diff --git a/gateway/src/IntegrationGateway.Adapters.Kms/KmsAuthHelper.cs b/gateway/src/IntegrationGateway.Adapters.Kms/KmsAuthHelper.cs
new file mode 100644
index 0000000..8f39c9c
--- /dev/null
+++ b/gateway/src/IntegrationGateway.Adapters.Kms/KmsAuthHelper.cs
@@ -0,0 +1,70 @@
+using System.Net.Http.Json;
+using System.Text.Json;
+
+namespace IntegrationGateway.Adapters.Kms;
+
+///
+/// KMS Bearer Token 认证辅助。
+/// 认证流程: POST /prod-api/getToken?clientId=x&clientSecret=y → { code:200, token:"xxx" }
+/// Token 缓存 25 分钟(KMS 有效期 30 分钟,留 5 分钟余量)。
+///
+public class KmsAuthHelper
+{
+ private readonly HttpClient _http;
+ private readonly string _baseUrl;
+ private readonly string _clientId;
+ private readonly string _clientSecret;
+ private string? _token;
+ private DateTime _tokenExpiry = DateTime.MinValue;
+
+ ///
+ /// 创建 KMS 认证辅助
+ ///
+ /// HttpClient 实例
+ /// KMS 服务地址
+ /// KMS 客户端 ID
+ /// KMS 客户端密钥
+ public KmsAuthHelper(HttpClient http, string baseUrl, string clientId, string clientSecret)
+ {
+ _http = http;
+ _baseUrl = baseUrl.TrimEnd('/');
+ _clientId = clientId;
+ _clientSecret = clientSecret;
+ }
+
+ ///
+ /// 获取有效的 Bearer Token。缓存有效则直接返回,否则重新获取。
+ ///
+ public async Task GetTokenAsync()
+ {
+ if (!string.IsNullOrEmpty(_token) && DateTime.UtcNow < _tokenExpiry)
+ return _token;
+
+ var url = $"{_baseUrl}/prod-api/getToken?clientId={Uri.EscapeDataString(_clientId)}&clientSecret={Uri.EscapeDataString(_clientSecret)}";
+ var resp = await _http.PostAsync(url, null);
+ resp.EnsureSuccessStatusCode();
+
+ var result = await resp.Content.ReadFromJsonAsync()
+ ?? throw new Exception("KMS Token 响应为空");
+ if (result.Code != 200)
+ throw new Exception($"KMS 认证失败: code={result.Code}");
+
+ _token = result.Token;
+ _tokenExpiry = DateTime.UtcNow.AddMinutes(25);
+ return _token;
+ }
+
+ ///
+ /// 创建一个已认证的 HttpClient,自动附带 Authorization: Bearer 头。
+ ///
+ public async Task GetAuthenticatedClientAsync()
+ {
+ var token = await GetTokenAsync();
+ var client = new HttpClient { BaseAddress = new Uri(_baseUrl) };
+ client.DefaultRequestHeaders.Add("Authorization", $"Bearer {token}");
+ return client;
+ }
+
+ /// 强制清除缓存的 Token,下次调用 GetTokenAsync 将重新登录
+ public void Invalidate() => _token = null;
+}
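Review bot: `GetAuthenticatedClientAsync` builds a fresh `HttpClient` on every call instead of reusing the injected `_http`, so whatever handler configuration that client carries (TLS validation, timeouts, proxy) is bypassed for the authenticated calls, each caller is left holding an undisposed client, and the token baked into `DefaultRequestHeaders` is never refreshed once the 25-minute cache set in `GetTokenAsync` lapses. Prefer attaching the header per request on the shared client, e.g. `request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", await GetTokenAsync());`, or at minimum document that the returned client must be disposed and is only valid for the lifetime of the token it was created with. The `getToken` call sends `clientSecret` in the query string, which appears to be the KMS contract, but it means the secret lands in any proxy or access log that records request URLs, so outbound HTTP logging in the gateway should redact that URL, and the constructor should refuse a non-TLS endpoint, e.g. `if (!_baseUrl.StartsWith("https://", StringComparison.OrdinalIgnoreCase)) throw new ArgumentException("KMS baseUrl must use https", nameof(baseUrl));`, so the secret never travels in clear text (hedged: drop this if an internal plain-HTTP KMS is deliberate). The cache is also unsynchronized: `Invalidate()` racing with `GetTokenAsync` between the `IsNullOrEmpty` check and `return _token` can hand a caller a null token, and concurrent cold callers will each log in; a `SemaphoreSlim` around the refresh, or returning a local copy of the token, would close both gaps.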