diff --git a/powerjob-client/src/main/java/tech/powerjob/client/module/AppAuthResult.java b/powerjob-client/src/main/java/tech/powerjob/client/module/AppAuthResult.java index 74c109e2..1e402994 100644 --- a/powerjob-client/src/main/java/tech/powerjob/client/module/AppAuthResult.java +++ b/powerjob-client/src/main/java/tech/powerjob/client/module/AppAuthResult.java @@ -5,6 +5,7 @@ import lombok.Setter; import lombok.ToString; import java.io.Serializable; +import java.util.Map; /** * App 鉴权响应 @@ -21,5 +22,9 @@ public class AppAuthResult implements Serializable { private String token; - private String extra; + /** + * 额外参数 + * 有安全需求的开发者可执行扩展 + */ + private Map extra; } diff --git a/powerjob-server/powerjob-server-auth/src/main/java/tech/powerjob/server/auth/common/AuthErrorCode.java b/powerjob-common/src/main/java/tech/powerjob/common/enums/ErrorCodes.java similarity index 65% rename from powerjob-server/powerjob-server-auth/src/main/java/tech/powerjob/server/auth/common/AuthErrorCode.java rename to powerjob-common/src/main/java/tech/powerjob/common/enums/ErrorCodes.java index 29958cc4..81a65792 100644 --- a/powerjob-server/powerjob-server-auth/src/main/java/tech/powerjob/server/auth/common/AuthErrorCode.java +++ b/powerjob-common/src/main/java/tech/powerjob/common/enums/ErrorCodes.java @@ -1,4 +1,4 @@ -package tech.powerjob.server.auth.common; +package tech.powerjob.common.enums; import lombok.AllArgsConstructor; import lombok.Getter; @@ -11,7 +11,7 @@ import lombok.Getter; */ @Getter @AllArgsConstructor -public enum AuthErrorCode { +public enum ErrorCodes { USER_NOT_LOGIN("-100", "UserNotLoggedIn"), USER_NOT_EXIST("-101", "UserNotExist"), 
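Review bot: `private Map extra;` in AppAuthResult is a raw type, so clients receive an unchecked `Map` and nothing states what keys or value types the extension data has; declare it as `private Map<String, Object> extra;` (or `Map<String, String>` if the values are always strings) and name the producer in the Javadoc. The Javadoc line `有安全需求的开发者可执行扩展` would read in English as `Extension point: deployments with additional security requirements may populate this map with extra auth data; unused by the default server.` Since the class is Serializable and appears to be the response body handed to OpenAPI clients, a typed map also keeps the serializer from having to guess at the element types.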
@@ -33,7 +33,18 @@ public enum AuthErrorCode { INVALID_TOKEN("-401", "INVALID_TOKEN"), - OPEN_API_AUTH_FAILED("-1001", "OPEN_API_AUTH_FAILED"), + INVALID_APP("-402", "INVALID_APP"), + + /** + * 系统内部异常 + */ + SYSTEM_UNKNOWN_ERROR("-500", "SYS_UNKNOWN_ERROR"), + + /** + * OPENAPI 错误码号段 -10XX + */ + OPEN_API_PASSWORD_ERROR("-1001", "OPEN_API_PASSWORD_ERROR"), + OPEN_API_AUTH_FAILED("-1002", "OPEN_API_AUTH_FAILED"), ; diff --git a/powerjob-common/src/main/java/tech/powerjob/common/exception/PowerJobException.java b/powerjob-common/src/main/java/tech/powerjob/common/exception/PowerJobException.java index 3ce68960..442e5bcd 100644 --- a/powerjob-common/src/main/java/tech/powerjob/common/exception/PowerJobException.java +++ b/powerjob-common/src/main/java/tech/powerjob/common/exception/PowerJobException.java @@ -2,6 +2,7 @@ package tech.powerjob.common.exception; import lombok.Getter; import lombok.Setter; +import tech.powerjob.common.enums.ErrorCodes; /** * PowerJob 运行时异常 @@ -22,6 +23,11 @@ public class PowerJobException extends RuntimeException { super(message); } + public PowerJobException(ErrorCodes errorCode, String extraMsg) { + super(extraMsg == null ? errorCode.getMsg() : errorCode.getMsg().concat(":").concat(extraMsg)); + this.code = errorCode.getCode(); + } + public PowerJobException(String message, Throwable cause) { super(message, cause); } diff --git a/powerjob-common/src/main/java/tech/powerjob/common/response/PowerResultDTO.java b/powerjob-common/src/main/java/tech/powerjob/common/response/PowerResultDTO.java index e7dea0b9..e582f764 100644 --- a/powerjob-common/src/main/java/tech/powerjob/common/response/PowerResultDTO.java +++ b/powerjob-common/src/main/java/tech/powerjob/common/response/PowerResultDTO.java 
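Review bot: OPEN_API_AUTH_FAILED is renumbered from -1001 to -1002 while the new OPEN_API_PASSWORD_ERROR takes -1001, so an existing client that switches on -1001 to mean "token rejected, re-authenticate" will now see that case as -1002 and a wrong password as -1001. Keeping the already-published code stable, `OPEN_API_AUTH_FAILED("-1001", "OPEN_API_AUTH_FAILED"), OPEN_API_PASSWORD_ERROR("-1002", "OPEN_API_PASSWORD_ERROR"),`, avoids the silent reinterpretation. Surfacing a distinct password-error code to unauthenticated callers is also a choice worth a comment on the enum, since it confirms to the caller that the app name was right.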
@@ -3,6 +3,8 @@ package tech.powerjob.common.response; import lombok.Getter; import lombok.Setter; import org.apache.commons.lang3.exception.ExceptionUtils; +import tech.powerjob.common.enums.ErrorCodes; +import tech.powerjob.common.exception.PowerJobException; /** * 新的 Result,带状态码 @@ -31,7 +33,15 @@ public class PowerResultDTO extends ResultDTO { } public static PowerResultDTO f(Throwable t) { - return f(ExceptionUtils.getStackTrace(t)); + PowerResultDTO f = f(ExceptionUtils.getStackTrace(t)); + f.setCode(ErrorCodes.SYSTEM_UNKNOWN_ERROR.getCode()); + return f; + } + + public static PowerResultDTO f(PowerJobException pje) { + PowerResultDTO f = f(pje.getMessage()); + f.setCode(pje.getCode()); + return f; } } diff --git a/powerjob-server/powerjob-server-auth/src/main/java/tech/powerjob/server/auth/common/PowerJobAuthException.java b/powerjob-server/powerjob-server-auth/src/main/java/tech/powerjob/server/auth/common/PowerJobAuthException.java index 024dd15f..2b2862e0 100644 --- a/powerjob-server/powerjob-server-auth/src/main/java/tech/powerjob/server/auth/common/PowerJobAuthException.java +++ b/powerjob-server/powerjob-server-auth/src/main/java/tech/powerjob/server/auth/common/PowerJobAuthException.java @@ -1,6 +1,7 @@ package tech.powerjob.server.auth.common; import lombok.Getter; +import tech.powerjob.common.enums.ErrorCodes; import tech.powerjob.common.exception.PowerJobException; /** 
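Review bot: `f(Throwable t)` still places `ExceptionUtils.getStackTrace(t)` in the result message, and now that it is tagged SYSTEM_UNKNOWN_ERROR it is the generic failure body; wherever this DTO is serialized to an external caller — OpenApiInterceptor in this same change does exactly that — the full server stack trace (class names, line numbers, JWT/JDBC internals) goes over the wire. Log the trace server-side and return a generic message instead, e.g. `PowerResultDTO f = f(ErrorCodes.SYSTEM_UNKNOWN_ERROR.getMsg());` with the code set as now, or at most `ExceptionUtils.getMessage(t)` if some detail is needed. The new `f(PowerJobException pje)` overload is fine as its message is built from the ErrorCodes text plus the server-supplied extraMsg.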
@@ -12,12 +13,11 @@ import tech.powerjob.common.exception.PowerJobException; @Getter public class PowerJobAuthException extends PowerJobException { - public PowerJobAuthException(AuthErrorCode errorCode) { + public PowerJobAuthException(ErrorCodes errorCode) { this(errorCode, null); } - public PowerJobAuthException(AuthErrorCode errorCode, String extraMsg) { - super(extraMsg == null ? errorCode.getMsg() : errorCode.getMsg().concat(":").concat(extraMsg)); - this.code = errorCode.getCode(); + public PowerJobAuthException(ErrorCodes errorCode, String extraMsg) { + super(errorCode, extraMsg); } } diff --git a/powerjob-server/powerjob-server-auth/src/main/java/tech/powerjob/server/auth/interceptor/PowerJobAuthInterceptor.java b/powerjob-server/powerjob-server-auth/src/main/java/tech/powerjob/server/auth/interceptor/PowerJobAuthInterceptor.java index 6774fcad..f88d99ee 100644 --- a/powerjob-server/powerjob-server-auth/src/main/java/tech/powerjob/server/auth/interceptor/PowerJobAuthInterceptor.java +++ b/powerjob-server/powerjob-server-auth/src/main/java/tech/powerjob/server/auth/interceptor/PowerJobAuthInterceptor.java @@ -13,7 +13,7 @@ import tech.powerjob.server.auth.LoginUserHolder; import tech.powerjob.server.auth.Permission; import tech.powerjob.server.auth.PowerJobUser; import tech.powerjob.server.auth.RoleScope; -import tech.powerjob.server.auth.common.AuthErrorCode; +import tech.powerjob.common.enums.ErrorCodes; import tech.powerjob.server.auth.common.PowerJobAuthException; import tech.powerjob.server.auth.common.utils.HttpServletUtils; import tech.powerjob.server.auth.service.login.PowerJobLoginService; @@ -59,7 +59,7 @@ public class PowerJobAuthInterceptor implements HandlerInterceptor { // 未登录直接报错,返回固定状态码,前端拦截后跳转到登录页 if (!loginUserOpt.isPresent()) { - throw new PowerJobAuthException(AuthErrorCode.USER_NOT_LOGIN); + throw new PowerJobAuthException(ErrorCodes.USER_NOT_LOGIN); } // 登陆用户进行权限校验 
diff --git a/powerjob-server/powerjob-server-auth/src/main/java/tech/powerjob/server/auth/login/impl/PwjbAccountLoginService.java b/powerjob-server/powerjob-server-auth/src/main/java/tech/powerjob/server/auth/login/impl/PwjbAccountLoginService.java index 024d273d..7e46a844 100644 --- a/powerjob-server/powerjob-server-auth/src/main/java/tech/powerjob/server/auth/login/impl/PwjbAccountLoginService.java +++ b/powerjob-server/powerjob-server-auth/src/main/java/tech/powerjob/server/auth/login/impl/PwjbAccountLoginService.java @@ -6,7 +6,7 @@ import org.springframework.stereotype.Service; import tech.powerjob.common.exception.PowerJobException; import tech.powerjob.common.serialize.JsonUtils; import tech.powerjob.server.auth.common.AuthConstants; -import tech.powerjob.server.auth.common.AuthErrorCode; +import tech.powerjob.common.enums.ErrorCodes; import tech.powerjob.server.auth.common.PowerJobAuthException; import tech.powerjob.server.auth.login.*; import tech.powerjob.server.common.Loggers; @@ -64,13 +64,13 @@ public class PwjbAccountLoginService implements ThirdPartyLoginService { if (StringUtils.isAnyEmpty(username, password)) { Loggers.WEB.debug("[PowerJobLoginService] username or password is empty, login failed!"); - throw new PowerJobAuthException(AuthErrorCode.INVALID_REQUEST); + throw new PowerJobAuthException(ErrorCodes.INVALID_REQUEST); } final Optional userInfoOpt = pwjbUserInfoRepository.findByUsername(username); if (!userInfoOpt.isPresent()) { Loggers.WEB.debug("[PowerJobLoginService] can't find user by username: {}", username); - throw new PowerJobAuthException(AuthErrorCode.USER_NOT_EXIST); + throw new PowerJobAuthException(ErrorCodes.USER_NOT_EXIST); } final PwjbUserInfoDO dbUser = userInfoOpt.get(); 
diff --git a/powerjob-server/powerjob-server-auth/src/main/java/tech/powerjob/server/auth/service/login/impl/PowerJobLoginServiceImpl.java b/powerjob-server/powerjob-server-auth/src/main/java/tech/powerjob/server/auth/service/login/impl/PowerJobLoginServiceImpl.java index f5642ef0..23cba78d 100644 --- a/powerjob-server/powerjob-server-auth/src/main/java/tech/powerjob/server/auth/service/login/impl/PowerJobLoginServiceImpl.java +++ b/powerjob-server/powerjob-server-auth/src/main/java/tech/powerjob/server/auth/service/login/impl/PowerJobLoginServiceImpl.java @@ -14,7 +14,7 @@ import tech.powerjob.common.serialize.JsonUtils; import tech.powerjob.server.auth.LoginUserHolder; import tech.powerjob.server.auth.PowerJobUser; import tech.powerjob.server.auth.common.AuthConstants; -import tech.powerjob.server.auth.common.AuthErrorCode; +import tech.powerjob.common.enums.ErrorCodes; import tech.powerjob.server.auth.common.PowerJobAuthException; import tech.powerjob.server.auth.common.utils.HttpServletUtils; import tech.powerjob.server.auth.jwt.JwtService; @@ -145,7 +145,7 @@ public class PowerJobLoginServiceImpl implements PowerJobLoginService { Optional dbUserInfoOpt = userInfoRepository.findByUsername(jwtBody.getUsername()); if (!dbUserInfoOpt.isPresent()) { - throw new PowerJobAuthException(AuthErrorCode.USER_NOT_EXIST); + throw new PowerJobAuthException(ErrorCodes.USER_NOT_EXIST); } UserInfoDO dbUser = dbUserInfoOpt.get(); 
@@ -160,14 +160,14 @@ public class PowerJobLoginServiceImpl implements PowerJobLoginService { // DB 中的 encryptedToken 存在,代表需要二次校验 if (StringUtils.isNotEmpty(tokenLoginVerifyInfo.getEncryptedToken())) { if (!StringUtils.equals(jwtBody.getEncryptedToken(), tokenLoginVerifyInfo.getEncryptedToken())) { - throw new PowerJobAuthException(AuthErrorCode.INVALID_TOKEN); + throw new PowerJobAuthException(ErrorCodes.INVALID_TOKEN); } ThirdPartyLoginService thirdPartyLoginService = code2ThirdPartyLoginService.get(dbUser.getAccountType()); boolean tokenLoginVerifyOk = thirdPartyLoginService.tokenLoginVerify(dbUser.getOriginUsername(), tokenLoginVerifyInfo); if (!tokenLoginVerifyOk) { - throw new PowerJobAuthException(AuthErrorCode.USER_AUTH_FAILED); + throw new PowerJobAuthException(ErrorCodes.USER_AUTH_FAILED); } } @@ -186,14 +186,14 @@ public class PowerJobLoginServiceImpl implements PowerJobLoginService { private void checkUserStatus(UserInfoDO dbUser) { int accountStatus = Optional.ofNullable(dbUser.getStatus()).orElse(SwitchableStatus.ENABLE.getV()); if (accountStatus == SwitchableStatus.DISABLE.getV()) { - throw new PowerJobAuthException(AuthErrorCode.USER_DISABLED); + throw new PowerJobAuthException(ErrorCodes.USER_DISABLED); } } private ThirdPartyLoginService fetchBizLoginService(String loginType) { final ThirdPartyLoginService loginService = code2ThirdPartyLoginService.get(loginType); if (loginService == null) { - throw new PowerJobAuthException(AuthErrorCode.INVALID_REQUEST, "can't find ThirdPartyLoginService by type: " + loginType); + throw new PowerJobAuthException(ErrorCodes.INVALID_REQUEST, "can't find ThirdPartyLoginService by type: " + loginType); } return loginService; } diff --git a/powerjob-server/powerjob-server-core/src/main/java/tech/powerjob/server/core/service/AppInfoService.java b/powerjob-server/powerjob-server-core/src/main/java/tech/powerjob/server/core/service/AppInfoService.java index ff2fffaf..b4a19adc 100644 
--- a/powerjob-server/powerjob-server-core/src/main/java/tech/powerjob/server/core/service/AppInfoService.java +++ b/powerjob-server/powerjob-server-core/src/main/java/tech/powerjob/server/core/service/AppInfoService.java @@ -20,7 +20,7 @@ public interface AppInfoService { */ Long assertApp(String appName, String password); - Long assertAppWithEncryptedPassword(String appName, String encryptedPassword); + Optional findByAppName(String appName); /** * 获取 AppInfo(带缓存) diff --git a/powerjob-server/powerjob-server-core/src/main/java/tech/powerjob/server/core/service/impl/AppInfoServiceImpl.java b/powerjob-server/powerjob-server-core/src/main/java/tech/powerjob/server/core/service/impl/AppInfoServiceImpl.java index df715075..f94d995f 100644 --- a/powerjob-server/powerjob-server-core/src/main/java/tech/powerjob/server/core/service/impl/AppInfoServiceImpl.java +++ b/powerjob-server/powerjob-server-core/src/main/java/tech/powerjob/server/core/service/impl/AppInfoServiceImpl.java @@ -6,7 +6,6 @@ import lombok.RequiredArgsConstructor; import lombok.extern.slf4j.Slf4j; import org.springframework.stereotype.Service; import tech.powerjob.common.exception.PowerJobException; -import tech.powerjob.common.utils.DigestUtils; import tech.powerjob.server.core.service.AppInfoService; import tech.powerjob.server.persistence.remote.model.AppInfoDO; import tech.powerjob.server.persistence.remote.repository.AppInfoRepository; 
@@ -51,12 +50,8 @@ public class AppInfoServiceImpl implements AppInfoService { } @Override - public Long assertAppWithEncryptedPassword(String appName, String encryptedPassword) { - AppInfoDO appInfo = appInfoRepository.findByAppName(appName).orElseThrow(() -> new PowerJobException("can't find appInfo by appName: " + appName)); - if (Objects.equals(DigestUtils.md5(appInfo.getPassword()), encryptedPassword)) { - return appInfo.getId(); - } - throw new PowerJobException("password error!"); + public Optional findByAppName(String appName) { + return appInfoRepository.findByAppName(appName); } @Override diff --git a/powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/auth/service/impl/WebAuthServiceImpl.java b/powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/auth/service/impl/WebAuthServiceImpl.java index d43cd651..42f6def9 100644 --- a/powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/auth/service/impl/WebAuthServiceImpl.java +++ b/powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/auth/service/impl/WebAuthServiceImpl.java @@ -8,7 +8,7 @@ import org.springframework.stereotype.Service; import tech.powerjob.common.serialize.JsonUtils; import tech.powerjob.server.auth.*; import tech.powerjob.server.auth.common.AuthConstants; -import tech.powerjob.server.auth.common.AuthErrorCode; +import tech.powerjob.common.enums.ErrorCodes; import tech.powerjob.server.auth.common.PowerJobAuthException; import tech.powerjob.server.auth.service.WebAuthService; import tech.powerjob.server.auth.service.permission.PowerJobPermissionService; 
@@ -35,7 +35,7 @@ public class WebAuthServiceImpl implements WebAuthService { public void grantRole2LoginUser(RoleScope roleScope, Long target, Role role, String extra) { Long userId = LoginUserHolder.getUserId(); if (userId == null) { - throw new PowerJobAuthException(AuthErrorCode.USER_NOT_LOGIN); + throw new PowerJobAuthException(ErrorCodes.USER_NOT_LOGIN); } powerJobPermissionService.grantRole(roleScope, target, userId, role, extra); } @@ -82,7 +82,7 @@ public class WebAuthServiceImpl implements WebAuthService { PowerJobUser powerJobUser = LoginUserHolder.get(); if (powerJobUser == null) { - throw new PowerJobAuthException(AuthErrorCode.USER_NOT_LOGIN); + throw new PowerJobAuthException(ErrorCodes.USER_NOT_LOGIN); } // 展示不考虑穿透权限的问题(即拥有 namespace 权限也可以看到全部的 apps) diff --git a/powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/config/WebConfig.java b/powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/config/WebConfig.java index 28427a0e..b16f2017 100644 --- a/powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/config/WebConfig.java +++ b/powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/config/WebConfig.java @@ -7,7 +7,9 @@ import org.springframework.web.servlet.config.annotation.InterceptorRegistry; import org.springframework.web.servlet.config.annotation.WebMvcConfigurer; import org.springframework.web.socket.config.annotation.EnableWebSocket; import org.springframework.web.socket.server.standard.ServerEndpointExporter; +import tech.powerjob.common.OpenAPIConstant; import tech.powerjob.server.auth.interceptor.PowerJobAuthInterceptor; +import tech.powerjob.server.openapi.OpenApiInterceptor; import javax.annotation.Resource; 
@@ -21,6 +23,8 @@ import javax.annotation.Resource; @EnableWebSocket public class WebConfig implements WebMvcConfigurer { + @Resource + private OpenApiInterceptor openApiInterceptor; @Resource private PowerJobAuthInterceptor powerJobAuthInterceptor; @@ -48,5 +52,9 @@ public class WebConfig implements WebMvcConfigurer { .addPathPatterns("/**") .excludePathPatterns("/css/**", "/js/**", "/images/**", "/img/**", "/fonts/**", "/favicon.ico") .order(0); + + registry.addInterceptor(openApiInterceptor) + .addPathPatterns(OpenAPIConstant.WEB_PATH.concat("/**")) + .order(1); } } diff --git a/powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/openapi/OpenAPIController.java b/powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/openapi/OpenAPIController.java index d3e94324..157ce224 100644 --- a/powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/openapi/OpenAPIController.java +++ b/powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/openapi/OpenAPIController.java @@ -1,12 +1,16 @@ package tech.powerjob.server.openapi; import lombok.RequiredArgsConstructor; +import lombok.extern.slf4j.Slf4j; +import org.apache.commons.lang3.exception.ExceptionUtils; import org.springframework.web.bind.annotation.*; import tech.powerjob.client.module.AppAuthRequest; import tech.powerjob.client.module.AppAuthResult; import tech.powerjob.common.OpenAPIConstant; import tech.powerjob.common.PowerQuery; +import tech.powerjob.common.enums.ErrorCodes; import tech.powerjob.common.enums.InstanceStatus; +import tech.powerjob.common.exception.PowerJobException; import tech.powerjob.common.request.http.SaveJobInfoRequest; import tech.powerjob.common.request.http.SaveWorkflowNodeRequest; import tech.powerjob.common.request.http.SaveWorkflowRequest; @@ -31,6 +35,7 @@ import java.util.List; * @author tjq * @since 2020/4/15 */ +@Slf4j @RestController @RequestMapping(OpenAPIConstant.WEB_PATH) @RequiredArgsConstructor 
@@ -63,7 +68,20 @@ public class OpenAPIController { */ @PostMapping(OpenAPIConstant.AUTH_APP) public PowerResultDTO auth(@RequestBody AppAuthRequest appAuthRequest) { - return PowerResultDTO.s(openApiSecurityService.authAppByParam(appAuthRequest)); + try { + return PowerResultDTO.s(openApiSecurityService.authAppByParam(appAuthRequest)); + } catch (PowerJobException pje) { + PowerResultDTO f = PowerResultDTO.f(pje.getMessage()); + f.setCode(pje.getCode()); + return f; + } catch (Throwable t) { + + log.error("[OpenAPIController] auth failed for request: {}", appAuthRequest, t); + + PowerResultDTO f = PowerResultDTO.f(ExceptionUtils.getMessage(t)); + f.setCode(ErrorCodes.SYSTEM_UNKNOWN_ERROR.getCode()); + return f; + } } /* ************* Job 区 ************* */ diff --git a/powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/openapi/OpenApiInterceptor.java b/powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/openapi/OpenApiInterceptor.java index 18909450..3622f3c2 100644 --- a/powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/openapi/OpenApiInterceptor.java +++ b/powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/openapi/OpenApiInterceptor.java @@ -1,15 +1,20 @@ package tech.powerjob.server.openapi; +import lombok.SneakyThrows; import lombok.extern.slf4j.Slf4j; import org.springframework.beans.factory.annotation.Value; import org.springframework.lang.NonNull; import org.springframework.stereotype.Component; import org.springframework.web.servlet.HandlerInterceptor; +import tech.powerjob.common.exception.PowerJobException; +import tech.powerjob.common.response.PowerResultDTO; +import tech.powerjob.common.serialize.JsonUtils; import tech.powerjob.server.openapi.security.OpenApiSecurityService; import javax.annotation.Resource; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import java.io.PrintWriter; /** * OpenAPI 拦截器 
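Review bot: `log.error("[OpenAPIController] auth failed for request: {}", appAuthRequest, t)` writes the whole AppAuthRequest into the server log, which includes `encryptedPassword` if the class's toString covers it (a Lombok @ToString would); the OpenApiSecurityServiceImpl hunk in this change shows that value is compared directly against `md5(appInfo.getPassword())` and then embedded in the issued JWT, so it is a replayable credential rather than a derived secret. Log only the app name: `log.error("[OpenAPIController] auth failed for appName: {}", appAuthRequest == null ? null : appAuthRequest.getAppName(), t);`. The `catch (PowerJobException pje)` branch duplicates the `PowerResultDTO.f(PowerJobException)` factory added in this same commit and can collapse to `return PowerResultDTO.f(pje);`.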
@@ -38,9 +43,33 @@ public class OpenApiInterceptor implements HandlerInterceptor { return true; } - openApiSecurityService.authAppByToken(request); + try { + openApiSecurityService.authAppByToken(request); + } catch (PowerJobException pje) { + PowerResultDTO ret = PowerResultDTO.f(pje); + writeResponse(JsonUtils.toJSONString(ret), response); + return false; + } catch (Exception e) { + PowerResultDTO ret = PowerResultDTO.f(e); + writeResponse(JsonUtils.toJSONString(ret), response); + return false; + } return true; } + @SneakyThrows + private void writeResponse(String content, HttpServletResponse response) { + // 设置响应状态码,通常是 400, 401, 403 等错误码 + response.setStatus(HttpServletResponse.SC_FORBIDDEN); + + // 设置响应的 Content-Type + response.setContentType("application/json;charset=UTF-8"); + + // 将 JSON 写入响应 + PrintWriter writer = response.getWriter(); + writer.write(content); + writer.flush(); + } + } diff --git a/powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/openapi/security/OpenApiSecurityServiceImpl.java b/powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/openapi/security/OpenApiSecurityServiceImpl.java index bfb31e98..26264edc 100644 --- a/powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/openapi/security/OpenApiSecurityServiceImpl.java +++ b/powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/openapi/security/OpenApiSecurityServiceImpl.java 
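Review bot: The `catch (Exception e)` branch serializes `PowerResultDTO.f(e)`, which per the PowerResultDTO hunk in this change carries the full stack trace in its message, so any unexpected failure inside `authAppByToken` — including a malformed or tampered token that the JWT library rejects with its own exception type — returns server internals to an unauthenticated caller. Replace it with a server-side log plus a generic body, e.g. `log.warn("[OpenApiInterceptor] authAppByToken failed", e); PowerResultDTO ret = PowerResultDTO.f(ErrorCodes.SYSTEM_UNKNOWN_ERROR.getMsg()); ret.setCode(ErrorCodes.SYSTEM_UNKNOWN_ERROR.getCode());` (the class imports @Slf4j so `log` should be available; ErrorCodes would need importing). `writeResponse` also answers 403 for every failure although a missing or invalid token is a 401 and an internal error a 500; passing the status in as a parameter keeps clients' retry logic honest. The `return true;` at the top of the hunk sits before the try, so its guard (presumably the auth-disable switch read via @Value) starts outside this hunk.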
@@ -8,17 +8,19 @@ import org.springframework.stereotype.Service; import tech.powerjob.client.module.AppAuthRequest; import tech.powerjob.client.module.AppAuthResult; import tech.powerjob.common.OpenAPIConstant; -import tech.powerjob.server.auth.common.AuthErrorCode; +import tech.powerjob.common.exception.PowerJobException; +import tech.powerjob.common.utils.DigestUtils; +import tech.powerjob.common.enums.ErrorCodes; import tech.powerjob.server.auth.common.PowerJobAuthException; import tech.powerjob.server.auth.common.utils.HttpServletUtils; import tech.powerjob.server.auth.jwt.JwtService; -import tech.powerjob.common.utils.DigestUtils; import tech.powerjob.server.core.service.AppInfoService; import tech.powerjob.server.persistence.remote.model.AppInfoDO; import javax.annotation.Resource; import javax.servlet.http.HttpServletRequest; import java.util.Map; +import java.util.Objects; import java.util.Optional; /** @@ -46,11 +48,11 @@ public class OpenApiSecurityServiceImpl implements OpenApiSecurityService { String appIdFromHeader = HttpServletUtils.fetchFromHeader(OpenAPIConstant.HEADER_APP_ID, httpServletRequest); if (StringUtils.isEmpty(appIdFromHeader)) { - throw new IllegalArgumentException("can't find appId in HTTP header"); + throw new PowerJobException(ErrorCodes.INVALID_REQUEST, "lack_of_appId_in_header"); } if (StringUtils.isEmpty(token)) { - throw new PowerJobAuthException(AuthErrorCode.OPEN_API_AUTH_FAILED); + throw new PowerJobException(ErrorCodes.OPEN_API_AUTH_FAILED, "token_is_empty"); } Map jwtResult = jwtService.parse(token, null); 
@@ -60,18 +62,18 @@ public class OpenApiSecurityServiceImpl implements OpenApiSecurityService { // 校验 appId 一致性 if (!StringUtils.equals(appIdFromHeader, String.valueOf(appIdFromJwt))) { - throw new IllegalArgumentException("Inconsistent appId from header and token"); + throw new PowerJobException(ErrorCodes.INVALID_REQUEST, "Inconsistent_appId_from_token_and_header"); } // 此处不考虑改密码后的缓存时间,毕竟只要改了密码,一定会报错。换言之 OpenAPI 模式下,密码不可更改 Optional appInfoOpt = appInfoService.findByIdWithCache(appIdFromJwt); if (!appInfoOpt.isPresent()) { - throw new IllegalArgumentException("can't find app by appId: " + appIdFromJwt); + throw new PowerJobException(ErrorCodes.INVALID_APP, "can_not_find_app"); } String dbOriginPassword = appInfoOpt.get().getPassword(); if (!StringUtils.equals(passwordFromJwt, DigestUtils.md5(dbOriginPassword))) { - throw new PowerJobAuthException(AuthErrorCode.OPEN_API_AUTH_FAILED); + throw new PowerJobException(ErrorCodes.OPEN_API_PASSWORD_ERROR, "password_compare_failed"); } } 
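Review bot: `StringUtils.equals(passwordFromJwt, DigestUtils.md5(dbOriginPassword))` checks the credential digest with an early-exit string compare, which leaks the length of the matching prefix through timing; use `MessageDigest.isEqual(passwordFromJwt.getBytes(StandardCharsets.UTF_8), DigestUtils.md5(dbOriginPassword).getBytes(StandardCharsets.UTF_8))` behind a null guard on passwordFromJwt in case the claim is absent. This compare is the only secret check on the token path and the value it checks is the bare MD5 of the stored app password, so anyone holding a token — or the digest from a log line — can keep calling the API until the app password changes, unless jwtService enforces an expiry that this diff does not show; the comment about passwords being immutable in OpenAPI mode should spell out that consequence. The method's signature and the JWT parsing that produces `passwordFromJwt` and `appIdFromJwt` start above this hunk.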
@@ -82,15 +84,25 @@ public class OpenApiSecurityServiceImpl implements OpenApiSecurityService { String appName = appAuthRequest.getAppName(); String encryptedPassword = appAuthRequest.getEncryptedPassword(); - Long appId = appInfoService.assertAppWithEncryptedPassword(appName, encryptedPassword); + Optional appInfoOpt = appInfoService.findByAppName(appName); + if (!appInfoOpt.isPresent()) { + throw new PowerJobAuthException(ErrorCodes.INVALID_APP); + } + + AppInfoDO appInfo = appInfoOpt.get(); + + // 密码验证失败 + if (!Objects.equals(DigestUtils.md5(appInfo.getPassword()), encryptedPassword)) { + throw new PowerJobAuthException(ErrorCodes.OPEN_API_PASSWORD_ERROR); + } Map jwtBody = Maps.newHashMap(); - jwtBody.put(JWT_KEY_APP_ID, appId); + jwtBody.put(JWT_KEY_APP_ID, appInfo.getId()); jwtBody.put(JWT_KEY_APP_PASSWORD, encryptedPassword); AppAuthResult appAuthResult = new AppAuthResult(); - appAuthResult.setAppId(appId); + appAuthResult.setAppId(appInfo.getId()); appAuthResult.setToken(jwtService.build(jwtBody, null)); return appAuthResult; diff --git a/powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/web/controller/AppInfoController.java b/powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/web/controller/AppInfoController.java index 29d124c8..27b6dd91 100644 --- a/powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/web/controller/AppInfoController.java +++ b/powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/web/controller/AppInfoController.java 
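Review bot: Throwing INVALID_APP when the app name is unknown but OPEN_API_PASSWORD_ERROR when it exists and the digest mismatches turns the (presumably unauthenticated) `auth` endpoint into an app-name enumeration oracle, since OpenAPIController surfaces the code to the caller. Throw the same failure on both paths — `throw new PowerJobAuthException(ErrorCodes.OPEN_API_AUTH_FAILED);` in each branch, with the real reason logged at debug — and replace `Objects.equals(DigestUtils.md5(appInfo.getPassword()), encryptedPassword)` with `MessageDigest.isEqual` on UTF-8 bytes so the digest compare is constant-time. The issued JWT also carries `encryptedPassword` itself under JWT_KEY_APP_PASSWORD; if JwtService signs rather than encrypts, the password digest is readable by anyone who sees the token, so a server-side token id or the app id plus a password version would keep the credential out of the claims. Whether the token expires depends on what `jwtService.build(jwtBody, null)` does with the null argument, which this diff does not show.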
@@ -22,7 +22,7 @@ import tech.powerjob.server.auth.Permission; import tech.powerjob.server.auth.Role; import tech.powerjob.server.auth.RoleScope; import tech.powerjob.server.auth.common.AuthConstants; -import tech.powerjob.server.auth.common.AuthErrorCode; +import tech.powerjob.common.enums.ErrorCodes; import tech.powerjob.server.auth.common.PowerJobAuthException; import tech.powerjob.server.auth.interceptor.ApiPermission; import tech.powerjob.server.auth.plugin.ModifyOrCreateDynamicPermission; @@ -193,7 +193,7 @@ public class AppInfoController { throw new IllegalArgumentException("can't find app by appName: " + appName); } if (!StringUtils.equals(appInfoOpt.get().getPassword(), appAssertRequest.getPassword())) { - throw new PowerJobAuthException(AuthErrorCode.INCORRECT_PASSWORD); + throw new PowerJobAuthException(ErrorCodes.INCORRECT_PASSWORD); } Map extra = Maps.newHashMap(); diff --git a/powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/web/controller/UserInfoController.java b/powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/web/controller/UserInfoController.java index 53114259..1410f183 100644 --- a/powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/web/controller/UserInfoController.java +++ b/powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/web/controller/UserInfoController.java @@ -15,7 +15,7 @@ import tech.powerjob.server.auth.Permission; import tech.powerjob.server.auth.PowerJobUser; import tech.powerjob.server.auth.Role; import tech.powerjob.server.auth.RoleScope; -import tech.powerjob.server.auth.common.AuthErrorCode; +import tech.powerjob.common.enums.ErrorCodes; import tech.powerjob.server.auth.common.PowerJobAuthException; import tech.powerjob.server.auth.interceptor.ApiPermission; import tech.powerjob.server.auth.service.WebAuthService; 
@@ -133,7 +133,7 @@ public class UserInfoController { public ResultDTO getUserDetail(HttpServletRequest httpServletRequest) { Optional powerJobUserOpt = powerJobLoginService.ifLogin(httpServletRequest); if (!powerJobUserOpt.isPresent()) { - throw new PowerJobAuthException(AuthErrorCode.USER_NOT_LOGIN); + throw new PowerJobAuthException(ErrorCodes.USER_NOT_LOGIN); } Optional userinfoDoOpt = userInfoRepository.findById(powerJobUserOpt.get().getId()); if (!userinfoDoOpt.isPresent()) { @@ -226,7 +226,7 @@ public class UserInfoController { private void checkModifyUserPermission(Long uid, HttpServletRequest httpServletRequest) { Optional powerJobUserOpt = powerJobLoginService.ifLogin(httpServletRequest); if (!powerJobUserOpt.isPresent()) { - throw new PowerJobAuthException(AuthErrorCode.USER_NOT_LOGIN); + throw new PowerJobAuthException(ErrorCodes.USER_NOT_LOGIN); } PowerJobUser currentLoginUser = powerJobUserOpt.get(); diff --git a/powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/web/service/impl/PwjbUserWebServiceImplImpl.java b/powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/web/service/impl/PwjbUserWebServiceImplImpl.java index 0aa193b1..356ff200 100644 --- a/powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/web/service/impl/PwjbUserWebServiceImplImpl.java +++ b/powerjob-server/powerjob-server-starter/src/main/java/tech/powerjob/server/web/service/impl/PwjbUserWebServiceImplImpl.java @@ -6,7 +6,7 @@ import org.apache.commons.lang3.StringUtils; import org.springframework.stereotype.Service; import tech.powerjob.common.serialize.JsonUtils; import tech.powerjob.common.utils.CommonUtils; -import tech.powerjob.server.auth.common.AuthErrorCode; +import tech.powerjob.common.enums.ErrorCodes; import tech.powerjob.server.auth.common.PowerJobAuthException; import tech.powerjob.common.utils.DigestUtils; import tech.powerjob.server.persistence.remote.model.PwjbUserInfoDO; 
@@ -84,7 +84,7 @@ public class PwjbUserWebServiceImplImpl implements PwjbUserWebService { String oldPasswordInDb = dbUser.getPassword(); String oldPasswordInReq = DigestUtils.rePassword(changePasswordRequest.getOldPassword(), dbUser.getUsername()); if (!StringUtils.equals(oldPasswordInDb, oldPasswordInReq)) { - throw new PowerJobAuthException(AuthErrorCode.INCORRECT_PASSWORD); + throw new PowerJobAuthException(ErrorCodes.INCORRECT_PASSWORD); } // 测试账号特殊处理