diff --git a/frontends/wechatapp.py b/frontends/wechatapp.py
index 52aee39a..5b9591be 100644
--- a/frontends/wechatapp.py
+++ b/frontends/wechatapp.py
@@ -6,6 +6,10 @@
 sys.path.insert(0, os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
 _TEMP_DIR = os.path.join(os.path.dirname(os.path.dirname(os.path.abspath(__file__))), 'temp')
 from agentmain import GeneraticAgent
+from llmcore import mykeys
+from chatapp_common import public_access
+
+ALLOWED = {str(x).strip() for x in mykeys.get('wechat_allowed_users', []) if str(x).strip()}
 
 # ── WxBotClient (inline from wx_bot_client.py) ──
 API = 'https://ilinkai.weixin.qq.com'
@@ -233,6 +237,9 @@ def on_message(bot, msg):
     text = bot.extract_text(msg).strip()
     uid = msg.get('from_user_id', '')
     ctx = msg.get('context_token', '')
+    if not public_access(ALLOWED) and uid not in ALLOWED:
+        print(f'[WX] unauthorized user: {uid}', file=sys.__stdout__)
+        return
     media_paths = _dl_media(msg.get('item_list', []))
     if not text and not media_paths: return
     if media_paths:
diff --git a/mykey_template.py b/mykey_template.py
index 9f938e7c..3b522ca6 100644
--- a/mykey_template.py
+++ b/mykey_template.py
@@ -392,6 +392,7 @@
 # wecom_secret = 'your_bot_secret'
 # wecom_allowed_users = ['your_user_id']            # 留空或 ['*'] 表示允许所有企业微信用户
 # wecom_welcome_message = '你好，我在线上。'
+# wechat_allowed_users = ['from_user_id']           # 留空或 ['*'] 表示允许所有微信用户
 # dingtalk_client_id = 'your_app_key'
 # dingtalk_client_secret = 'your_app_secret'
 # dingtalk_allowed_users = ['your_staff_id']        # 留空或 ['*'] 表示允许所有钉钉用户