diff --git a/doc/prompts/auth-web.mdx b/doc/prompts/auth-web.mdx
index e2c70abf..edb69a28 100644
--- a/doc/prompts/auth-web.mdx
+++ b/doc/prompts/auth-web.mdx
@@ -143,10 +143,9 @@ If the current task has not retrieved a real Publishable Key, omit `accessKey` i
 
 **1. Phone OTP (Recommended)**
 - Automatically use `auth-tool-cloudbase` to turn on `SMS Login` through `manageAppAuth`
-- Send the phone number to `auth.signInWithOtp({ phone, ... })`, then call the returned `verifyOtp({ token })`.
-- `signInWithOtp` can automatically create a new user if the user does not exist; control this via `shouldCreateUser` parameter (default `true`).
+- For phone registration, send the phone number to `auth.signUp({ phone, ... })` first, then call the returned `verifyOtp({ token })`. Do not swap the order.
 ```js
-const { data, error } = await auth.signInWithOtp({ phone: '13800138000' })
+const { data, error } = await auth.signUp({ phone: '13800138000' })
 const { data: loginData, error: loginError } = await data.verifyOtp({ token:'123456' })
 ```
 
diff --git a/mcp/src/tools/permissions.ts b/mcp/src/tools/permissions.ts
index 350bc3f3..b580e275 100644
--- a/mcp/src/tools/permissions.ts
+++ b/mcp/src/tools/permissions.ts
@@ -593,7 +593,7 @@ export function registerPermissionTools(server: ExtendedMcpServer) {
         uid: z.string().optional(),
         uids: z.array(z.string()).optional(),
         username: z.string().optional(),
-        password: z.string().optional(),
+        password: z.string().optional().describe("当 action='createUser' 时，password 为必填参数"),
         userStatus: z.enum(["ACTIVE", "BLOCKED"]).optional(),
       },
       annotations: {