diff --git a/internal/api/delete_user.go b/internal/api/delete_user.go
index f62b9ec4c..a9a1bb1ca 100644
--- a/internal/api/delete_user.go
+++ b/internal/api/delete_user.go
@@ -46,14 +46,15 @@ type deleteUserReq struct {
 // DeleteUser permanently deletes a user account and cleans up associated data.
 // Steps: force-logout → delete friends → quit/kick groups → hard-delete user doc.
-// Only IM admins may call this endpoint.
+// Caller must be the same user as userID, or an IM admin (see CheckAccessV3).
 func (d *DeleteUserApi) DeleteUser(c *gin.Context) {
 var req deleteUserReq
 if err := c.ShouldBindJSON(&req); err != nil {
 apiresp.GinError(c, errs.ErrArgs.WrapMsg(err.Error()))
 return
 }
- if err := authverify.CheckAdmin(c, d.imAdminUserIDs); err != nil {
+ // Only the user themselves (or an IM admin) may delete the account.
+ if err := authverify.CheckAccessV3(c, req.UserID, d.imAdminUserIDs); err != nil {
 apiresp.GinError(c, err)
 return
 }
diff --git a/internal/api/router.go b/internal/api/router.go
index 519f3bf31..9430cc7ed 100644
--- a/internal/api/router.go
+++ b/internal/api/router.go
@@ -180,7 +180,6 @@ func newGinRouter(ctx context.Context, client discovery.SvcDiscoveryRegistry, co
 userRouterGroup.POST("/remove_global_blacklist", bl.RemoveGlobalBlacklist)
 userRouterGroup.POST("/get_global_blacklist", bl.GetGlobalBlacklist)
- // 真实删除账号(仅管理员)
 userRouterGroup.POST("/delete_user", du.DeleteUser)
 }
 
 // friend routing group
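Review bot: The new authorization line keys the self-or-admin decision on `req.UserID`, which comes straight from the JSON body, and nothing in the hunk shows that the field is required or non-empty (the `deleteUserReq` fields sit outside the hunk), so whether `CheckAccessV3` treats an empty target as "not the caller" or as a match has to be confirmed before this can stand in for the old admin-only gate. I would reject the empty case explicitly before the access check: `if req.UserID == "" { apiresp.GinError(c, errs.ErrArgs.WrapMsg("userID is required")); return }`. Since the steps listed in the doc comment end in a hard delete, the comment should also say why a non-admin may now trigger an irreversible action on their own account (e.g. self-service account deletion) and, if the service has a step-up or re-auth policy for destructive actions, whether it applies here. The DeleteUser body continues past the hunk.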