diff --git a/app/api/config/route.ts b/app/api/config/route.ts
index e04e22a0c..90596c5ae 100644
--- a/app/api/config/route.ts
+++ b/app/api/config/route.ts
@@ -8,6 +8,7 @@ const serverConfig = getServerSideConfig();
 // 警告!不要在这里写入任何敏感信息!
 const DANGER_CONFIG = {
 needCode: serverConfig.needCode,
+ disableUserToken: serverConfig.disableUserToken,
 };
 declare global {
@@ -17,5 +18,6 @@ declare global {
 export async function POST(req: NextRequest) {
 return NextResponse.json({
 needCode: serverConfig.needCode,
+ disableUserToken: serverConfig.disableUserToken,
 });
 }
diff --git a/app/components/settings.tsx b/app/components/settings.tsx
index 4dba46b43..d5f784aac 100644
--- a/app/components/settings.tsx
+++ b/app/components/settings.tsx
@@ -215,8 +215,8 @@ export function Settings() {
 }
 const accessStore = useAccessStore();
- const enabledAccessControl = useMemo(
- () => accessStore.enabledAccessControl(),
+ const accessControl = useMemo(
+ () => accessStore.accessControl(),
 // eslint-disable-next-line react-hooks/exhaustive-deps
 [],
 );
@@ -450,7 +450,7 @@ export function Settings() { - {enabledAccessControl ? ( + {accessControl.needCode ? ( )} - - { - accessStore.updateToken(e.currentTarget.value); - }} - /> - + {!accessControl.disableUserToken ? ( + + { + accessStore.updateToken(e.currentTarget.value); + }} + /> + + ) : ( + <> + )} { code: process.env.CODE, codes: ACCESS_CODES, needCode: ACCESS_CODES.size > 0, + disableUserToken: process.env.DISABLE_USER_TOKEN === "true", proxyUrl: process.env.PROXY_URL, isVercel: !!process.env.VERCEL, };
diff --git a/app/requests.ts b/app/requests.ts
index 0e7570904..d3be4d925 100644
--- a/app/requests.ts
+++ b/app/requests.ts
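Review bot: The list of fields sent to the browser is now maintained in two places, `DANGER_CONFIG` in this hunk and the object literal inside `POST` in the `@@ -17,5` hunk, and each new field has to be added to both by hand. Because this object is the allow-list of server settings that leave the server, a single definition is easier to audit: `return NextResponse.json(DANGER_CONFIG);`. The new `disableUserToken` value is a boolean and is consistent with the existing warning comment that nothing sensitive belongs here.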
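Review bot: `useMemo` with an empty dependency list keeps whatever `accessStore.accessControl()` returned on the first render, and that call (see `app/store/access.ts` in this commit) triggers `fetch()` and then reads the store straight away. If `fetch()` completes asynchronously, which its body outside this diff would have to confirm, the memo can hold the defaults `needCode: true` and `disableUserToken: false`, so the token field stays visible until the component remounts. Reading the flag through a store selector would follow the fetched value: `const disableUserToken = useAccessStore((s) => s.disableUserToken);`. Hiding the field is presentation only; the check that counts is the one in `middleware.ts`. `Settings` starts and ends outside this hunk.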
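Review bot: `process.env.DISABLE_USER_TOKEN === "true"` accepts only the exact lowercase string, so `TRUE`, `True` or `1` leave user tokens enabled with no sign that the setting was ignored. For a flag whose purpose is to restrict access, a misspelt value should not quietly fall back to the permissive state; normalising first, `(process.env.DISABLE_USER_TOKEN ?? "").trim().toLowerCase() === "true"`, or logging the parsed value at start-up would make a misconfiguration visible. The file and hunk headers for this change are missing from the page, so the enclosing function is not visible here.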
@@ -50,11 +50,16 @@ function getHeaders() {
 const accessStore = useAccessStore.getState();
 let headers: Record = {};
- if (accessStore.enabledAccessControl()) {
+ const accessControl = accessStore.accessControl();
+ if (accessControl.needCode) {
 headers["access-code"] = accessStore.accessCode;
 }
- if (accessStore.token && accessStore.token.length > 0) {
+ if (
+ !accessControl.disableUserToken &&
+ accessStore.token &&
+ accessStore.token.length > 0
+ ) {
 headers["token"] = accessStore.token;
 }
diff --git a/app/store/access.ts b/app/store/access.ts
index aed131684..bb4ac2d9a 100644
--- a/app/store/access.ts
+++ b/app/store/access.ts
@@ -6,10 +6,14 @@ export interface AccessControlStore {
 token: string;
 needCode: boolean;
+ disableUserToken: boolean;
 updateToken: (_: string) => void;
 updateCode: (_: string) => void;
- enabledAccessControl: () => boolean;
+ accessControl: () => {
+ needCode: boolean;
+ disableUserToken: boolean;
+ };
 isAuthorized: () => boolean;
 fetch: () => void;
 }
@@ -24,10 +28,14 @@ export const useAccessStore = create()(
 token: "",
 accessCode: "",
 needCode: true,
- enabledAccessControl() {
+ disableUserToken: false,
+ accessControl() {
 get().fetch();
- return get().needCode;
+ return {
+ needCode: get().needCode,
+ disableUserToken: get().disableUserToken,
+ };
 },
 updateCode(code: string) {
 set((state) => ({ accessCode: code }));
@@ -37,8 +45,11 @@ export const useAccessStore = create()(
 },
 isAuthorized() {
 // has token or has code or disabled access control
+ const accessControl = get().accessControl();
 return (
- !!get().token || !!get().accessCode || !get().enabledAccessControl()
+ !accessControl.needCode ||
+ !!get().accessCode ||
+ (!!get().token && !accessControl.disableUserToken)
 );
 },
 fetch() {
diff --git a/middleware.ts b/middleware.ts
index d16a812d9..ea47b8eda 100644
--- a/middleware.ts
+++ b/middleware.ts
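Review bot: Nothing in `getHeaders` says that leaving out the `token` header is a convenience and not the control itself. `accessControl()` reflects only what the client last fetched, and a modified client can send the header regardless, so the decision that counts is the `disableUserToken` check in `middleware.ts`. A comment above the new condition would keep that clear for the next reader: `// UI-side only; the server ignores client tokens when disableUserToken is set (see middleware.ts)`. `getHeaders` continues outside the hunk.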
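Review bot: The comment kept above the return in `isAuthorized`, `// has token or has code or disabled access control`, no longer matches the condition, because a stored token now counts only when `disableUserToken` is false. Suggested wording: `// authorized if no code is required, a code is entered, or a token is entered and user tokens are allowed`. The method also now calls `accessControl()` unconditionally, where the old expression reached `enabledAccessControl()` only when both the token and the code were empty, so the `fetch()` inside it runs on every `isAuthorized()` call. Whether that repeats a network request depends on the `fetch()` body, which is outside the diff.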
@@ -30,7 +30,7 @@ export function middleware(req: NextRequest) {
 console.log("[User IP] ", getIP(req));
 console.log("[Time] ", new Date().toLocaleString());
- if (serverConfig.needCode && !serverConfig.codes.has(hashedCode) && !token) {
+ if (serverConfig.needCode && !serverConfig.codes.has(hashedCode) && (!token || serverConfig.disableUserToken)) {
 return NextResponse.json(
 {
 error: true,
@@ -44,7 +44,7 @@ export function middleware(req: NextRequest) {
 }
 // inject api key
- if (!token) {
+ if (!token || serverConfig.disableUserToken) {
 const apiKey = serverConfig.apiKey;
 if (apiKey) {
 console.log("[Auth] set system token");
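Review bot: The sub-expression `!token || serverConfig.disableUserToken` is now written out twice, in the rejection check here and in the key-injection check in the `@@ -44,7` hunk, and the gate holds only while the two copies stay identical. Computing it once and naming it, `const useSystemKey = !token || serverConfig.disableUserToken;`, then testing `useSystemKey` in both `if` statements removes that risk and shortens the first condition to a readable length. `middleware` starts and ends outside both hunks.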
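Review bot: With `disableUserToken` set, a request that carries its own `token` now enters the system-key branch with that client value still attached to the request. The hunk ends at the `console.log`, so it is not visible whether the path where `apiKey` is empty rejects the request or lets the client header pass through; that path should fail closed. A log line recording that the client token was discarded, without printing the token, would also make the `[Auth]` output easier to read, e.g. `console.log("[Auth] user token ignored, disableUserToken is set");`.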