
+        raise HTTPException(status_code=403, detail="Only admins can create projects")
     # Auto-fill owner_name from owner_id
     user = db.query(models.User).filter(models.User.id == project.owner_id).first()
     if not user:
diff --git a/app/main.py b/app/main.py
index b588204..3fa5488 100644
--- a/app/main.py
+++ b/app/main.py
@@ -35,6 +35,7 @@ from app.api.routers.comments import router as comments_router
 from app.api.routers.webhooks import router as webhooks_router
 from app.api.routers.misc import router as misc_router
 from app.api.routers.monitor import router as monitor_router
+from app.api.routers.milestones import router as milestones_router
 
 app.include_router(auth_router)
 app.include_router(issues_router)
@@ -44,6 +45,7 @@ app.include_router(comments_router)
 app.include_router(webhooks_router)
 app.include_router(misc_router)
 app.include_router(monitor_router)
+app.include_router(milestones_router)
 
 
 # Auto schema migration for lightweight deployments