diff --git a/pairing.py b/pairing.py
index ed5684d..8629de9 100644
--- a/pairing.py
+++ b/pairing.py
@@ -165,15 +165,10 @@ async def pair_spire(
     """Mint a bunker-held key + scoped connect token for `machine` and
     return the seed URL the spire redeems at first boot.
 
-    `duration_hours` (optional, aiolabs/lnbits#54 item 2) stamps `expiresAt`
-    on the spire's connect token. NOTE: this bounds ONLY the window in which
-    an *un-redeemed* token can first connect — nsecbunkerd reads `expiresAt`
-    solely in `validateToken` at redeem time. Once the spire has connected
-    and its per-KeyUser grants are materialized, an expired token keeps
-    signing (the sign-time ACL never checks `expiresAt`; same ACL-ordering
-    subtlety as the revoke finding, #22). The real post-bind cutoff is
-    `revoke_spire` (`revoke_key_user`), not TTL. Post-bind TTL enforcement is
-    tracked at aiolabs/nsecbunkerd#24. None = non-expiring connect window.
+    `duration_hours` (optional, aiolabs/lnbits#54 item 2) sets a TTL on the
+    spire's connect token — the bunker stamps `expiresAt` and rejects the
+    token once it lapses, forcing a re-pair. None = non-expiring (the only
+    invalidation path is then revoke, `revoke_spire`).
 
     `admin_client` must already be connected (the caller owns the
     `async with NsecBunkerAdminClient.from_settings()` context) — keeps
diff --git a/templates/spirekeeper/index.html b/templates/spirekeeper/index.html
index 45d47a7..7bdebd3 100644
--- a/templates/spirekeeper/index.html
+++ b/templates/spirekeeper/index.html
@@ -855,8 +855,7 @@
         </q-card-section>
 
         <!-- Step 1 — configure + generate -->
-        <template v-if="!pairDialog.result">
-        <q-card-section>
+        <q-card-section v-if="!pairDialog.result">
           <p class="text-caption q-mb-md" :style="{opacity: 0.7}">
             Mints a dedicated signing key for
             <b v-text="(pairDialog.machine && pairDialog.machine.name) || 'this spire'"></b>
@@ -881,18 +880,16 @@
             class="q-mb-md"
             dense outlined></q-input>
         </q-card-section>
-        <q-card-actions align="right" class="text-primary">
+        <q-card-actions v-if="!pairDialog.result" align="right" class="text-primary">
           <q-btn flat label="Cancel" v-close-popup></q-btn>
           <q-btn
             color="primary" label="Generate seed URL" icon="vpn_key"
             :loading="pairDialog.saving"
             @click="submitPair"></q-btn>
         </q-card-actions>
-        </template>
 
         <!-- Step 2 — show the seed URL -->
-        <template v-else>
-        <q-card-section>
+        <q-card-section v-else>
           <q-banner dense rounded class="bg-green-1 text-grey-9 q-mb-md">
             <template v-slot:avatar>
               <q-icon name="check_circle" color="green"></q-icon>
@@ -931,10 +928,9 @@
             </q-btn>
           </div>
         </q-card-section>
-        <q-card-actions align="right" class="text-primary">
+        <q-card-actions v-else align="right" class="text-primary">
           <q-btn flat label="Done" color="primary" v-close-popup></q-btn>
         </q-card-actions>
-        </template>
       </q-card>
     </q-dialog>