diff --git a/src/services/apiKeyService.js b/src/services/apiKeyService.js index 64f1de6a..a7832731 100644 --- a/src/services/apiKeyService.js +++ b/src/services/apiKeyService.js @@ -126,6 +126,20 @@ class ApiKeyService { return { valid: false, error: 'API key has expired' } } + // 如果API Key属于某个用户,检查用户是否被禁用 + if (keyData.userId) { + try { + const userService = require('./userService') + const user = await userService.getUserById(keyData.userId, false) + if (!user || !user.isActive) { + return { valid: false, error: 'User account is disabled' } + } + } catch (error) { + logger.error('❌ Error checking user status during API key validation:', error) + return { valid: false, error: 'Unable to validate user status' } + } + } + // 获取使用统计(供返回数据使用) const usage = await redis.getUsageStats(keyData.id) diff --git a/src/services/userService.js b/src/services/userService.js index 3ee4303e..601d6419 100644 --- a/src/services/userService.js +++ b/src/services/userService.js @@ -259,9 +259,18 @@ class UserService { await redis.set(`${this.userPrefix}${userId}`, JSON.stringify(user)) logger.info(`🔄 Updated user status: ${user.username} -> ${isActive ? 'active' : 'disabled'}`) - // 如果禁用用户,删除所有会话 + // 如果禁用用户,删除所有会话并禁用其所有API Keys if (!isActive) { await this.invalidateUserSessions(userId) + + // Disable all user's API keys when user is disabled + try { + const apiKeyService = require('./apiKeyService') + const result = await apiKeyService.disableUserApiKeys(userId) + logger.info(`🔑 Disabled ${result.count} API keys for disabled user: ${user.username}`) + } catch (error) { + logger.error('❌ Error disabling user API keys during user disable:', error) + } } return user 
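Review bot: The catch branch of the new user-status check rejects the key when the lookup throws, and that fail-closed choice is undocumented; a comment such as `// Fail closed: if the owner's status cannot be read, reject the key instead of honouring a possibly disabled account` above the second `return` would keep a later edit from turning it into a pass-through. The bare `false` passed to `getUserById(keyData.userId, false)` is opaque from here, so a short comment should name what it switches off. `!user.isActive` also rejects records where the field is missing, which is the safe direction but worth stating if older user records can lack it (not visible in this hunk). The function-scope `require('./userService')` presumably avoids a load-time cycle, since userService.js requires `./apiKeyService` in this same commit; a comment should say so. The enclosing method starts and ends outside the hunk.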
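Review bot: If `disableUserApiKeys` throws inside the `!isActive` branch, the error is only logged and the method still returns the user as though the disable had fully applied, and the log line does not say which account was affected. Interpolate `userId` into the `logger.error` message, and consider surfacing the partial failure to the caller so an operator can retry it. The validation-time check added in apiKeyService.js should still refuse those keys while the user record is inactive, but any code path that trusts a key's own status without that check (if one exists) would treat them as live. The identical try/catch in the `@@ -420` hunk has the same two issues; a single private helper taking `userId` and a reason string would keep the two copies from drifting.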
@@ -420,6 +429,15 @@ class UserService { // 删除所有会话 await this.invalidateUserSessions(userId) + // Disable all user's API keys when user is deleted + try { + const apiKeyService = require('./apiKeyService') + const result = await apiKeyService.disableUserApiKeys(userId) + logger.info(`🔑 Disabled ${result.count} API keys for deleted user: ${user.username}`) + } catch (error) { + logger.error('❌ Error disabling user API keys during user deletion:', error) + } + logger.info(`🗑️ Soft deleted user: ${user.username} (${userId})`) return user } catch (error) {
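Review bot: On the deletion path this best-effort call may be the only thing that stops the user's keys from validating. Whether a soft-deleted record fails the `!user || !user.isActive` test added in apiKeyService.js depends on what the soft delete writes and what `getUserById` returns for it, neither of which is visible here. If the deleted record can still come back with `isActive` true, a failure swallowed by this catch leaves the keys usable while the following `logger.info` reports a successful soft delete. Confirm that the soft delete clears `isActive` (or that the lookup returns null), or let the error propagate to the outer `catch` instead of logging and continuing. The enclosing method starts outside the hunk and its outer `catch` body continues past it.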