diff --git a/README.md b/README.md index 17b290c..b46bd6d 100644 --- a/README.md +++ b/README.md @@ -111,8 +111,11 @@ export L1_SERVERS=https://celery-artdag.rose-ash.com,https://renderer2.example.c When a user attaches to an L1 server: 1. They're redirected to the L1's `/auth` endpoint with their auth token -2. The L1 sets a local cookie, logging them in -3. Their attachment is recorded in the `user_renderers` table +2. L1 calls back to L2's `/auth/verify` endpoint to validate the token +3. L1 sets its own local cookie, logging the user in +4. Their attachment is recorded in the `user_renderers` table + +**No shared secrets required**: L1 servers verify tokens by calling L2's public `/auth/verify` endpoint. This allows any L1 provider to federate with L2 without needing the JWT secret. Users can manage attachments at `/renderers`.
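Review bot: the new step 2 and the "No shared secrets required" paragraph leave out how an L1 knows it is talking to the real L2, which is the only thing standing in for the JWT secret this change removes. Document that L1 must call `/auth/verify` over HTTPS at the L2 URL fixed in its own configuration (never at a host derived from the redirect or the token), that it must treat anything other than a positive response from that endpoint as a failed login, and what the endpoint returns (the user identity L1 should record in `user_renderers`, rather than echoing the token back). Since the token reaches L1 through a browser redirect in step 1 and the verify endpoint is public, it would also help to state the token's lifetime and whether it is single-use, so an L1 operator knows how long a leaked redirect URL remains valid. A suggested addition after the new paragraph: "L1 servers must call `/auth/verify` only at the L2 URL in their own configuration, over HTTPS, and must refuse the login unless L2 returns a successful verification."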