diff --git a/src/_zkapauthorizer/foolscap.py b/src/_zkapauthorizer/foolscap.py
index 224614dc7649ee80d3d2bec04eacee90ce749112..213eca4476aed796fa4ba166014a7e4fcd6a75ac 100644
--- a/src/_zkapauthorizer/foolscap.py
+++ b/src/_zkapauthorizer/foolscap.py
@@ -29,9 +29,12 @@ from allmydata.interfaces import (
 # lot of value.
 MAXIMUM_TOKENS_PER_CALL = 10
 
-# This is the length of a serialized PrivacyPass pass (there's a lot of
-# confusion between "tokens" and "passes" here, sadly).
-TOKEN_LENGTH = 97
+# This is the length of a serialized Ristretto-flavored PrivacyPass pass
+# (there's a lot of confusion between "tokens" and "passes" here, sadly).
+#
+# The pass is a combination of base64-encoded token preimages and unblinded
+# token signatures.
+TOKEN_LENGTH = 177
 
 # Take those values and turn them into the appropriate Foolscap constraint
 # objects.  Foolscap seems to have a convention of representing these as