diff --git a/src/plugins/apiauth.ts b/src/plugins/apiauth.ts
index b70aea9..3a75e84 100644
--- a/src/plugins/apiauth.ts
+++ b/src/plugins/apiauth.ts
@@ -8,6 +8,9 @@ import fastifyPlugin from 'fastify-plugin'
 import { User } from '../models/User'
 import { ZError } from '../common/ZError'
 
+const isProd = process.env.NODE_ENV === 'production'
+const SERVER_TOKEN = 'ibDbuTmpQn3f48uJr2mBMkGrqvIhSbIg'
+
 declare module 'fastify' {
   interface FastifyInstance {
     apiAuth: (request: FastifyRequest, reply: FastifyReply) => {};
@@ -29,7 +32,10 @@ const apiAuthPlugin: FastifyPluginAsync = async function (
   fastify.decorate('apiAuth', async function (request: FastifyRequest, reply: FastifyReply) {
     if (request.url.startsWith('/svr')) {
       // @ts-ignore
-      let { accountid } = request.params
+      let { accountid, token } = request.params
+      if (isProd && (!token || token != SERVER_TOKEN)) {
+        throw new ZError(403, 'no auth')
+      }
       if (accountid) {
         request.user = await User.findById(accountid)
       }
diff --git a/src/service/mail.ts b/src/service/mail.ts
index 47ae0b9..3646215 100644
--- a/src/service/mail.ts
+++ b/src/service/mail.ts
@@ -1,7 +1,8 @@
 import axios from 'axios'
 import { generateKeyValStr } from '../utils/string.util'
 
-const MAIL_ATTACHMENT_URL = 'https://gamemail.kingsome.cn/webapp/index.php?c=Mail&a=getAttachment'
+const isProd = process.env.NODE_ENV === 'production'
+const MAIL_ATTACHMENT_URL = `https://gamemail${isProd ? '' : '-test'}.kingsome.cn/webapp/index.php?c=Mail&a=getAttachment`
 
 /**
  * 领取邮件附件