diff --git a/docs/logto-oss/deployment-and-configuration.mdx b/docs/logto-oss/deployment-and-configuration.mdx index e1f02fc641f..bbb4d2880fb 100644 --- a/docs/logto-oss/deployment-and-configuration.mdx +++ b/docs/logto-oss/deployment-and-configuration.mdx @@ -108,6 +108,12 @@ npm run cli db seed -- --swe Refer to the [Logto CLI](/logto-oss/using-cli) for more details. +:::tip Air-gapped or offline installs + +If your deployment environment cannot reach `api.pwnedpasswords.com`, append `--disable-admin-pwned-password-check` to either `logto init` or `npm run cli db seed` so the first admin sign-up does not hang on the Have I Been Pwned breach check. See [Seed for air-gapped or offline deployments](/logto-oss/using-cli#seed-for-air-gapped-or-offline-deployments) for details. + +::: + ### Shared connectors folder \{#shared-connectors-folder} By default, Logto will create a `connectors` folder in the root directory of the `core` folder. We recommend sharing the folder between multiple instances of Logto, you need to mount the `packages/core/connectors` folder to the container and run `npm run cli connector add -- --official` to deploy the connectors. diff --git a/docs/logto-oss/using-cli/README.mdx b/docs/logto-oss/using-cli/README.mdx index 1e5d1ab093a..523abf3684a 100644 --- a/docs/logto-oss/using-cli/README.mdx +++ b/docs/logto-oss/using-cli/README.mdx 
@@ -79,3 +79,66 @@ This will be helpful for one-off invocations, e.g.: ```bash npx @logto/cli db seed --db-url postgresql://your-database-url ``` + +### Seed for air-gapped or offline deployments \{#seed-for-air-gapped-or-offline-deployments} + +Since Logto v1.40.0, both the `init` (install) and `db seed` commands accept an extra flag for environments that cannot reach the public internet during installation: + +```bash +--disable-admin-pwned-password-check, --dapc +``` + +When set, the seeded password policy on the **admin tenant** disables the [Have I Been Pwned (HIBP)](https://haveibeenpwned.com/) breach check by default. This means creating the initial admin from the Welcome page no longer hangs when `api.pwnedpasswords.com` is unreachable (for example in air-gapped data centers or behind strict egress firewalls). + +The flag is scoped to the admin tenant only — the default tenant's password policy is left untouched, and stays under your control through Admin Console > **Sign-in experience** > **Password policy** after the first admin signs in. From the Admin Console you can also re-enable the HIBP check on the admin tenant at any time. + +**One-step install** (recommended for fresh OSS deployments): + + + + + +```bash +logto init --disable-admin-pwned-password-check +``` + + + + +```bash +npm init @logto@latest -- --disable-admin-pwned-password-check +``` + + + + + +**Seed an existing database** (when Logto is already extracted, or when re-seeding): + + + + + +```bash +logto db seed --disable-admin-pwned-password-check +``` + + + + +```bash +npm run cli db seed -- --disable-admin-pwned-password-check +``` + + + + +```bash +npx @logto/cli db seed --disable-admin-pwned-password-check +``` + + + + + +The short alias `--dapc` is accepted as an equivalent for terser scripts. diff --git a/docs/logto-oss/using-cli/install-logto.mdx b/docs/logto-oss/using-cli/install-logto.mdx index a0d2cd6d19f..eb1a59f452b 100644 --- a/docs/logto-oss/using-cli/install-logto.mdx 
+++ b/docs/logto-oss/using-cli/install-logto.mdx @@ -37,10 +37,11 @@ Alternatively, you can add the options below to skip some questions: ```bash # All these options are optional ---db-url The Postgres URL to Logto database --p, --path Path to your Logto instance, must be a non-existing path ---ss Skip Logto database seeding ---oc Add official connectors after installation +--db-url The Postgres URL to Logto database +-p, --path Path to your Logto instance, must be a non-existing path +--ss Skip Logto database seeding +--oc Add official connectors after installation +--disable-admin-pwned-password-check, --dapc Seed the admin tenant with the Have I Been Pwned (HIBP) password breach check disabled (for air-gapped or offline deployments). See [Seed for air-gapped or offline deployments](/logto-oss/using-cli#seed-for-air-gapped-or-offline-deployments). ``` Run `logto init --help` for full help info.
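Review bot: In the tip added to docs/logto-oss/deployment-and-configuration.mdx, the wording "append `--disable-admin-pwned-password-check` to either `logto init` or `npm run cli db seed`" leaves out the `--` separator that the npm form needs. The context line above the tip uses `npm run cli db seed -- --swe`, and the README hunk in this same patch writes `npm run cli db seed -- --disable-admin-pwned-password-check`. Suggest spelling out the npm command in full. The tip should also say that the flag only changes the admin tenant's password policy, as the linked section does, so a reader who stops at the tip does not assume the breach check is turned off for end users as well.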
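Review bot: The new "Seed for air-gapped or offline deployments" section in docs/logto-oss/using-cli/README.mdx presents the flag only as a fix for the Welcome-page hang and never states the trade-off: with it set, the initial admin password on the admin tenant is accepted without the HIBP breach check. Suggest adding one sentence that says so and that points operators to re-enable the check from the Admin Console once `api.pwnedpasswords.com` is reachable from the deployment. Under "Seed an existing database (when Logto is already extracted, or when re-seeding)" it is also not stated whether running `db seed` with the flag changes a password policy that already exists on the admin tenant; worth documenting either way. The phrase "disables the ... breach check by default" is ambiguous next to a flag that is itself opt-in; "seeds the admin tenant with the check disabled" would match the wording used in install-logto.mdx.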
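Review bot: In the options block of docs/logto-oss/using-cli/install-logto.mdx, the added `--disable-admin-pwned-password-check, --dapc` line puts a Markdown link, "See [Seed for air-gapped or offline deployments](/logto-oss/using-cli#seed-for-air-gapped-or-offline-deployments)", inside the bash code fence, where it will render as literal brackets and a path rather than a link. Suggest keeping the in-fence description as short as the other four options and moving the cross-reference to a prose sentence after the closing fence, next to "Run `logto init --help` for full help info." The README hunk says the flag exists "Since Logto v1.40.0"; repeating that version here would help readers who land on this page first.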