diff --git a/DESIGN.md b/DESIGN.md
index 4bf40d7..4e64ff2 100644
--- a/DESIGN.md
+++ b/DESIGN.md
@@ -12,15 +12,16 @@ npm install
 npm start                    # 默认 3000 端口, ./storage 目录
 PORT=8080 npm start         # 指定端口
 STORAGE_DIR=/data myoss     # 指定存储目录
-PORT=8080 STORAGE_DIR=/data myoss  # 同时指定
+
+# 首次启动需要设置管理员密码
+ADMIN_PASSWORD=yourpassword npm start
 ```
 
-## 使用方法
-
-### 1. 创建首个 API Key（bootstrap）
+### 初始化首个 API Key
 ```bash
-curl -X POST http://localhost:3000/api/keys/bootstrap -H "Content-Type: application/json" -d '{"name":"root"}'
-# 返回: {"key":"xxx","name":"root"}
+curl -X POST http://localhost:3000/api/keys/bootstrap \
+  -H "Content-Type: application/json" \
+  -d '{"password":"yourpassword","name":"root"}'
 ```
 
 ### 2. 上传文件
diff --git a/config/index.js b/config/index.js
index d2a1af1..86bba3d 100644
--- a/config/index.js
+++ b/config/index.js
@@ -1,5 +1,8 @@
 module.exports = {
   port: process.env.PORT || 3000,
+  admin: {
+    password: process.env.ADMIN_PASSWORD || '',
+  },
   storage: {
     baseDir: process.env.STORAGE_DIR || './storage',
     get filesDir() { return this.baseDir + '/files'; },
diff --git a/src/routes/index.js b/src/routes/index.js
index a7e6296..088425a 100644
--- a/src/routes/index.js
+++ b/src/routes/index.js
@@ -22,16 +22,20 @@ const initModels = async () => {
 initModels().catch(console.error);
 
 router.post('/keys/bootstrap', async (req, res) => {
-  if (!models) return res.status(500).json({ error: 'Not initialized' });
-  const { APIKey } = models;
+  const { APIKey } = getModels();
   const count = APIKey.count();
   if (count > 0) {
     return res.status(403).json({ error: 'Bootstrap not allowed' });
   }
   
+  const { password, name } = req.body;
+  if (!config.admin.password || password !== config.admin.password) {
+    return res.status(401).json({ error: 'Invalid admin password' });
+  }
+  
   const key = CryptoJS.lib.WordArray.random(16).toString();
-  const name = req.body.name || 'Root';
-  const apiKey = APIKey.create({ key, name, ownerId: 0 });
+  const keyName = name || 'Root';
+  const apiKey = APIKey.create({ key, name: keyName, ownerId: 0 });
   
   const dir = path.join(config.storage.filesDir, 'root');
   if (!fs.existsSync(dir)) {