- // prefix). The anonymous token is OK to forward, because it gets
- // mapped to the local anonymous token automatically on the login
- // cluster.
+ // prefix). The anonymous token is OK to forward, because (unlike other
+ // local tokens for real users) the validation callback will return the
+ // locally issued anonymous user ID instead of a login-cluster user ID.
+ // That anonymous user ID gets mapped to the local anonymous user
+ // automatically on the login cluster.