diff --git a/app/models/auth_user.rb b/app/models/auth_user.rb
index d241773a..30149a32 100644
--- a/app/models/auth_user.rb
+++ b/app/models/auth_user.rb
@@ -45,6 +45,8 @@ class AuthUser < AuthRecord
 
     transaction do
       find_or_create_by!(provider: auth.provider, uid: auth.uid) do |user|
+        # This account is new! Let's do the initial setup.
+
         # TODO: Can we somehow get the Neopets username if one exists, instead
         # of just using total randomness?
         user.name = build_unique_username
@@ -55,6 +57,15 @@ class AuthUser < AuthRecord
         # password recovery!)
         email_exists = AuthUser.where(email: auth.info.email).exists?
         user.email = auth.info.email unless email_exists
+      end.tap do |user|
+        # Additionally, whether this account is new or existing, make sure
+        # we've saved the latest email to `neopass_email`.
+        #
+        # We track this separately from `email`, which the user can edit, to
+        # use in the Settings UI to indicate what NeoPass you're linked to. (In
+        # practice, this *shouldn't* ever change after initial setup, because
+        # NeoPass emails are immutable? But why not be resilient!)
+        user.update!(neopass_email: auth.info.email)
       end
     end
   end
diff --git a/db/openneo_id_migrate/20240407135246_add_neo_pass_email_to_users.rb b/db/openneo_id_migrate/20240407135246_add_neo_pass_email_to_users.rb
new file mode 100644
index 00000000..e3ea22e8
--- /dev/null
+++ b/db/openneo_id_migrate/20240407135246_add_neo_pass_email_to_users.rb
@@ -0,0 +1,5 @@
+class AddNeoPassEmailToUsers < ActiveRecord::Migration[7.1]
+  def change
+    add_column :users, :neopass_email, :string
+  end
+end
diff --git a/db/openneo_id_schema.rb b/db/openneo_id_schema.rb
index a125f4ec..8ea0f0e8 100644
--- a/db/openneo_id_schema.rb
+++ b/db/openneo_id_schema.rb
@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema[7.1].define(version: 2024_04_01_124406) do
+ActiveRecord::Schema[7.1].define(version: 2024_04_07_135246) do
   create_table "users", id: { type: :integer, unsigned: true }, charset: "utf8mb3", collation: "utf8mb3_general_ci", force: :cascade do |t|
     t.string "name", limit: 30, null: false
     t.string "encrypted_password", limit: 64
@@ -31,6 +31,7 @@ ActiveRecord::Schema[7.1].define(version: 2024_04_01_124406) do
     t.datetime "remember_created_at"
     t.string "provider"
     t.string "uid"
+    t.string "neopass_email"
     t.index ["email"], name: "index_users_on_email", unique: true
     t.index ["reset_password_token"], name: "index_users_on_reset_password_token", unique: true
     t.index ["unlock_token"], name: "index_users_on_unlock_token", unique: true