docs: 更新 API 认证配置说明

- 添加 new-api/one-api 接入场景说明
- 明确两层安全验证流程

.env.example

@@ -36,6 +36,10 @@ TUNNEL_TOKEN=
 # CORS_ORIGINS=https://app1.com,https://app2.com
 
 # API Authentication - Protect your API endpoints
-# AUTH_ENABLED=true                    # Enable authentication (required for production)
+# Recommended for production or when used as backend for new-api/one-api
-# API_KEYS=sk-key1,sk-key2,sk-key3     # Comma-separated API keys (ONLY via env var for security)
+#
-# AUTH_PUBLIC_MODELS=true              # Allow /v1/models without auth
+# Security flow: User -> [new-api验证] -> [droid2api验证] -> Factory API
+#
+AUTH_ENABLED=false                     # Set to true to enable authentication
+API_KEYS=sk-internal-secret-key        # Internal key shared with new-api (comma-separated for multiple)
+AUTH_PUBLIC_MODELS=true                # Allow /v1/models without auth