X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/505c8fa50631201e289cc55230d46fdf52fa2055..ffc3c0e5e8fc513d0489f4493652ae7a7de42ece:/doc/admin/scoped-tokens.html.textile.liquid

diff --git a/doc/admin/scoped-tokens.html.textile.liquid b/doc/admin/scoped-tokens.html.textile.liquid
index 18578a78d6..de09b42615 100644
--- a/doc/admin/scoped-tokens.html.textile.liquid
+++ b/doc/admin/scoped-tokens.html.textile.liquid
@@ -36,6 +36,8 @@ Object update calls use the @PATCH@ method.  A scope of @["PATCH", "/arvados/v1/
 
 Similarly, you can use a scope of @["PATCH", "/arvados/v1/collections/zzzzz-4zz18-0123456789abcde"]@ to restrict updates to a single collection.
 
+There is one special exception to the scope rules: a valid token is always allowed to issue a request to "@GET /arvados/v1/api_client_authorizations/current@":{{ site.baseurl }}/api/methods/api_client_authorizations.html#current regardless of its scopes. This allows clients to reliably determine whether a request failed because a token is invalid, or because the token is not permitted to perform a particular request. The API server itself needs to be able to do this to validate tokens issued by other clusters in a federation.
+
 h2. Creating a scoped token
 
 A scoped token can be created at the command line: