diff --git a/Deployment-and-Operations.md b/Deployment-and-Operations.md
index 6882bf7..e1db046 100644
--- a/Deployment-and-Operations.md
+++ b/Deployment-and-Operations.md
@@ -63,7 +63,11 @@ defaults (GST/EPFO stay stub-capable; PdfService skips token checks).
 renders the app's `/api/po/<id>/export?…&svc=<token>` page (the token lets it
 fetch without a user session), uploads the PDF to R2, and the app returns a
 `mailto:` with a **7-day** presigned link. `APP_INTERNAL_URL` is the URL
-PdfService uses to reach the app (defaults to `NEXTAUTH_URL`).
+PdfService uses to reach the app (defaults to `NEXTAUTH_URL`). The auth
+middleware lets the `svc`-token export request through (`lib/pdf-export-auth.ts`
+— without it the unauthenticated render is bounced to `/login`), and the rendered
+PDF is **cached per PO** at a deterministic key: repeat sends reuse the stored
+copy and only mint a fresh 7-day link, re-rendering only when the PO changed.
 
 ## Release & deploy flow