diff --git a/wawi/app.py b/wawi/app.py
index 0ecbb2f..40184c1 100755
--- a/wawi/app.py
+++ b/wawi/app.py
@@ -701,6 +701,20 @@ def config():
 })
 
 
+@bp.route("/api/orders", methods=["GET"])
+@api_key_required
+def api_orders():
+ """JSON-API für alle Bestellungen (authentifiziert).
+
+ Query-Parameter:
+ - status: "open" (nur offene), "completed" (nur abgeschlossene), "canceled" (nur stornierte)
+ - payment_status: "paid" (nur bezahlt), "unpaid" (nur unbezahlt)
+ """
+ status = request.args.get("status", "").strip().lower()
+ payment_status = request.args.get("payment_status", "").strip().lower()
+ return jsonify(build_orders(status=status, payment_status=payment_status))
+
+
 def build_bestand() -> list[dict]:
 """Aggregiert DB‑Zeilen in die Struktur der Live‑Bestand Ansicht."""
 rows = get_db().execute(
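Review bot: An unrecognised `status` or `payment_status` value (a typo such as `status=opne`) is not rejected in `api_orders`; it matches none of the branches in `build_orders`, so no WHERE clause is added and the caller receives every order, contact data included, instead of an error. The filter should fail closed: validate both parameters before the call, e.g. `if status not in ("", "open", "completed", "canceled"): return jsonify({"error": "invalid status"}), 400`, with the same check for `payment_status` against `("", "paid", "unpaid")`. `api_key_required` is defined outside this hunk, so how the key is compared and whether rejected requests are logged cannot be judged from here.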
@@ -759,6 +773,91 @@ def build_bestand() -> list[dict]:
 return result
 
 
+def build_orders(status: str = "", payment_status: str = "") -> list[dict]:
+ """Gibt alle Bestellungen als JSON-kompatible Liste zurück.
+
+ Args:
+ status: Filter nach Status ("open", "completed", "canceled")
+ payment_status: Filter nach Zahlungsstatus ("paid", "unpaid")
+ """
+ where_clauses = []
+ params = []
+
+ # Status-Filter
+ if status == "open":
+ where_clauses.append("done = 0 AND canceled = 0")
+ elif status == "completed":
+ where_clauses.append("done = 1 AND canceled = 0")
+ elif status == "canceled":
+ where_clauses.append("canceled = 1")
+
+ # Zahlungsstatus-Filter
+ if payment_status == "paid":
+ where_clauses.append("payment_status = 'paid'")
+ elif payment_status == "unpaid":
+ where_clauses.append("payment_status = 'unpaid'")
+
+ where_sql = ""
+ if where_clauses:
+ where_sql = "WHERE " + " AND ".join(where_clauses)
+
+ sql = f"""
+ SELECT
+ id,
+ name,
+ handy,
+ email,
+ mannschaft,
+ artikel,
+ groesse,
+ menge,
+ notiz,
+ created_at,
+ done,
+ completed_by,
+ completed_at,
+ canceled,
+ canceled_by,
+ canceled_at,
+ payment_method,
+ payment_status,
+ paid_at,
+ paid_by
+ FROM orders
+ {where_sql}
+ ORDER BY id DESC
+ """
+
+ rows = get_db().execute(sql, params).fetchall()
+
+ result = []
+ for r in rows:
+ result.append({
+ "id": r["id"],
+ "name": r["name"],
+ "handy": r["handy"],
+ "email": r["email"],
+ "mannschaft": r["mannschaft"],
+ "artikel": r["artikel"],
+ "groesse": r["groesse"],
+ "menge": r["menge"],
+ "notiz": r["notiz"],
+ "created_at": r["created_at"],
+ "done": bool(r["done"]),
+ "completed_by": r["completed_by"],
+ "completed_at": r["completed_at"],
+ "canceled": bool(r["canceled"]),
+ "canceled_by": r["canceled_by"],
+ "canceled_at": r["canceled_at"],
+ "payment_method": r["payment_method"],
+ "payment_status": r["payment_status"],
+ "paid_at": r["paid_at"],
+ "paid_by": r["paid_by"],
+ })
+
+ return result
+
+
 @bp.route("/order", methods=["POST"])
 @csrf.exempt # JSON API ohne CSRF-Schutz (nutzt API-Key stattdessen)
 def order():
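Review bot: `build_orders` selects `name`, `handy`, `email` and `notiz` for every matching order with no LIMIT, so a single call with a valid key returns the complete customer contact dataset. Consider a bounded page size passed through the `params` list, which is created but never filled, and dropping the contact columns that API consumers do not need. The f-string interpolation of `where_sql` is safe as written because only fixed literals are appended to `where_clauses`, but nothing records that invariant. A comment above the f-string such as `# where_clauses holds fixed SQL fragments only; bind any caller-supplied value via params` would keep a later filter from concatenating request input into the query.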