diff --git a/README.md b/README.md
index 3b17f49..ca30091 100644
--- a/README.md
+++ b/README.md
@@ -49,7 +49,12 @@ CREATE TABLE IF NOT EXISTS logs (
 ```
 8. 选择部署完成short项目，前往后台依次点击`设置`->`函数`->`D1 数据库绑定`->`编辑绑定`->变量名称填写：`DB` 命名空间 `选择你提前创建好的D1` 数据库绑定
 
-9. 重新部署项目，完成。
+9. （可选）如需启用访问令牌保护，前往`设置`->`环境变量`，添加环境变量：
+   - 变量名称：`ACCESS_TOKEN`
+   - 值：设置你的访问令牌（例如：`your-secret-token-here`）
+   - 如果设置了此环境变量，所有创建短链接的请求都需要在 Authorization 头中提供该令牌
+
+10. 重新部署项目，完成。
 
 
 ### API
@@ -63,6 +68,9 @@ curl -X POST -H "Content-Type: application/json" -d '{"url":"https://131213.xyz"
 # 指定slug
 curl -X POST -H "Content-Type: application/json" -d '{"url":"https://131213.xyz","slug":"scxs"}' https://d.131213.xyz/create
 
+# 使用访问令牌（如果服务器设置了 ACCESS_TOKEN 环境变量）
+curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer your-token-here" -d '{"url":"https://131213.xyz"}' https://d.131213.xyz/create
+
 ```
 
 
diff --git a/functions/create.js b/functions/create.js
index 88f5d53..7a48229 100644
--- a/functions/create.js
+++ b/functions/create.js
@@ -22,7 +22,7 @@ export async function onRequest(context) {
             headers: {
                 'Access-Control-Allow-Origin': '*',
                 'Access-Control-Allow-Methods': 'POST, OPTIONS',
-                'Access-Control-Allow-Headers': 'Content-Type',
+                'Access-Control-Allow-Headers': 'Content-Type, Authorization',
                 'Access-Control-Max-Age': '86400', // 24小时
             },
         });
@@ -49,9 +49,23 @@ export async function onRequest(context) {
     const { url, slug } = await request.json();
     const corsHeaders = {
         'Access-Control-Allow-Origin': '*',
-        'Access-Control-Allow-Headers': 'Content-Type',
+        'Access-Control-Allow-Headers': 'Content-Type, Authorization',
         'Access-Control-Max-Age': '86400', // 24 hours
     };
+
+    // Check ACCESS_TOKEN if set
+    if (env.ACCESS_TOKEN) {
+        const authHeader = request.headers.get('Authorization');
+        const token = authHeader?.replace('Bearer ', '');
+        
+        if (!token || token !== env.ACCESS_TOKEN) {
+            return Response.json({ message: 'Unauthorized: Invalid or missing access token.' }, {
+                headers: corsHeaders,
+                status: 401
+            });
+        }
+    }
+
     if (!url) return Response.json({ message: 'Missing required parameter: url.' });
 
     // url格式检查
diff --git a/index.html b/index.html
index 8556421..e5b21b9 100644
--- a/index.html
+++ b/index.html
@@ -213,6 +213,10 @@
           <input placeholder="slug" x-model="slug" />
           <small>Slug 默认是随机生成的短 id。</small>
         </div>
+        <div>
+          <input placeholder="access token (可选)" x-model="token" type="password" />
+          <small>如果服务器设置了访问令牌，请在此输入。</small>
+        </div>
       </details>
       <button :class="{ loading }" :disabled="loading || isValidated()" @click="submit($refs, $nextTick)">生成</button>
     </main>
@@ -224,6 +228,7 @@
       const app = {
         url: '',
         slug: '',
+        token: '',
         alert: null,
         loading: false,
         isValidated () {
@@ -246,9 +251,12 @@
           const body = { url: this.url }
           if (this.slug) body.slug = this.slug
 
+          const headers = { 'content-type': 'application/json' }
+          if (this.token) headers['Authorization'] = `Bearer ${this.token}`
+
           fetch('/create', {
             method: 'post',
-            headers: { 'content-type': 'application/json' },
+            headers: headers,
             body: JSON.stringify(body)
           })
             .then(res => res.json())