diff --git a/.env.example b/.env.example
index fd7f705..35d4313 100644
--- a/.env.example
+++ b/.env.example
@@ -1,7 +1,6 @@
 PORT=3000
 HOST=0.0.0.0
 JWT_SECRET=change-me-to-a-long-random-secret
-JWT_EXPIRY=7d
 DB_PATH=./data/nanodrop.db
 UPLOAD_DIR=./data/uploads
 LOG_FILE=./data/nanodrop.log
diff --git a/README.md b/README.md
index f1b9c0c..85bb986 100644
--- a/README.md
+++ b/README.md
@@ -60,7 +60,6 @@ docker compose run --rm register-user --username alice --password secret
 | Variable | Default | Description |
 |---|---|---|
 | `JWT_SECRET` | *(required)* | Secret key for signing JWTs |
-| `JWT_EXPIRY` | `7d` | JWT token lifetime |
 | `PORT` | `3000` | Port to listen on |
 | `HOST` | `0.0.0.0` | Host to bind |
 | `BASE_URL` | `http://localhost:3000` | Public base URL (used in share links) |
@@ -71,6 +70,8 @@ docker compose run --rm register-user --username alice --password secret
 | `COOKIE_SECURE` | `false` | Set `true` when serving over HTTPS |
 | `TRUST_PROXY` | `false` | Set `true` when behind a reverse proxy |
 
+Session lifetime is family-pinned to 30 days with sliding renewal (see `src/constants.ts`). Not configurable per deployment.
+
 ### Reverse proxy
 
 Set `TRUST_PROXY=true` when running behind a reverse proxy so Nanodrop sees the real client IP in logs.
diff --git a/docker-compose.yml b/docker-compose.yml
index c3aa65f..d54be92 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -2,7 +2,6 @@ x-env: &env
   PORT: "${PORT:-3000}"
   HOST: "${HOST:-0.0.0.0}"
   JWT_SECRET: "${JWT_SECRET}"
-  JWT_EXPIRY: "${JWT_EXPIRY:-7d}"
   DB_PATH: "${DB_PATH:-./data/nanodrop.db}"
   UPLOAD_DIR: "${UPLOAD_DIR:-./data/uploads}"
   LOG_FILE: "${LOG_FILE:-./data/nanodrop.log}"