diff --git a/api/verification/send.go b/api/verification/send.go
index 8672474..69cacdd 100644
--- a/api/verification/send.go
+++ b/api/verification/send.go
@@ -43,6 +43,17 @@ func sendCode(x *vigo.X, req *SendRequest) (*SendResponse, error) {
 		req.Purpose = models.CodePurposeLogin
 	}
 
+	// 验证用途是否合法
+	validPurposes := map[string]bool{
+		models.CodePurposeRegister:      true,
+		models.CodePurposeLogin:         true,
+		models.CodePurposeResetPassword: true,
+		models.CodePurposeBind:          true,
+	}
+	if !validPurposes[req.Purpose] {
+		return nil, vigo.ErrInvalidArg.WithString("invalid purpose")
+	}
+
 	db := cfg.DB()
 
 	// 检查发送频率限制