diff --git a/src/Fengling.AuthService/README.md b/src/Fengling.AuthService/README.md new file mode 100644 index 0000000..dadefbc --- /dev/null +++ b/src/Fengling.AuthService/README.md @@ -0,0 +1,61 @@ +# Fengling Auth Service + +Authentication and authorization service using OpenIddict. + +## Features + +- JWT token issuance +- OAuth2/OIDC support +- Multi-tenant support (TenantId in JWT claims) +- Role-based access control (RBAC) +- Health check endpoint + +## API Endpoints + +### Get Token +``` +POST /connect/token +Content-Type: application/x-www-form-urlencoded + +grant_type=password +username={username} +password={password} +scope=api offline_access +``` + +### Health Check +``` +GET /health +``` + +## Default Users + +- **Admin**: username=admin, password=Admin@123, role=Admin +- **Test User**: username=testuser, password=Test@123, role=User + +## Running Locally + +```bash +dotnet run +``` + +Service runs on port 5000. + +## Docker + +```bash +docker build -t fengling-auth:latest . +docker run -p 5000:80 fengling-auth:latest +``` + +## Environment Variables + +- `ConnectionStrings__DefaultConnection`: PostgreSQL connection string +- `OpenIddict__Issuer`: Token issuer URL +- `OpenIddict__Audience`: Token audience + +## Database + +- PostgreSQL +- Uses ASP.NET Core Identity for user/role management +- Tenant isolation via `TenantId` column
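Review bot: The "Default Users" section of the new README publishes fixed credentials for a privileged account (`username=admin, password=Admin@123, role=Admin`) and a test user, with nothing limiting them to development use. If the service seeds these accounts in every environment, any deployment that does not change them exposes an Admin login through `POST /connect/token`. Suggest seeding them only in a Development environment, or taking the initial admin password from configuration alongside the variables already listed under "Environment Variables", and stating in the README that the values must be changed before the service is reachable by others. Separately, the "Get Token" example documents `grant_type=password` with no client authentication shown. The OAuth 2.0 Security Best Current Practice (RFC 9700) says the resource owner password credentials grant must not be used, so it would help to state which first-party clients this is meant for, or to document an authorization code flow with PKCE instead. The example body also lists the parameters on separate lines, whereas an `application/x-www-form-urlencoded` request joins them with `&`. A note that this is a layout for readability would stop readers from copying it verbatim.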