diff --git a/docs/source/interface.rst b/docs/source/interface.rst
index 678d5c45973b040cf45e34f94f415674887b9574..5231e7265a355117ccd1bc0af68084ba1ef6b66e 100644
--- a/docs/source/interface.rst
+++ b/docs/source/interface.rst
@@ -7,6 +7,18 @@ Client
 When enabled in a Tahoe-LAFS client node,
 ZKAPAuthorizer publishes an HTTP-based interface inside the main Tahoe-LAFS web interface.
 
+All endpoints in the interface require an authorization token.
+Without the token,
+requests will receive an HTTP UNAUTHORIZED (401) response.
+
+To be authorized to access the resources at the endpoints,
+requests must include the correct secret token in the value for **Authorization** in the request header.
+For example, if the secret token is ``ABCDEF``::
+
+  Authorization: tahoe-lafs ABCDEF
+
+The correct value for the token can be read from the Tahoe-LAFS node's ``private/api_auth_token`` file.
+
 ``GET /storage-plugins/privatestorageio-zkapauthz-v1/version``
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
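
Review bot: The added sentence "Without the token, requests will receive an HTTP UNAUTHORIZED (401) response" covers only a missing token; it does not say what a request receives when it carries an incorrect token or a scheme other than ``tahoe-lafs``. State that case explicitly, and name the ``tahoe-lafs`` scheme in the prose instead of leaving it implied by the ``Authorization: tahoe-lafs ABCDEF`` example. Because the text calls the value a secret token, the sentence about ``private/api_auth_token`` should also say that the file's contents must be kept confidential, and whether a trailing newline or other whitespace in the file is to be stripped before the value is placed in the header. Minor wording: "the value for **Authorization** in the request header" would read more clearly as "the ``Authorization`` request header", using the literal markup the rest of the hunk already uses for the token and file path.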