diff --git a/backend/app.py b/backend/app.py
index 396117c..2ae82ff 100644
--- a/backend/app.py
+++ b/backend/app.py
@@ -746,6 +746,44 @@ def newserv_account_lock_acquire():
                 })
 
 
+@app.post("/api/newserv/account-locks/heartbeat")
+def newserv_account_lock_heartbeat():
+    auth_error = require_newserv_shared_secret()
+    if auth_error:
+        return auth_error
+
+    data = json_body()
+    source = clean_lock_text(data.get("source"), 64)
+    source_region = clean_lock_text(data.get("source_region"), 32)
+    source_ship = clean_lock_text(data.get("source_ship"), 32)
+
+    if not source:
+        return jsonify({"ok": False, "message": "missing source"}), 400
+
+    expires_at = account_lock_expires_at()
+
+    with connect() as conn:
+        with conn.cursor() as cur:
+            cur.execute("""
+                UPDATE account_session_locks
+                SET updated_at = now(),
+                    expires_at = %s
+                WHERE holder_source = %s
+                  AND state IN ('active', 'draining')
+            """, (expires_at, source))
+            refreshed = cur.rowcount
+
+    return jsonify({
+        "ok": True,
+        "source": source,
+        "source_region": source_region,
+        "source_ship": source_ship,
+        "refreshed": refreshed,
+        "expires_at": expires_at.isoformat(),
+    })
+
+
+
 @app.get("/api/newserv/account-locks/<int:account_id>")
 def newserv_account_lock_status(account_id):
     auth_error = require_newserv_shared_secret()