diff --git a/README.md b/README.md
index b46bd6d..014829c 100644
--- a/README.md
+++ b/README.md
@@ -115,7 +115,9 @@ When a user attaches to an L1 server:
 3. L1 sets its own local cookie, logging the user in
 4. Their attachment is recorded in the `user_renderers` table
 
-**No shared secrets required**: L1 servers verify tokens by calling L2's public `/auth/verify` endpoint. This allows any L1 provider to federate with L2 without needing the JWT secret.
+**No shared secrets required**: L1 servers verify tokens by calling L2's `/auth/verify` endpoint. This allows any L1 provider to federate with L2 without needing the JWT secret.
+
+**Authorization**: L1 servers must identify themselves when calling `/auth/verify` by passing their URL. Only servers listed in `L1_SERVERS` are authorized to verify tokens.
 
 Users can manage attachments at `/renderers`.