diff --git a/build.sh b/build.sh
index 5a692b5..f109eda 100755
--- a/build.sh
+++ b/build.sh
@@ -3,7 +3,7 @@ go build -ldflags "-w" -o databunker ./src/bunker.go ./src/qldb.go ./src/xtokens
 ./src/utils.go ./src/cryptor.go ./src/notify.go \
 ./src/audit_db.go ./src/audit_api.go \
 ./src/sms.go ./src/email.go \
- ./src/requests_db.go \
+ ./src/requests_db.go ./src/requests_api.go \
 ./src/users_db.go ./src/users_api.go \
 ./src/userapps_db.go ./src/userapps_api.go \
 ./src/sessions_db.go ./src/sessions_api.go \
diff --git a/src/bunker.go b/src/bunker.go
index 7f68602..7283f7a 100644
--- a/src/bunker.go
+++ b/src/bunker.go
@@ -172,6 +172,9 @@ func (e mainEnv) setupRouter() *httprouter.Router {
 router.POST("/v1/sharedrecord/token/:token", e.newSharedRecord)
 router.GET("/v1/get/:record", e.getRecord)
+ router.GET("/v1/request/:request", e.getUserRequest)
+ router.GET("/v1/requests", e.getUserRequests)
+ router.GET("/v1/consent/:mode/:address", e.consentAllUserRecords)
 router.GET("/v1/consent/:mode/:address/:brief", e.consentUserRecord)
 router.GET("/v1/consents/:brief", e.consentFilterRecords)
diff --git a/src/qldb.go b/src/qldb.go
index 5bb16b3..e82bb18 100644
--- a/src/qldb.go
+++ b/src/qldb.go
@@ -987,6 +987,10 @@ func initRequests(db *sql.DB) error {
 if err != nil {
 return err
 }
+ _, err = tx.Exec(`CREATE INDEX requests_status ON requests (status);`)
+ if err != nil {
+ return err
+ }
 if err = tx.Commit(); err != nil {
 return err
 }
diff --git a/src/requests_api.go b/src/requests_api.go
new file mode 100644
index 0000000..2981bb7
--- /dev/null
+++ b/src/requests_api.go
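Review bot: The new `CREATE INDEX requests_status ON requests (status);` in initRequests has no IF NOT EXISTS clause, so if this init path can run against a database that already holds the index (an upgrade of an existing deployment), tx.Exec fails and the whole transaction is abandoned. If the CREATE TABLE statements earlier in initRequests already tolerate re-runs, `CREATE INDEX IF NOT EXISTS requests_status ON requests (status);` keeps this statement consistent with them; if they do not, this line is no worse than the existing behaviour. initRequests starts before the hunk, so the table creation is not visible here.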
@@ -0,0 +1,101 @@
+package main
+
+import (
+ "fmt"
+ "net/http"
+
+ "github.com/julienschmidt/httprouter"
+)
+
+func (e mainEnv) getUserRequests(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
+ if e.enforceAuth(w, r, nil) == "" {
+ return
+ }
+ var offset int32
+ var limit int32 = 10
+ status := "open"
+ args := r.URL.Query()
+ if value, ok := args["offset"]; ok {
+ offset = atoi(value[0])
+ }
+ if value, ok := args["limit"]; ok {
+ limit = atoi(value[0])
+ }
+ if value, ok := args["status"]; ok {
+ status = value[0]
+ }
+ resultJSON, counter, err := e.db.getRequests(status, offset, limit)
+ if err != nil {
+ returnError(w, r, "internal error", 405, err, nil)
+ return
+ }
+ fmt.Printf("Total count of user requests: %d\n", counter)
+ //fmt.Fprintf(w, "title")
+ w.Header().Set("Access-Control-Allow-Origin", "*")
+ w.Header().Set("Content-Type", "application/json; charset=utf-8")
+ w.WriteHeader(200)
+ str := fmt.Sprintf(`{"status":"ok","total":%d,"rows":%s}`, counter, resultJSON)
+ w.Write([]byte(str))
+}
+
+func (e mainEnv) getUserRequest(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
+ request := ps.ByName("request")
+ event := audit("get request by request token", request, "request", request)
+ defer func() { event.submit(e.db) }()
+
+ if enforceUUID(w, request, event) == false {
+ return
+ }
+ requestInfo, err := e.db.getRequest(request)
+ if err != nil {
+ fmt.Printf("%d access denied for: %s\n", http.StatusForbidden, request)
+ w.WriteHeader(http.StatusForbidden)
+ w.Write([]byte("Access denied"))
+ return
+ }
+ var resultJSON []byte
+ userTOKEN := ""
+ appName := ""
+ change := ""
+ if value, ok := requestInfo["token"]; ok {
+ userTOKEN = value.(string)
+ }
+ if value, ok := requestInfo["change"]; ok {
+ change = value.(string)
+ }
+ if value, ok := requestInfo["app"]; ok {
+ appName = value.(string)
+ }
+ if len(appName) > 0 {
+ resultJSON, err = e.db.getUserApp(userTOKEN, appName)
+ } else {
+ resultJSON, err = e.db.getUser(userTOKEN)
+ }
+ if err != nil {
+ returnError(w, r, "internal error", 405, err, event)
+ return
+ }
+ if resultJSON == nil {
+ returnError(w, r, "not found", 405, err, event)
+ return
+ }
+ fmt.Printf("Full json: %s\n", resultJSON)
+ w.Header().Set("Content-Type", "application/json; charset=utf-8")
+ w.WriteHeader(200)
+ var str string
+
+ if len(appName) > 0 {
+ str = fmt.Sprintf(`"status":"ok","app":"%s"`, appName)
+ } else {
+ str = fmt.Sprintf(`"status":"ok"`)
+ }
+ if len(resultJSON) > 0 {
+ str = fmt.Sprintf(`%s,"original":%s`, str, resultJSON)
+ }
+ if len(change) > 0 {
+ str = fmt.Sprintf(`%s,"change":%s`, str, change)
+ }
+ str = fmt.Sprintf(`{%s}`, str)
+ fmt.Printf("result: %s\n", str)
+ w.Write([]byte(str))
+}
diff --git a/src/requests_db.go b/src/requests_db.go
index ce14b3d..7a66560 100644
--- a/src/requests_db.go
+++ b/src/requests_db.go
@@ -1,6 +1,9 @@
 package main
 import (
+ "encoding/json"
+ "fmt"
+ "log"
 "time"
 uuid "github.com/hashicorp/go-uuid"
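Review bot: getUserRequest returns the decrypted user record and the pending change to any caller presenting a well-formed request UUID, because unlike getUserRequests it never calls enforceAuth — only enforceUUID runs before e.db.getRequest, and the route `/v1/request/:request` registered in bunker.go is therefore unauthenticated. If this endpoint is meant for the admin UI like `/v1/requests`, add `if e.enforceAuth(w, r, nil) == "" { return }` right after the audit event is created; if the request token is intended to act as a bearer capability for the end user, that contract belongs in a doc comment on the handler. The handler also prints the decrypted payload to stdout twice (`fmt.Printf("Full json: %s\n", resultJSON)` and the `result:` line), which puts personal data into process logs; log only the request token. The body is assembled with fmt.Sprintf and appName is interpolated unescaped into `"app":"%s"`, so an app name containing a quote or backslash yields invalid JSON — marshal a map or struct with json.Marshal instead, which also removes the need for the string splicing below it. The "not found" branch reports 405 with a nil err; 404 is the conventional code.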
@@ -38,3 +41,55 @@ func (dbobj dbcon) saveUserRequest(action string, token string, app string, chan
 _, err := dbobj.createRecord(TblName.Requests, &bdoc)
 return rtoken, err
 }
+
+func (dbobj dbcon) getRequests(status string, offset int32, limit int32) ([]byte, int64, error) {
+ //var results []*auditEvent
+ count, err := dbobj.countRecords(TblName.Requests, "status", status)
+ if err != nil {
+ return nil, 0, err
+ }
+ var results []bson.M
+ records, err := dbobj.getList(TblName.Requests, "status", status, offset, limit)
+ if err != nil {
+ return nil, 0, err
+ }
+ for _, element := range records {
+ element["more"] = false
+ if _, ok := element["change"]; ok {
+ element["more"] = true
+ element["change"] = ""
+ }
+ results = append(results, element)
+ }
+
+ resultJSON, err := json.Marshal(records)
+ if err != nil {
+ return nil, 0, err
+ }
+ //fmt.Printf("Found multiple documents (array of pointers): %+v\n", results)
+ return resultJSON, count, nil
+}
+
+func (dbobj dbcon) getRequest(rtoken string) (bson.M, error) {
+ //var results []*auditEvent
+ record, err := dbobj.getRecord(TblName.Requests, "rtoken", rtoken)
+ if err != nil {
+ return record, err
+ }
+ fmt.Printf("request record: %s\n", record)
+ userTOKEN := ""
+ change := ""
+ if value, ok := record["token"]; ok {
+ userTOKEN = value.(string)
+ }
+ if value, ok := record["change"]; ok {
+ change = value.(string)
+ }
+ //recBson := bson.M{}
+ if len(change) > 0 {
+ change2, _ := dbobj.userDecrypt(userTOKEN, change)
+ log.Printf("change: %s", change2)
+ record["change"] = change2
+ }
+ return record, nil
+}
diff --git a/ui/site/admin-view-requests.html b/ui/site/admin-view-requests.html
new file mode 100644
index 0000000..c7aa038
--- /dev/null
+++ b/ui/site/admin-view-requests.html
@@ -0,0 +1,185 @@
+ + + + + + + Data Bunker - admin / view user requests + + + + + + + + + + + + + + + + + + + + + +
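Review bot: getRequest discards the error from dbobj.userDecrypt (`change2, _ := dbobj.userDecrypt(userTOKEN, change)`), so a failed decryption silently stores whatever change2 holds in record["change"] and the API caller renders it as the real pending change; propagate it instead, `change2, err := dbobj.userDecrypt(userTOKEN, change)` followed by `if err != nil { return nil, err }`. The same function then logs the decrypted payload with `log.Printf("change: %s", change2)` and the whole stored record with `fmt.Printf("request record: %s\n", record)`; both lines write personal data into the process log and should be removed or reduced to the rtoken. The `value.(string)` assertions on record["token"] and record["change"] panic the handler if a stored value is not a string; the two-value form `if s, ok := record["token"].(string); ok { userTOKEN = s }` covers both the lookup and the type in one check. In getRequests the results slice is dead weight: element is a bson.M map, so the "more"/"change" edits already land in records, which is what json.Marshal receives — drop `var results []bson.M` and the append.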
+
+
+ +
+
+

User requests

+

All open requests listed below.

+ + + + + + + + + +
TimeUser Record IdentifierActivityMore
+
+
+
+ + + \ No newline at end of file