diff --git a/web/routes/evotor_webhooks.py b/web/routes/evotor_webhooks.py
index b25d10a..9154af9 100644
--- a/web/routes/evotor_webhooks.py
+++ b/web/routes/evotor_webhooks.py
@@ -198,23 +198,30 @@ async def user_verify(request: Request, db: Session = Depends(get_db)):
 evotor_user_id: str = body.get("userId", "")
 username: str = body.get("username", "").strip()
+ phone: str = body.get("phone", "").strip()
 password: str = body.get("password", "")
- if not username or not password:
- return JSONResponse({"error": "username and password required"}, status_code=400)
+ login = username or phone
+ if not login or not password:
+ return JSONResponse({"error": "username/phone and password required"}, status_code=400)
- # username is email or phone
+ # match by email, username, or phone
 user = db.query(User).filter(
- or_(User.email == username, User.phone == username)
+ or_(User.email == login, User.phone == login)
 ).first()
- if not user or not user.password_hash:
+ if not user:
 return JSONResponse({"error": "Неверные данные"}, status_code=401)
 if user.status == UserStatusEnum.suspended:
 return JSONResponse({"error": "Аккаунт заблокирован"}, status_code=403)
- if not verify_password(password, user.password_hash):
+ if not user.password_hash:
+ # First auth with password — save it and activate the account
+ user.password_hash = hash_password(password)
+ if user.status == UserStatusEnum.pending:
+ user.status = UserStatusEnum.active
+ elif not verify_password(password, user.password_hash):
 return JSONResponse({"error": "Неверные данные"}, status_code=401)
 # Get or create connection to retrieve api_token
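Review bot: The new `if not user.password_hash:` branch stores whatever password arrives in the request for any account that has none yet and promotes `pending` to `active`, so the first caller who supplies that account's email or phone becomes its owner without proving control of it. Unless the webhook caller is authenticated and the password is known to come from the account holder (neither is visible in this hunk), keep the old refusal, e.g. `if not user.password_hash or not verify_password(password, user.password_hash):` returning 401, and set the initial password through a verified flow such as a one-time code or set-password link. The comment `# match by email, username, or phone` also overstates the query, which still compares only `User.email` and `User.phone`. `user_verify` starts before and continues after the hunk, so whether the change is committed or logged cannot be seen here.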