diff --git a/docker-compose.yml b/docker-compose.yml
index f45c720b6..e2c6c17d2 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -177,6 +177,24 @@ services:
     ports:
       - 8003:8080
 
+  default-users:
+    image: curlimages/curl:8.6.0
+    restart: unless-stopped
+    depends_on:
+      - mediawiki
+    networks:
+      default:
+        aliases:
+          - default-users.svc
+    environment:
+      - MW_API_URL=http://mediawiki.svc/w/api.php
+      - MW_DEFAULT_DOMAINS=site1.localhost site2.localhost
+      - MW_DEFAULT_ADMIN_USERNAME=Admin
+      - MW_DEFAULT_ADMIN_PASSWORD=ChangeMe123!
+    volumes:
+      - ./docker-compose/scripts:/scripts:ro
+    command: "/bin/sh /scripts/create-default-users.sh"
+
 volumes:
   mediawiki-mysql-data:
   mysql-replica-data:
diff --git a/docker-compose/scripts/create-default-users.sh b/docker-compose/scripts/create-default-users.sh
new file mode 100644
index 000000000..7027b03ee
--- /dev/null
+++ b/docker-compose/scripts/create-default-users.sh
@@ -0,0 +1,55 @@
+#!/bin/sh
+set -eu
+
+API_URL="${MW_API_URL}"
+DOMAINS="${MW_DEFAULT_DOMAINS}"
+USERNAME="${MW_DEFAULT_ADMIN_USERNAME}"
+PASSWORD="${MW_DEFAULT_ADMIN_PASSWORD}"
+
+# prefix all log messages with [default-users]
+log() {
+    echo "[default-users] $1"
+}
+
+# Wait for site1.localhost and site2.localhost to be available
+wait_for_domain() {
+    domain="$1"
+    attempt=0
+    while true; do
+        if curl -fsS -H "Host: $domain" \
+            "$API_URL?action=query&meta=siteinfo&format=json" >/dev/null 2>&1; then
+            return 0
+        fi
+        sleep 2
+    done
+}
+
+# Provision default users (admin and PlatformReservedUser) for a given domain using wbstackInit API
+provision_default_users() {
+    domain="$1"
+    wait_for_domain "$domain"
+
+    if response=$(curl -fsS -H "Host: $domain" \
+        --data-urlencode "username=$USERNAME" \
+        --data-urlencode "password=$PASSWORD" \
+        "$API_URL?action=wbstackInit&format=json"); then
+        if echo "$response" | grep -q '"success":"1"'; then
+            log "Provisioned default users for $domain"
+            return 0
+        fi
+        if echo "$response" | grep -qi 'User already existed'; then
+            log "Default users already exists for $domain"
+            return 0
+        fi
+        log "Unexpected response for $domain: $response"
+        return 1
+    fi
+
+    log "Failed to created default users for $domain"
+    return 1
+}
+
+# Provision default users for each domain
+for domain in $DOMAINS; do
+    provision_default_users "$domain"
+done
diff --git a/docs/dev-environment.md b/docs/dev-environment.md
index c866c1732..05e273205 100644
--- a/docs/dev-environment.md
+++ b/docs/dev-environment.md
@@ -38,6 +38,16 @@ Removing the installation:
 ```sh
 docker compose down --volumes
 ```
+### Default admin account (local docker compose)
+
+When running `docker compose up`, a one-shot service seeds a default users (admin and PlatformReservedUser) by calling the internal `wbstackInit` API.
+
+Default credentials (configurable via environment variables on the `default-users` service):
+
+- Username: `Admin`
+- Password: `ChangeMe123!`
+
+You can customize these by editing the `default-users` service environment in the root [docker-compose file](../docker-compose.yml).
 
 ### Debugging Elastic