diff --git a/openapi.json b/openapi.json
index 02e9ff1..0fc8af7 100644
--- a/openapi.json
+++ b/openapi.json
@@ -1,5 +1,5 @@
 {
-  "hash": "8428bef64b9fc5a5c46282383ecf8d80999b834f948d8a5b3565c9306068f66b",
+  "hash": "34dedce5ff47f2ac9afe45bfb1b11644bb29350644ea35b7a48ef45ea1d2020f",
   "openapi": "3.0.0",
   "paths": {
     "/hello": {
@@ -5816,6 +5816,17 @@
             "type": "boolean",
             "description": "不存在用户时是否自动注册"
           },
+          "active": {
+            "type": "boolean",
+            "description": "自动注册时是否启用（不传则使用服务端默认）"
+          },
+          "roles": {
+            "description": "自动注册时的角色（不传则使用服务端默认）",
+            "type": "array",
+            "items": {
+              "type": "string"
+            }
+          },
           "ns": {
             "type": "string",
             "description": "命名空间"
@@ -5869,6 +5880,17 @@
             "type": "boolean",
             "description": "不存在用户时是否自动注册"
           },
+          "active": {
+            "type": "boolean",
+            "description": "自动注册时是否启用（不传则使用服务端默认）"
+          },
+          "roles": {
+            "description": "自动注册时的角色（不传则使用服务端默认）",
+            "type": "array",
+            "items": {
+              "type": "string"
+            }
+          },
           "ns": {
             "type": "string",
             "description": "命名空间"
@@ -5914,6 +5936,17 @@
             "type": "boolean",
             "description": "不存在用户时是否自动注册"
           },
+          "active": {
+            "type": "boolean",
+            "description": "自动注册时是否启用（不传则使用服务端默认）"
+          },
+          "roles": {
+            "description": "自动注册时的角色（不传则使用服务端默认）",
+            "type": "array",
+            "items": {
+              "type": "string"
+            }
+          },
           "ns": {
             "type": "string",
             "description": "命名空间"
@@ -6305,6 +6338,10 @@
             "items": {
               "type": "string"
             }
+          },
+          "acl": {
+            "type": "object",
+            "description": "访问控制列表"
           }
         },
         "required": [
diff --git a/src/auth/auth.controller.ts b/src/auth/auth.controller.ts
index ed1ee01..1229933 100644
--- a/src/auth/auth.controller.ts
+++ b/src/auth/auth.controller.ts
@@ -265,6 +265,8 @@ export class AuthController {
         registerIp: dto.registerIp,
         registerRegion: dto.registerRegion,
         type: dto.type,
+        ...(dto.active !== undefined && { active: dto.active }),
+        ...(dto.roles !== undefined && { roles: dto.roles }),
       });
     }
 
@@ -308,6 +310,8 @@ export class AuthController {
         registerIp: dto.registerIp,
         registerRegion: dto.registerRegion,
         type: dto.type,
+        ...(dto.active !== undefined && { active: dto.active }),
+        ...(dto.roles !== undefined && { roles: dto.roles }),
       });
     }
 
@@ -352,6 +356,8 @@ export class AuthController {
         registerIp: dto.registerIp,
         registerRegion: dto.registerRegion,
         type: dto.type,
+        ...(dto.active !== undefined && { active: dto.active }),
+        ...(dto.roles !== undefined && { roles: dto.roles }),
       });
     }
 
@@ -501,10 +507,12 @@ export class AuthController {
     }
 
     const jwtpayload: JwtPayload = {
+      roles: user.roles,
       ns: user.ns,
       type: user.type,
       groups: user.groups,
       permissions: dto.permissions,
+      acl: dto.acl,
     };
 
     const token = this.jwtService.sign(jwtpayload, {
diff --git a/src/auth/dto/login.dto.ts b/src/auth/dto/login.dto.ts
index 6fec2e3..d1b54f1 100644
--- a/src/auth/dto/login.dto.ts
+++ b/src/auth/dto/login.dto.ts
@@ -47,6 +47,20 @@ export class LoginByPhoneDto {
   @IsBoolean()
   autoRegister?: boolean;
 
+  /**
+   * 自动注册时是否启用（不传则使用服务端默认）
+   */
+  @IsOptional()
+  @IsBoolean()
+  active?: boolean;
+
+  /**
+   * 自动注册时的角色（不传则使用服务端默认）
+   */
+  @IsOptional()
+  @IsString({ each: true })
+  roles?: string[];
+
   /**
    * 命名空间
    */
@@ -105,6 +119,20 @@ export class LoginByPhoneQuickAuthDto {
   @IsBoolean()
   autoRegister?: boolean;
 
+  /**
+   * 自动注册时是否启用（不传则使用服务端默认）
+   */
+  @IsOptional()
+  @IsBoolean()
+  active?: boolean;
+
+  /**
+   * 自动注册时的角色（不传则使用服务端默认）
+   */
+  @IsOptional()
+  @IsString({ each: true })
+  roles?: string[];
+
   /**
    * 命名空间
    */
@@ -178,6 +206,20 @@ export class LoginByEmailDto {
   @IsBoolean()
   autoRegister?: boolean;
 
+  /**
+   * 自动注册时是否启用（不传则使用服务端默认）
+   */
+  @IsOptional()
+  @IsBoolean()
+  active?: boolean;
+
+  /**
+   * 自动注册时的角色（不传则使用服务端默认）
+   */
+  @IsOptional()
+  @IsString({ each: true })
+  roles?: string[];
+
   /**
    * 命名空间
    */
diff --git a/src/auth/dto/sign-token.dto.ts b/src/auth/dto/sign-token.dto.ts
index 1df4b7e..5d66f77 100644
--- a/src/auth/dto/sign-token.dto.ts
+++ b/src/auth/dto/sign-token.dto.ts
@@ -1,4 +1,6 @@
-import { IsNotEmpty, IsOptional, IsString } from 'class-validator';
+import { IsNotEmpty, IsObject, IsOptional, IsString } from 'class-validator';
+
+import { Acl } from 'src/auth/entities/jwt.entity';
 
 export class SignTokenDto {
   /**
@@ -35,4 +37,11 @@ export class SignTokenDto {
   @IsOptional()
   @IsString({ each: true })
   permissions?: string[];
+
+  /**
+   * 访问控制列表
+   */
+  @IsOptional()
+  @IsObject()
+  acl?: Acl;
 }