diff --git a/backend/linkpulse/migrations/006_add_session_constraints.py b/backend/linkpulse/migrations/006_add_session_constraints.py
new file mode 100644
index 0000000..1517f13
--- /dev/null
+++ b/backend/linkpulse/migrations/006_add_session_constraints.py
@@ -0,0 +1,63 @@
+"""Peewee migrations -- 006_add_session_constraints.py.
+
+Some examples (model - class or model name)::
+
+    > Model = migrator.orm['table_name']            # Return model in current state by name
+    > Model = migrator.ModelClass                   # Return model in current state by name
+
+    > migrator.sql(sql)                             # Run custom SQL
+    > migrator.run(func, *args, **kwargs)           # Run python function with the given args
+    > migrator.create_model(Model)                  # Create a model (could be used as decorator)
+    > migrator.remove_model(model, cascade=True)    # Remove a model
+    > migrator.add_fields(model, **fields)          # Add fields to a model
+    > migrator.change_fields(model, **fields)       # Change fields
+    > migrator.remove_fields(model, *field_names, cascade=True)
+    > migrator.rename_field(model, old_field_name, new_field_name)
+    > migrator.rename_table(model, new_table_name)
+    > migrator.add_index(model, *col_names, unique=False)
+    > migrator.add_not_null(model, *field_names)
+    > migrator.add_default(model, field_name, default)
+    > migrator.add_constraint(model, name, sql)
+    > migrator.drop_index(model, *col_names)
+    > migrator.drop_not_null(model, *field_names)
+    > migrator.drop_constraints(model, *constraints)
+
+"""
+
+from contextlib import suppress
+
+import peewee as pw
+from peewee_migrate import Migrator
+
+
+with suppress(ImportError):
+    import playhouse.postgres_ext as pw_pext
+
+
+def migrate(migrator: Migrator, database: pw.Database, *, fake=False):
+    """Write your migrations here."""
+
+    migrator.add_constraint(
+        "session", "session_token_length", pw.Check("LENGTH(token) = 32")
+    )
+
+    migrator.add_constraint(
+        "session", "session_expiry_created_at", pw.Check("expiry > created_at")
+    )
+
+    migrator.add_constraint(
+        "session",
+        "session_last_used_created_at",
+        pw.Check("last_used IS NULL OR last_used <= created_at"),
+    )
+
+
+def rollback(migrator: Migrator, database: pw.Database, *, fake=False):
+    """Write your rollback migrations here."""
+
+    migrator.drop_constraints(
+        "session",
+        "session_token_length",
+        "session_expiry_created_at",
+        "session_last_used_created_at",
+    )
diff --git a/backend/linkpulse/models.py b/backend/linkpulse/models.py
index b461b8d..c9fc192 100644
--- a/backend/linkpulse/models.py
+++ b/backend/linkpulse/models.py
@@ -9,7 +9,15 @@ from typing import Optional
 
 import structlog
 from linkpulse.utilities import utc_now
-from peewee import AutoField, CharField, DateTimeField, ForeignKeyField, BitField, Model
+from peewee import (
+    AutoField,
+    BitField,
+    CharField,
+    Check,
+    DateTimeField,
+    ForeignKeyField,
+    Model,
+)
 from playhouse.db_url import connect
 
 logger = structlog.get_logger()
@@ -60,6 +68,13 @@ class Session(BaseModel):
     created_at = DateTimeField(default=utc_now)
     last_used = DateTimeField(null=True)
 
+    class Meta:
+        constraints = [
+            Check("LENGTH(token) = 32"),
+            Check("expiry > created_at"),
+            Check("last_used IS NULL OR last_used <= created_at"),
+        ]
+
     @property
     def expiry_utc(self) -> datetime.datetime:
         return self.expiry.replace(tzinfo=datetime.timezone.utc)  # type: ignore