diff --git a/SESSION_LOG.md b/SESSION_LOG.md index 3817695..9f50c9b 100644 --- a/SESSION_LOG.md +++ b/SESSION_LOG.md @@ -1,4 +1,4 @@ -# Session Log – zlh-grind +# Session Log — zlh-grind Append-only execution log for GPT-assisted development work. Do not rewrite or reorder past entries. @@ -102,4 +102,28 @@ Status: **Root cause resolved; implementation pending agent patch & installer up Status: **Dev container SSH working internally; bastion public access blocked at network layer.** ---- \ No newline at end of file +--- + +## 2025-12-28 — APIv2 Auth + Portal Alignment Session + +### Work Completed +- APIv2 auth route verified functional (JWT-based) +- bcrypt password verification confirmed +- `/api/instances` endpoint verified working without auth +- Portal/API boundary clarified: portal owns identity UX, API owns validation + DB +- Confirmed no CSRF or cookie-based auth required (stateless JWT) + +### Key Findings +- Portal still contains APIv1 / Pterodactyl assumptions +- `zlh-grind` is documentation + constraint repo only (no code) +- Instances endpoint behavior was correct; earlier failures were route misuse + +### Decisions +- APIv2 auth will remain stateless (JWT only) +- No CSRF protection will be implemented +- Portal must fully remove APIv1 and Pterodactyl patterns + +### Next Actions +- Enforce `requireAuth` selectively in APIv2 +- Update portal login to match APIv2 contract +- Track portal migration progress in OPEN_THREADS
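Review bot: In the 2025-12-28 entry, the Work Completed item "`/api/instances` endpoint verified working without auth" does not say whether unauthenticated access to that route is intended, and the Next Actions item "Enforce `requireAuth` selectively in APIv2" does not name the routes it covers. Suggest listing which APIv2 routes are meant to be public and which must sit behind `requireAuth`, so the log shows whether `/api/instances` is a deliberate exception or a gap to close. The decision "No CSRF protection will be implemented" rests only on "stateless JWT": the entry says cookie-based auth is not required, but not that cookies are ruled out, and the decision holds only while the token is never sent as a cookie. Recording under Decisions how the portal transmits the JWT would make that constraint explicit for the portal migration.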