diff --git a/src/_secureaccesstokenauthorizer/_storage_client.py b/src/_secureaccesstokenauthorizer/_storage_client.py
index 309eaab8c53023afc01a0110bea42bbad734b9be..9ba11b25c0a29409c95d44743b4737524147f627 100644
--- a/src/_secureaccesstokenauthorizer/_storage_client.py
+++ b/src/_secureaccesstokenauthorizer/_storage_client.py
@@ -34,7 +34,23 @@ from allmydata.interfaces import (
 @attr.s
 class SecureAccessTokenAuthorizerStorageClient(object):
     """
-    XXX
+    An implementation of the client portion of an access-token-based
+    authorization scheme on top of the basic Tahoe-LAFS storage protocol.
+
+    This ``IStorageServer`` implementation aims to offer the same storage
+    functionality as Tahoe-LAFS' built-in storage server but with an added
+    layer of token-based authorization for some operations.  The Python
+    interface exposed to application code is the same but the network protocol
+    is augmented with tokens which are automatically inserted by this class.
+    The tokens are interpreted by the corresponding server-side implementation
+    of this scheme.
+
+    :ivar _get_rref: A no-argument callable which retrieves the most recently
+        valid ``RemoteReference`` corresponding to the server-side object for
+        this scheme.
+
+    :ivar _get_tokens: A no-argument callable which retrieves some tokens
+        which can be used to authorize an operation.
     """
     _get_rref = attr.ib()
     _get_tokens = attr.ib()