diff --git a/.env.example b/.env.example
index 1e5bf36..d2f0ea2 100644
--- a/.env.example
+++ b/.env.example
@@ -36,6 +36,10 @@ TUNNEL_TOKEN=
 # CORS_ORIGINS=https://app1.com,https://app2.com
 
 # API Authentication - Protect your API endpoints
-# AUTH_ENABLED=true                    # Enable authentication (required for production)
-# API_KEYS=sk-key1,sk-key2,sk-key3     # Comma-separated API keys (ONLY via env var for security)
-# AUTH_PUBLIC_MODELS=true              # Allow /v1/models without auth
+# Recommended for production or when used as backend for new-api/one-api
+#
+# Security flow: User -> [new-api验证] -> [droid2api验证] -> Factory API
+#
+AUTH_ENABLED=false                     # Set to true to enable authentication
+API_KEYS=sk-internal-secret-key        # Internal key shared with new-api (comma-separated for multiple)
+AUTH_PUBLIC_MODELS=true                # Allow /v1/models without auth