diff --git a/app/Http/Controllers/Api/AuthController.php b/app/Http/Controllers/Api/AuthController.php
index c35cae4..44e9b92 100644
--- a/app/Http/Controllers/Api/AuthController.php
+++ b/app/Http/Controllers/Api/AuthController.php
@@ -104,7 +104,7 @@ class AuthController extends Controller
 $validated = $request->validate([
 'nickname' => ['required', 'string', 'max:255'],
 'email' => ['required', 'email', 'max:255', 'unique:users,email'],
- 'phone' => ['required', 'string', 'max:32', 'unique:users,phone'],
+ 'phone' => ['required', 'string', 'regex:/^1[3-9]\d{9}$/', 'unique:users,phone'],
 'password' => ['required', 'confirmed', Password::min(6)],
 ]);
 
diff --git a/tests/Feature/SsoApiTest.php b/tests/Feature/SsoApiTest.php
index 254a1e2..77c925e 100644
--- a/tests/Feature/SsoApiTest.php
+++ b/tests/Feature/SsoApiTest.php
@@ -4,6 +4,8 @@ namespace Tests\Feature;
 
 use App\Models\User;
 use Illuminate\Foundation\Testing\RefreshDatabase;
+use Spatie\Permission\Models\Permission;
+use Spatie\Permission\Models\Role;
 use Tests\TestCase;
 
 class SsoApiTest extends TestCase
@@ -13,10 +15,14 @@ class SsoApiTest extends TestCase
 public function test_user_can_login_and_get_jwt_token(): void
 {
 $password = 'secret123';
- User::factory()->create([
+ $user = User::factory()->create([
 'email' => 'admin@example.com',
 'password' => bcrypt($password),
 ]);
+ $role = Role::query()->create(['name' => 'tester', 'guard_name' => 'api']);
+ $permission = Permission::query()->create(['name' => 'platform.dashboard.view', 'guard_name' => 'api']);
+ $role->givePermissionTo($permission);
+ $user->assignRole($role);
 
 $response = $this->postJson('/auth/login', [
 'email' => 'admin@example.com',
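Review bot: The new `phone` pattern in the AuthController validation rules ends in `$`, which in PCRE also matches just before a final newline, so eleven valid digits followed by a line feed still pass the rule. `unique:users,phone` would then compare that value as a different string from the same number without the line feed, so the uniqueness check may not catch the duplicate. Anchoring the end absolutely closes this: `'regex:/^1[3-9]\d{9}\z/'` (or keep `$` and add the `D` modifier). Whether such input can reach the validator depends on string-trimming middleware that is not visible in this diff. The method containing these rules starts and ends outside the hunk.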
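Review bot: In `test_user_can_login_and_get_jwt_token` the user now has to hold the `platform.dashboard.view` permission on the `api` guard before the login assertion passes, presumably because login rejects accounts without it, yet nothing in the visible test changes exercises the refusal path. Without a negative case, a regression that issues tokens to users with no role would leave this suite green. A companion test along the lines below would pin that; the exact status and `code` the controller returns on refusal are not visible here, so that assertion is left to fill in. The test method's body continues past the end of this hunk.

```php
public function test_user_without_permission_cannot_get_jwt_token(): void
{
    $password = 'secret123';
    // Constructed sample account with no role or permission assigned.
    User::factory()->create([
        'email' => 'norole@example.com',
        'password' => bcrypt($password),
    ]);

    // Assumes the same payload shape as the existing login test; confirm against it.
    $response = $this->postJson('/auth/login', [
        'email' => 'norole@example.com',
        'password' => $password,
    ]);

    // Also assert the refusal status/code the controller actually returns.
    $this->assertNull($response->json('data.token'));
}
```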
@@ -28,4 +34,19 @@ class SsoApiTest extends TestCase
 ->assertJsonPath('code', 0)
 ->assertJsonStructure(['data' => ['token', 'type', 'expires_in']]);
 }
+
+ public function test_apply_account_validates_email_and_phone_format(): void
+ {
+ $response = $this->postJson('/auth/apply-account', [
+ 'nickname' => 'Tester',
+ 'email' => 'bad-email',
+ 'phone' => '12345',
+ 'password' => 'secret123',
+ 'password_confirmation' => 'secret123',
+ ]);
+
+ $response
+ ->assertStatus(422)
+ ->assertJsonValidationErrors(['email', 'phone']);
+ }
 }
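Review bot: `test_apply_account_validates_email_and_phone_format` rejects only a five-digit `phone`, which leaves the boundaries of the new pattern unpinned: length, leading digits and the end anchor are never exercised. Boundary values would catch a loosened or mis-anchored regex, for example `'phone' => '12345678901'` (right length, disallowed second digit) and `'phone' => '138001380001'` (one digit too long); both are constructed samples. A well-formed number that is expected to pass validation would also guard against the rule becoming too strict. Because `email` and `phone` are both invalid in the same request, splitting them into separate cases would make a failure point at the rule that broke.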