diff --git a/src/db/migrations/index.ts b/src/db/migrations/index.ts
index 72cf0c2..9813e49 100644
--- a/src/db/migrations/index.ts
+++ b/src/db/migrations/index.ts
@@ -288,5 +288,46 @@ export const migrations: Migration[] = [
         ON allowed_groups (status);
       `);
     }
+  },
+  {
+    version: 10,
+    name: 'web-auth-tables',
+    checksum: 'v10-web-auth-2025-10-12',
+    up: (db: Database) => {
+      db.exec(`PRAGMA foreign_keys = ON;`);
+
+      // Tokens de login web (válidos 10 min, de un solo uso)
+      db.exec(`
+        CREATE TABLE IF NOT EXISTS web_tokens (
+          id INTEGER PRIMARY KEY AUTOINCREMENT,
+          user_id TEXT NOT NULL,
+          token_hash TEXT NOT NULL UNIQUE,
+          created_at TEXT NOT NULL DEFAULT (strftime('%Y-%m-%d %H:%M:%f','now')),
+          expires_at TEXT NOT NULL,
+          used_at TEXT NULL,
+          metadata TEXT NULL,
+          FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
+        );
+      `);
+      db.exec(`CREATE INDEX IF NOT EXISTS idx_web_tokens_user ON web_tokens (user_id);`);
+      db.exec(`CREATE INDEX IF NOT EXISTS idx_web_tokens_expires ON web_tokens (expires_at);`);
+
+      // Sesiones de la web (idle timeout gestionado por la app web)
+      db.exec(`
+        CREATE TABLE IF NOT EXISTS web_sessions (
+          id TEXT PRIMARY KEY,
+          user_id TEXT NOT NULL,
+          session_hash TEXT NOT NULL UNIQUE,
+          created_at TEXT NOT NULL DEFAULT (strftime('%Y-%m-%d %H:%M:%f','now')),
+          last_seen_at TEXT NOT NULL DEFAULT (strftime('%Y-%m-%d %H:%M:%f','now')),
+          expires_at TEXT NOT NULL,
+          user_agent TEXT NULL,
+          ip TEXT NULL,
+          FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
+        );
+      `);
+      db.exec(`CREATE INDEX IF NOT EXISTS idx_web_sessions_user ON web_sessions (user_id);`);
+      db.exec(`CREATE INDEX IF NOT EXISTS idx_web_sessions_expires ON web_sessions (expires_at);`);
+    }
   }
 ];