diff --git a/services/mam-api/src/db/migrations/023-auth-session-timestamps.sql b/services/mam-api/src/db/migrations/023-auth-session-timestamps.sql
index 9273c4b..e67c106 100644
--- a/services/mam-api/src/db/migrations/023-auth-session-timestamps.sql
+++ b/services/mam-api/src/db/migrations/023-auth-session-timestamps.sql
@@ -7,6 +7,9 @@
 -- future audit fields) keep working when AUTH_ENABLED=false. The seeded
 -- password_hash is a placeholder that no bcrypt.compare will accept, so the
 -- dev row cannot be used to log in even if AUTH_ENABLED is later flipped on.
+--
+-- password_updated_at is backfilled with NOW() for existing rows at migration time;
+-- treat values from before this deploy as approximate.
 
 ALTER TABLE users ADD COLUMN IF NOT EXISTS password_updated_at TIMESTAMPTZ DEFAULT NOW();
 ALTER TABLE users ADD COLUMN IF NOT EXISTS last_login_at       TIMESTAMPTZ;
@@ -19,4 +22,4 @@ VALUES (
   'Dev (AUTH_ENABLED=false)',
   'admin'
 )
-ON CONFLICT (id) DO NOTHING;
+ON CONFLICT DO NOTHING;