diff --git a/backend/migrations/0002_auth.sql b/backend/migrations/0002_auth.sql
new file mode 100644
index 0000000..4e89572
--- /dev/null
+++ b/backend/migrations/0002_auth.sql
@@ -0,0 +1,29 @@
+-- migrations/0002_auth.sql
+-- Phase 2: Authentication — users + sessions tables.
+
+-- +goose Up
+CREATE EXTENSION IF NOT EXISTS citext;
+CREATE EXTENSION IF NOT EXISTS pgcrypto;
+
+CREATE TABLE users (
+    id            uuid        PRIMARY KEY DEFAULT gen_random_uuid(),
+    email         citext      NOT NULL UNIQUE,
+    password_hash text        NOT NULL,
+    created_at    timestamptz NOT NULL DEFAULT now(),
+    updated_at    timestamptz NOT NULL DEFAULT now()
+);
+
+CREATE TABLE sessions (
+    id         text        PRIMARY KEY,
+    user_id    uuid        NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+    created_at timestamptz NOT NULL DEFAULT now(),
+    expires_at timestamptz NOT NULL
+);
+
+CREATE INDEX sessions_user_id_idx   ON sessions(user_id);
+CREATE INDEX sessions_expires_at_idx ON sessions(expires_at);
+
+-- +goose Down
+DROP TABLE IF EXISTS sessions;
+DROP TABLE IF EXISTS users;
+-- citext + pgcrypto left in place — extensions are cheap and shared across migrations.