From 51e4b3a83983be9bfae6fbcd7f2c95695266779f Mon Sep 17 00:00:00 2001
From: empty <let5sne.mac@gmail.com>
Date: Sat, 27 Dec 2025 16:24:26 +0800
Subject: [PATCH] =?UTF-8?q?docs:=20=E6=9B=B4=E6=96=B0=20API=20=E8=AE=A4?=
 =?UTF-8?q?=E8=AF=81=E9=85=8D=E7=BD=AE=E8=AF=B4=E6=98=8E?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- 添加 new-api/one-api 接入场景说明
- 明确两层安全验证流程
---
 .env.example | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/.env.example b/.env.example
index 1e5bf36..d2f0ea2 100644
--- a/.env.example
+++ b/.env.example
@@ -36,6 +36,10 @@ TUNNEL_TOKEN=
 # CORS_ORIGINS=https://app1.com,https://app2.com
 
 # API Authentication - Protect your API endpoints
-# AUTH_ENABLED=true                    # Enable authentication (required for production)
-# API_KEYS=sk-key1,sk-key2,sk-key3     # Comma-separated API keys (ONLY via env var for security)
-# AUTH_PUBLIC_MODELS=true              # Allow /v1/models without auth
+# Recommended for production or when used as backend for new-api/one-api
+#
+# Security flow: User -> [new-api验证] -> [droid2api验证] -> Factory API
+#
+AUTH_ENABLED=false                     # Set to true to enable authentication
+API_KEYS=sk-internal-secret-key        # Internal key shared with new-api (comma-separated for multiple)
+AUTH_PUBLIC_MODELS=true                # Allow /v1/models without auth