diff --git a/src/Meezi.Admin.API/Services/AdminAuthService.cs b/src/Meezi.Admin.API/Services/AdminAuthService.cs
index 430b91c..ec21b01 100644
--- a/src/Meezi.Admin.API/Services/AdminAuthService.cs
+++ b/src/Meezi.Admin.API/Services/AdminAuthService.cs
@@ -77,7 +77,10 @@ public class AdminAuthService : IAdminAuthService
 var redis = _redis.GetDatabase();
 var maxAttempts = _configuration.GetValue("Auth:MaxOtpAttemptsPerHour", DefaultMaxOtpAttemptsPerHour);
- var attemptsKey = $"otp:admin:{phone}";
+ // MUST differ from the OTP value key ($"otp:admin:{phone}") — sharing one
+ // key made the rate-limit INCR overwrite the stored OTP (337835 → 337836),
+ // so every admin OTP verification failed. Mirror the main API's split keys.
+ var attemptsKey = $"otp:admin:attempts:{phone}";
 if (maxAttempts > 0)
 {
 var attempts = await redis.StringGetAsync(attemptsKey);
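Review bot: The rate-limit check at the end of the hunk is a read-then-increment: `StringGetAsync(attemptsKey)` reads the counter here, and the INCR the new comment refers to presumably runs later in the method, so concurrent verification requests for the same phone can all observe a value below `maxAttempts` before any of them increments, making the limit advisory under a parallel brute-force of the OTP. Redis INCR is atomic, so the safer shape is to count first and compare second — `var attempts = await redis.StringIncrementAsync(attemptsKey);`, `if (attempts == 1) await redis.KeyExpireAsync(attemptsKey, TimeSpan.FromHours(1));`, then reject when `attempts > maxAttempts` — which also ties the window's TTL to the first attempt rather than to a later write. The increment and the rejection branch are outside this hunk and the method continues past it, so this should be confirmed against the rest of the body. Separately, the two key formats are now hand-maintained string literals that must stay distinct from each other and aligned with the main API; a shared builder such as `private static string OtpAttemptsKey(string phone) => $"otp:admin:attempts:{phone}";` placed beside the OTP-value key builder would make a repeat of this collision a compile-time rather than a runtime discovery.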