diff --git a/shenyu-admin/src/http/http-debug-app-auth-controller-api.http b/shenyu-admin/src/http/http-debug-app-auth-controller-api.http
index be9a97abbc01..2de236d9c1be 100644
--- a/shenyu-admin/src/http/http-debug-app-auth-controller-api.http
+++ b/shenyu-admin/src/http/http-debug-app-auth-controller-api.http
@@ -61,14 +61,14 @@ X-Access-Token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyTmFtZSI6ImFkbWluIiw
 }
 
 ### updateSk
-GET http://localhost:9095/appAuth/updateSk?appKey=123&appSecret=123
+POST http://localhost:9095/appAuth/updateSk
 Accept: application/json
 Content-Type: application/json
 X-Access-Token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VyTmFtZSI6ImFkbWluIiwiZXhwIjoxNjQ4NjUwMDg2fQ.aDeChT_Ey6FwYDdzSkc9ZLBHd5v-LVUZ6BPcYqJCo-Y
 
 {
-  "id": 123,
-  "name": "order"
+  "appKey": "123",
+  "appSecret": "123"
 }
 
 ### app auth list by page
diff --git a/shenyu-admin/src/main/java/org/apache/shenyu/admin/controller/AppAuthController.java b/shenyu-admin/src/main/java/org/apache/shenyu/admin/controller/AppAuthController.java
index d96d6839c7d0..ee2ab01cf2b6 100644
--- a/shenyu-admin/src/main/java/org/apache/shenyu/admin/controller/AppAuthController.java
+++ b/shenyu-admin/src/main/java/org/apache/shenyu/admin/controller/AppAuthController.java
@@ -26,6 +26,7 @@
 import org.apache.shenyu.admin.model.dto.AuthApplyDTO;
 import org.apache.shenyu.admin.model.dto.AuthPathWarpDTO;
 import org.apache.shenyu.admin.model.dto.BatchCommonDTO;
+import org.apache.shenyu.admin.model.dto.UpdateSkDTO;
 import org.apache.shenyu.admin.model.page.CommonPager;
 import org.apache.shenyu.admin.model.page.PageParameter;
 import org.apache.shenyu.admin.model.query.AppAuthQuery;
@@ -33,7 +34,6 @@
 import org.apache.shenyu.admin.model.vo.AppAuthVO;
 import org.apache.shenyu.admin.service.AppAuthService;
 import org.apache.shenyu.admin.service.PageService;
-import org.apache.shenyu.admin.service.provider.AppKeyProvider;
 import org.apache.shenyu.admin.utils.ShenyuResultMessage;
 import org.apache.shenyu.admin.validation.annotation.Existed;
 import org.apache.shiro.authz.annotation.RequiresPermissions;
@@ -78,16 +78,13 @@ public ShenyuAdminResult apply(@Valid @RequestBody final AuthApplyDTO authApplyD
     /**
      * Update sk of App auth.
      *
-     * @param appKey    the app key
-     * @param appSecret the app secret
+     * @param updateSkDTO the update sk dto
      * @return the shenyu result
      */
-    @GetMapping("/updateSk")
-    public ShenyuAdminResult updateSk(@RequestParam("appKey")
-                                      @Existed(message = "app key not existed",
-                                              provider = AppKeyProvider.class) final String appKey,
-                                      @RequestParam("appSecret") final String appSecret) {
-        return appAuthService.updateAppSecretByAppKey(appKey, appSecret);
+    @PostMapping("/updateSk")
+    @RequiresPermissions("system:authen:edit")
+    public ShenyuAdminResult updateSk(@Valid @RequestBody final UpdateSkDTO updateSkDTO) {
+        return appAuthService.updateAppSecretByAppKey(updateSkDTO.getAppKey(), updateSkDTO.getAppSecret());
     }
 
     /**
diff --git a/shenyu-admin/src/main/java/org/apache/shenyu/admin/controller/SandboxController.java b/shenyu-admin/src/main/java/org/apache/shenyu/admin/controller/SandboxController.java
index b717df6e6f51..a6854eb22ae7 100755
--- a/shenyu-admin/src/main/java/org/apache/shenyu/admin/controller/SandboxController.java
+++ b/shenyu-admin/src/main/java/org/apache/shenyu/admin/controller/SandboxController.java
@@ -20,6 +20,7 @@
 import org.apache.shenyu.admin.aspect.annotation.RestApi;
 import org.apache.shenyu.admin.model.dto.ProxyGatewayDTO;
 import org.apache.shenyu.admin.service.SandboxService;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
 
@@ -49,6 +50,7 @@ public SandboxController(final SandboxService sandboxService) {
      * @throws IOException throw io exception
      */
     @PostMapping(path = "/proxyGateway")
+    @RequiresPermissions("system:authen:modify")
     public void proxyGateway(@RequestBody @Valid final ProxyGatewayDTO proxyGatewayDTO,
                             final HttpServletRequest request,
                             final HttpServletResponse response) throws IOException {
diff --git a/shenyu-admin/src/main/java/org/apache/shenyu/admin/model/dto/UpdateSkDTO.java b/shenyu-admin/src/main/java/org/apache/shenyu/admin/model/dto/UpdateSkDTO.java
new file mode 100644
index 000000000000..74d84625c6a5
--- /dev/null
+++ b/shenyu-admin/src/main/java/org/apache/shenyu/admin/model/dto/UpdateSkDTO.java
@@ -0,0 +1,100 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.shenyu.admin.model.dto;
+
+import org.apache.shenyu.admin.service.provider.AppKeyProvider;
+import org.apache.shenyu.admin.validation.annotation.Existed;
+
+import jakarta.validation.constraints.NotBlank;
+import java.io.Serializable;
+import java.util.Objects;
+
+/**
+ * this is update app secret dto.
+ */
+public class UpdateSkDTO implements Serializable {
+
+    private static final long serialVersionUID = -1L;
+
+    /**
+     * application key.
+     */
+    @NotBlank(message = "app key not null")
+    @Existed(message = "app key not existed", provider = AppKeyProvider.class)
+    private String appKey;
+
+    /**
+     * encryption secret.
+     */
+    @NotBlank(message = "app secret not null")
+    private String appSecret;
+
+    /**
+     * Gets the value of appKey.
+     *
+     * @return the value of appKey
+     */
+    public String getAppKey() {
+        return appKey;
+    }
+
+    /**
+     * Sets the appKey.
+     *
+     * @param appKey appKey
+     */
+    public void setAppKey(final String appKey) {
+        this.appKey = appKey;
+    }
+
+    /**
+     * Gets the value of appSecret.
+     *
+     * @return the value of appSecret
+     */
+    public String getAppSecret() {
+        return appSecret;
+    }
+
+    /**
+     * Sets the appSecret.
+     *
+     * @param appSecret appSecret
+     */
+    public void setAppSecret(final String appSecret) {
+        this.appSecret = appSecret;
+    }
+
+    @Override
+    public boolean equals(final Object o) {
+        if (this == o) {
+            return true;
+        }
+        if (!(o instanceof UpdateSkDTO)) {
+            return false;
+        }
+        UpdateSkDTO that = (UpdateSkDTO) o;
+        return Objects.equals(appKey, that.appKey)
+                && Objects.equals(appSecret, that.appSecret);
+    }
+
+    @Override
+    public int hashCode() {
+        return Objects.hash(appKey, appSecret);
+    }
+}
diff --git a/shenyu-admin/src/test/java/org/apache/shenyu/admin/controller/AppAuthControllerTest.java b/shenyu-admin/src/test/java/org/apache/shenyu/admin/controller/AppAuthControllerTest.java
index 14244f643b0c..a793f097a855 100644
--- a/shenyu-admin/src/test/java/org/apache/shenyu/admin/controller/AppAuthControllerTest.java
+++ b/shenyu-admin/src/test/java/org/apache/shenyu/admin/controller/AppAuthControllerTest.java
@@ -27,6 +27,7 @@
 import org.apache.shenyu.admin.model.dto.AuthPathDTO;
 import org.apache.shenyu.admin.model.dto.AuthPathWarpDTO;
 import org.apache.shenyu.admin.model.dto.BatchCommonDTO;
+import org.apache.shenyu.admin.model.dto.UpdateSkDTO;
 import org.apache.shenyu.admin.model.page.CommonPager;
 import org.apache.shenyu.admin.model.page.PageCondition;
 import org.apache.shenyu.admin.model.page.PageParameter;
@@ -36,6 +37,7 @@
 import org.apache.shenyu.admin.model.vo.AppAuthVO;
 import org.apache.shenyu.admin.model.vo.AuthPathVO;
 import org.apache.shenyu.admin.service.AppAuthService;
+import org.apache.shenyu.admin.service.provider.AppKeyProvider;
 import org.apache.shenyu.admin.spring.SpringBeanUtils;
 import org.apache.shenyu.admin.utils.ShenyuResultMessage;
 import org.apache.shenyu.common.constant.AdminConstants;
@@ -186,9 +188,15 @@ public void testApplyWithAppKey() throws Exception {
 
     @Test
     public void testUpdateSk() throws Exception {
-        this.mockMvc.perform(MockMvcRequestBuilders.get("/appAuth/updateSk")
-                .param("appKey", "testAppKey")
-                .param("appSecret", "updateAppSecret"))
+        final UpdateSkDTO updateSkDTO = new UpdateSkDTO();
+        updateSkDTO.setAppKey("testAppKey");
+        updateSkDTO.setAppSecret("updateAppSecret");
+        SpringBeanUtils.getInstance().setApplicationContext(mock(ConfigurableApplicationContext.class));
+        when(SpringBeanUtils.getInstance().getBean(AppKeyProvider.class)).thenReturn(mock(AppKeyProvider.class));
+        when(SpringBeanUtils.getInstance().getBean(AppKeyProvider.class).existed("testAppKey")).thenReturn(true);
+        this.mockMvc.perform(MockMvcRequestBuilders.post("/appAuth/updateSk")
+                .contentType(MediaType.APPLICATION_JSON)
+                .content(GsonUtils.getInstance().toJson(updateSkDTO)))
                 .andExpect(status().isOk())
                 .andReturn();
     }