diff --git a/services/mam-api/src/db/migrations/023-auth-session-timestamps.sql b/services/mam-api/src/db/migrations/023-auth-session-timestamps.sql
new file mode 100644
index 0000000..9273c4b
--- /dev/null
+++ b/services/mam-api/src/db/migrations/023-auth-session-timestamps.sql
@@ -0,0 +1,22 @@
+-- Migration 023 — auth-related user timestamps + idempotent dev user.
+--
+-- See docs/superpowers/specs/2026-05-27-auth-system-design.md
+--
+-- password_updated_at + last_login_at are operator visibility, no logic depends on them yet.
+-- The dev user is seeded with a fixed UUID so FK-bearing routes (api_tokens,
+-- future audit fields) keep working when AUTH_ENABLED=false. The seeded
+-- password_hash is a placeholder that no bcrypt.compare will accept, so the
+-- dev row cannot be used to log in even if AUTH_ENABLED is later flipped on.
+
+ALTER TABLE users ADD COLUMN IF NOT EXISTS password_updated_at TIMESTAMPTZ DEFAULT NOW();
+ALTER TABLE users ADD COLUMN IF NOT EXISTS last_login_at       TIMESTAMPTZ;
+
+INSERT INTO users (id, username, password_hash, display_name, role)
+VALUES (
+  '00000000-0000-4000-8000-000000000dev',
+  'dev',
+  '!disabled-no-login!',
+  'Dev (AUTH_ENABLED=false)',
+  'admin'
+)
+ON CONFLICT (id) DO NOTHING;