diff --git a/backend/app/Controller/api/v1/AuthController.php b/backend/app/Controller/api/v1/AuthController.php
index 4124653..ce814df 100644
--- a/backend/app/Controller/api/v1/AuthController.php
+++ b/backend/app/Controller/api/v1/AuthController.php
@@ -246,8 +246,10 @@ class AuthController extends AbstractController
 ])->withStatus(403);
 }
 
- // 生成 Access Token
- $token = $auth->guard('jwt')->login($user);
+ $user->load('role');
+
+ // 生成 Access Token(注入 role 到 JWT payload,前端从 JWT 解码 role 作为可信权限来源)
+ $token = $auth->guard('jwt')->login($user, ['role' => $user->role?->name ?? 'accessor']);
 
 // 生成 Refresh Token
 $refreshToken = bin2hex(random_bytes(32));
@@ -255,8 +257,6 @@ class AuthController extends AbstractController
 $user->refresh_token_expires_at = Carbon::now()->addDays(30);
 $user->save();
 
- $user->load('role');
-
 OperationLogService::log(
 user_id: $user->id,
 action: 'auth.login',
@@ -355,8 +355,9 @@ class AuthController extends AbstractController
 ])->withStatus(403);
 }
 
- // 生成新的 Access Token
- $token = $auth->guard('jwt')->login($user);
+ // 生成新的 Access Token(注入 role 到 JWT payload)
+ $user->load('role');
+ $token = $auth->guard('jwt')->login($user, ['role' => $user->role?->name ?? 'accessor']);
 
 // 生成新的 Refresh Token(轮换以提升安全性)
 $newRefreshToken = bin2hex(random_bytes(32));
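Review bot: The comment on the added `login($user, ['role' => ...])` line in the first hunk calls the role the frontend decodes from the JWT a "trusted permission source", but a claim read on the client can only gate UI; authorization has to be enforced on the server from the signature-verified token or the database, so the comment should say so, e.g. `// role 仅用于前端 UI 展示;权限判断以服务端校验签名后的 claim/数据库为准`. The role claim is also a snapshot at issue time: a role change or revocation is only picked up at refresh (the third hunk reloads `role`) or at access-token expiry, so the access-token TTL bounds how long a stale role remains valid and that is worth stating next to the claim. The `?? 'accessor'` fallback silently mints a token for a user with no role in both the first and third hunk; hoisting it to `private const DEFAULT_ROLE = 'accessor';` and sharing one helper for `load('role')` + `login(...)` keeps the two paths from drifting. Both enclosing methods begin and end outside the hunks.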