diff --git a/docs/API.md b/docs/API.md
index 018ff7378..fdb509089 100644
--- a/docs/API.md
+++ b/docs/API.md
@@ -232,7 +232,17 @@ POST /api/config/import  # Import encrypted config
 - Private network access (automatic for homelab users on 192.168.x.x, 10.x.x.x, 172.16.x.x)
 - ALLOW_UNPROTECTED_EXPORT=true (to explicitly allow on public networks)
 
-**Export includes**: All nodes, credentials (encrypted), alerts, webhooks, email config, system settings, and guest metadata (custom console URLs)
+**Export includes**: 
+- All nodes and their credentials (encrypted)
+- Alert configurations
+- Webhook configurations  
+- Email settings
+- System settings (polling intervals, UI preferences)
+- Guest metadata (custom console URLs)
+
+**NOT included** (for security):
+- Authentication settings (passwords, API tokens)
+- Each instance should have its own authentication
 
 ## Notifications
 
diff --git a/docs/MIGRATION.md b/docs/MIGRATION.md
index bea0cb1fb..5fe5223b0 100644
--- a/docs/MIGRATION.md
+++ b/docs/MIGRATION.md
@@ -39,7 +39,8 @@ Never copy `/etc/pulse` or `/var/lib/pulse` directories between systems:
 ❌ **Not Included:**
 - Historical metrics data
 - Alert history
-- API tokens (regenerate on new system)
+- Authentication settings (passwords, API tokens)
+- Each instance should configure its own authentication
 
 ## Common Scenarios
 
diff --git a/frontend-modern/src/components/Settings/Settings.tsx b/frontend-modern/src/components/Settings/Settings.tsx
index fedf13a6c..7792306b5 100644
--- a/frontend-modern/src/components/Settings/Settings.tsx
+++ b/frontend-modern/src/components/Settings/Settings.tsx
@@ -2125,7 +2125,9 @@ const Settings: Component = () => {
                     <path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-3L13.732 4c-.77-1.333-2.694-1.333-3.464 0L3.34 16c-.77 1.333.192 3 1.732 3z" />
                   </svg>
                   <div class="text-xs text-amber-700 dark:text-amber-300">
-                    <strong>Important:</strong> The backup file contains encrypted credentials. Store it securely and remember your {useCustomPassphrase() ? 'passphrase' : 'password'}.
+                    <strong>Important:</strong> The backup contains node credentials but NOT authentication settings. 
+                    Each Pulse instance should configure its own login credentials for security.
+                    Remember your {useCustomPassphrase() || !securityStatus()?.hasAuthentication ? 'passphrase' : 'password'} for restoring.
                   </div>
                 </div>
               </div>