diff --git a/middleware/auth.go b/middleware/auth.go
index 78a091a..bc0ab29 100644
--- a/middleware/auth.go
+++ b/middleware/auth.go
@@ -29,8 +29,10 @@ func NewJWTService(secret string, expiresIn time.Duration) *JWTService {
 // 生成带HMAC签名的Token
 func (s *JWTService) GenerateToken() (string, error) {
 	claims := jwt.MapClaims{
-		"exp": time.Now().Add(s.expiresIn).Unix(),
-		"iat": time.Now().Unix(),
+		"exp":       time.Now().Add(s.expiresIn).Unix(),
+		"iat":       time.Now().Unix(),
+		"tokenType": "device",
+		"issuedBy":  "device-auth",
 	}
 
 	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
diff --git a/routes/routes.go b/routes/routes.go
index e09405b..a911e74 100644
--- a/routes/routes.go
+++ b/routes/routes.go
@@ -17,6 +17,26 @@ func SetupRouter() *gin.Engine {
 	kindergartenAdminController := controllers.NewKindergartenAdminController()
 	userAdminController := controllers.NewUserAdminController()
 	systemDebugController := controllers.NewSystemDebugController()
+	deviceTokenHandler := func(c *gin.Context) {
+		clientSecret := c.GetHeader("X-API-Key")
+		if clientSecret != middleware.ApiSecret {
+			c.JSON(http.StatusUnauthorized, gin.H{"error": "invalid secret"})
+			return
+		}
+
+		token, err := jwtService.GenerateToken()
+		if err != nil {
+			c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to generate token"})
+			return
+		}
+
+		c.JSON(http.StatusOK, gin.H{
+			"token":     token,
+			"tokenType": "device",
+		})
+	}
+
+	r.GET("/auth/token", deviceTokenHandler)
 
 	v1 := r.Group("/api/v1")
 	{
@@ -69,22 +89,7 @@ func SetupRouter() *gin.Engine {
 		}
 		auth := v1.Group("/auth")
 		{
-			auth.GET("/token", func(c *gin.Context) {
-
-				clientSecret := c.GetHeader("X-API-Key")
-				if clientSecret != middleware.ApiSecret {
-					c.JSON(http.StatusUnauthorized, gin.H{"error": "invalid secret"})
-					return
-				}
-
-				token, err := jwtService.GenerateToken()
-				if err != nil {
-					c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to generate token"})
-					return
-				}
-
-				c.JSON(http.StatusOK, gin.H{"token": token})
-			})
+			auth.GET("/token", deviceTokenHandler)
 		}
 	}
 	return r