diff --git a/src/_zkapauthorizer/controller.py b/src/_zkapauthorizer/controller.py
index 5348713dbd54d193312df82f7216be7bd1d93594..285e721b2542180eeeb64432b6b9220e59a26975 100644
--- a/src/_zkapauthorizer/controller.py
+++ b/src/_zkapauthorizer/controller.py
@@ -222,6 +222,8 @@ class RistrettoRedeemer(object):
         ))
 
     def tokens_to_passes(self, message, unblinded_tokens):
+        # XXX Here's some more of the privacypass dance.  Something needs to
+        # know to call this, I guess?  Also it's untested as heck.
         clients_preimages = list(
             token.preimage()
             for token