diff --git a/src/_zkapauthorizer/_storage_server.py b/src/_zkapauthorizer/_storage_server.py
index fa9aedb748d624558834b727e7db6a9a4a03629d..8bae23d92c31d59ee4405d3ccfca4c0c09f30d51 100644
--- a/src/_zkapauthorizer/_storage_server.py
+++ b/src/_zkapauthorizer/_storage_server.py
@@ -49,7 +49,7 @@ from privacypass import (
     SigningKey,
 )
 from .foolscap import (
-    RITokenAuthorizedStorageServer,
+    RIPrivacyPassAuthorizedStorageServer,
 )
 from .storage_common import (
     BYTES_PER_PASS,
@@ -85,7 +85,7 @@ class MorePassesRequired(Exception):
         return repr(self)
 
 
-@implementer_only(RITokenAuthorizedStorageServer, IReferenceable, IRemotelyCallable)
+@implementer_only(RIPrivacyPassAuthorizedStorageServer, IReferenceable, IRemotelyCallable)
 # It would be great to use `frozen=True` (value-based hashing) instead of
 # `cmp=False` (identity based hashing) but Referenceable wants to set some
 # attributes on self and it's hard to avoid that.
diff --git a/src/_zkapauthorizer/foolscap.py b/src/_zkapauthorizer/foolscap.py
index 213eca4476aed796fa4ba166014a7e4fcd6a75ac..cd605c07732fe6f55f6cb0905586ee749e66026e 100644
--- a/src/_zkapauthorizer/foolscap.py
+++ b/src/_zkapauthorizer/foolscap.py
@@ -18,34 +18,32 @@ from allmydata.interfaces import (
 )
 
 # The Foolscap convention seems to be to try to constrain inputs to valid
-# values.  So we'll try to limit the number of tokens a client can supply.
+# values.  So we'll try to limit the number of passes a client can supply.
 # Foolscap may be moving away from this so we may eventually drop this as
 # well.  Though it may still make sense on a non-Foolscap protocol (eg HTTP)
 # which Tahoe-LAFS may eventually support.
 #
 # In any case, for now, pick some fairly arbitrary value.  I am deliberately
 # picking a small number here and expect to have to raise.  However, ideally,
-# a client could accomplish a lot with a few tokens while also not wasting a
+# a client could accomplish a lot with a few passes while also not wasting a
 # lot of value.
-MAXIMUM_TOKENS_PER_CALL = 10
+MAXIMUM_PASSES_PER_CALL = 10
 
-# This is the length of a serialized Ristretto-flavored PrivacyPass pass
-# (there's a lot of confusion between "tokens" and "passes" here, sadly).
-#
-# The pass is a combination of base64-encoded token preimages and unblinded
-# token signatures.
-TOKEN_LENGTH = 177
+# This is the length of a serialized Ristretto-flavored PrivacyPass pass The
+# pass is a combination of token preimages and unblinded token signatures,
+# each base64-encoded.
+PASS_LENGTH = 177
 
 # Take those values and turn them into the appropriate Foolscap constraint
 # objects.  Foolscap seems to have a convention of representing these as
 # CamelCase module-level values so I replicate that here.
-Token = ByteStringConstraint(maxLength=TOKEN_LENGTH, minLength=TOKEN_LENGTH)
-TokenList = ListOf(Token, maxLength=MAXIMUM_TOKENS_PER_CALL)
+Pass = ByteStringConstraint(maxLength=PASS_LENGTH, minLength=PASS_LENGTH)
+PassList = ListOf(Pass, maxLength=MAXIMUM_PASSES_PER_CALL)
 
 
-def add_tokens(schema):
+def add_passes(schema):
     """
-    Add a ``tokens`` parameter to the given method schema.
+    Add a ``passes`` parameter to the given method schema.
 
     :param foolscap.remoteinterface.RemoteMethodSchema schema: An existing
         method schema to modify.
@@ -53,7 +51,7 @@ def add_tokens(schema):
     :return foolscap.remoteinterface.RemoteMethodSchema: A schema like
         ``schema`` but with one additional required argument.
     """
-    return add_arguments(schema, [(b"tokens", TokenList)])
+    return add_arguments(schema, [(b"passes", PassList)])
 
 
 def add_arguments(schema, kwargs):
@@ -88,33 +86,33 @@ def add_arguments(schema, kwargs):
 
 
 
-class RITokenAuthorizedStorageServer(RemoteInterface):
+class RIPrivacyPassAuthorizedStorageServer(RemoteInterface):
     """
-    An object which can store and retrieve shares, subject to token-based
+    An object which can store and retrieve shares, subject to pass-based
     authorization.
 
     This is much the same as ``allmydata.interfaces.RIStorageServer`` but
-    several of its methods take an additional ``tokens`` parameter.  Clients
-    are expected to supply suitable tokens and only after the tokens have been
+    several of its methods take an additional ``passes`` parameter.  Clients
+    are expected to supply suitable passes and only after the passes have been
     validated is service provided.
     """
     __remote_name__ = (
-        "RITokenAuthorizedStorageServer.tahoe.privatestorage.io"
+        "RIPrivacyPassAuthorizedStorageServer.tahoe.privatestorage.io"
     )
 
     get_version = RIStorageServer["get_version"]
 
-    allocate_buckets = add_tokens(RIStorageServer["allocate_buckets"])
+    allocate_buckets = add_passes(RIStorageServer["allocate_buckets"])
 
-    add_lease = add_tokens(RIStorageServer["add_lease"])
+    add_lease = add_passes(RIStorageServer["add_lease"])
 
-    renew_lease = add_tokens(RIStorageServer["renew_lease"])
+    renew_lease = add_passes(RIStorageServer["renew_lease"])
 
     get_buckets = RIStorageServer["get_buckets"]
 
     slot_readv = RIStorageServer["slot_readv"]
 
-    slot_testv_and_readv_and_writev = add_tokens(
+    slot_testv_and_readv_and_writev = add_passes(
         RIStorageServer["slot_testv_and_readv_and_writev"],
     )
 
diff --git a/src/_zkapauthorizer/tests/matchers.py b/src/_zkapauthorizer/tests/matchers.py
index c54c99067b80438f119edbc9521b9d1e84d87499..bcb4edbd37f4e8a5642405cf070e20f1d805b213 100644
--- a/src/_zkapauthorizer/tests/matchers.py
+++ b/src/_zkapauthorizer/tests/matchers.py
@@ -47,7 +47,7 @@ def matches_version_dictionary():
     """
     Match the dictionary returned by Tahoe-LAFS'
     ``RIStorageServer.get_version`` which is also the dictionary returned by
-    our own ``RITokenAuthorizedStorageServer.get_version``.
+    our own ``RIPrivacyPassAuthorizedStorageServer.get_version``.
     """
     return ContainsDict({
         # It has these two top-level keys, at least.  Try not to be too