diff --git a/license/crypto.go b/license/crypto.go
index a99ac0d..ea8adec 100644
--- a/license/crypto.go
+++ b/license/crypto.go
@@ -8,6 +8,7 @@ import (
 	"crypto/x509"
 	"encoding/asn1"
 	"encoding/base64"
+	"encoding/pem"
 	"license-server/storage"
 	"math/big"
 )
@@ -70,3 +71,10 @@ func VerifySignature(pub *ecdsa.PublicKey, message []byte, signatureBase64 strin
 func GetPublicKey() *ecdsa.PublicKey {
 	return &privateKey.PublicKey
 }
+
+// ExportPublicKeyPEM 返回 PEM 格式（方便给前端或 CLI 闪存）
+func ExportPublicKeyPEM() string {
+	der, _ := x509.MarshalPKIXPublicKey(&privateKey.PublicKey)
+	pemBlock := &pem.Block{Type: "PUBLIC KEY", Bytes: der}
+	return string(pem.EncodeToMemory(pemBlock))
+}
diff --git a/main.go b/main.go
index f76ddbd..fba58a3 100644
--- a/main.go
+++ b/main.go
@@ -3,6 +3,7 @@ package main
 import (
 	"license-server/license"
 	"license-server/storage"
+	"os"
 	"time"
 
 	"github.com/gofiber/fiber/v2"
@@ -21,6 +22,17 @@ func main() {
 		})
 	})
 
+	// --- 公钥只读接口 ---
+	app.Get("/api/license/public-key", func(c *fiber.Ctx) error {
+		return c.JSON(fiber.Map{
+			"public_key_pem": license.ExportPublicKeyPEM(),
+		})
+	})
+
+	// （可选）启动时把公钥写文件，便于手工分发
+	_ = os.WriteFile("/root/database/public_key.pem",
+		[]byte(license.ExportPublicKeyPEM()), 0644)
+
 	app.Post("/api/license/generate", license.GenerateLicenseHandler(db))
 	app.Post("/api/license/activate", license.ActivateLicenseHandler(db))
 	app.Post("/api/license/validate", license.ValidateLicenseHandler(db))