diff --git a/packages/napcat-develop/loadNapCat.cjs b/packages/napcat-develop/loadNapCat.cjs
index aa58889a..1e43cffc 100644
--- a/packages/napcat-develop/loadNapCat.cjs
+++ b/packages/napcat-develop/loadNapCat.cjs
@@ -74,7 +74,9 @@ async function copyAll () {
   process.env.NAPCAT_QQ_VERSION_CONFIG_PATH = path.join(TARGET_DIR, 'config.json');
   process.env.NAPCAT_DISABLE_PIPE = '1';
   process.env.NAPCAT_WORKDIR = TARGET_DIR;
-
+  // 开发环境使用固定密钥
+  process.env.NAPCAT_WEBUI_JWT_SECRET_KEY = 'napcat_dev_secret_key';
+  process.env.NAPCAT_WEBUI_SECRET_KEY = 'napcat';
   console.log('Loading NapCat module...');
   await import(pathToFileURL(NAPCAT_MJS_PATH).href);
 }
diff --git a/packages/napcat-webui-backend/index.ts b/packages/napcat-webui-backend/index.ts
index af9e39ff..012d7d7d 100644
--- a/packages/napcat-webui-backend/index.ts
+++ b/packages/napcat-webui-backend/index.ts
@@ -92,7 +92,7 @@ export async function InitWebUi (logger: LogWrapper, pathWrapper: NapCatPathWrap
 
   // 检查并更新默认密码 - 最高优先级
   if (config.token === 'napcat' || !config.token) {
-    const randomToken = getRandomToken(8);
+    const randomToken = process.env['NAPCAT_WEBUI_SECRET_KEY'] || getRandomToken(8);
     await WebUiConfig.UpdateWebUIConfig({ token: randomToken });
     logger.log('[NapCat] [WebUi] 检测到默认密码，已自动更新为安全密码');
 
diff --git a/packages/napcat-webui-backend/src/helper/SignToken.ts b/packages/napcat-webui-backend/src/helper/SignToken.ts
index 2d8fb6d9..40d61683 100644
--- a/packages/napcat-webui-backend/src/helper/SignToken.ts
+++ b/packages/napcat-webui-backend/src/helper/SignToken.ts
@@ -2,7 +2,7 @@ import crypto from 'crypto';
 import store from 'napcat-common/src/store';
 import type { WebUiCredentialJson, WebUiCredentialInnerJson } from '@/napcat-webui-backend/src/types';
 export class AuthHelper {
-  private static readonly secretKey = Math.random().toString(36).slice(2);
+  private static readonly secretKey = process.env['NAPCAT_WEBUI_JWT_SECRET_KEY'] || Math.random().toString(36).slice(2);
 
   /**
      * 签名凭证方法。