diff --git a/CONSTRAINTS.md b/CONSTRAINTS.md index fa1ce8e..5b32d97 100644 --- a/CONSTRAINTS.md +++ b/CONSTRAINTS.md @@ -40,4 +40,13 @@ They exist to prevent architectural drift, instability, and "demo-ware" UI patte ## Branding - Brand: **ZeroLagHub** - Shorthand: **ZLH** -- Gaming heritage is acceptable, esports aesthetic is not. \ No newline at end of file +- Gaming heritage is acceptable, esports aesthetic is not. + +## Authentication Constraints (APIv2) + +- APIv2 authentication is stateless +- JWT tokens are issued by APIv2 only +- No CSRF protection is allowed +- No cookies are allowed for auth +- Portal stores tokens client-side (sessionStorage) +- APIv1 and Pterodactyl auth patterns are forbidden
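Review bot: In the new "Authentication Constraints (APIv2)" list, "No CSRF protection is allowed" is written as a ban on a defence with no stated reason, and it only holds if the item below it ("No cookies are allowed for auth") is never relaxed. Suggest merging the two so the dependency is explicit, for example "Auth never uses cookies, so CSRF tokens are not used", and adding a line that says how the JWT is sent on each request, which the list does not state. The "Portal stores tokens client-side (sessionStorage)" item also puts the token within reach of any script running in the Portal origin, so this section should carry a companion constraint on token lifetime and on script-injection controls for the Portal. Finally, "APIv1 and Pterodactyl auth patterns are forbidden" does not name which patterns are meant; listing them would make the rule checkable in review.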