From 611001c38333e36df94759a58bddfea6bdab5ae7 Mon Sep 17 00:00:00 2001 From: Lars Wirzenius Date: Sun, 30 Dec 2018 19:45:01 +0200 Subject: Add: note that effiweb keeps token --- architecture.mdwn | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/architecture.mdwn b/architecture.mdwn index 57f4fc3..5d6f07c 100644 --- a/architecture.mdwn +++ b/architecture.mdwn @@ -51,7 +51,9 @@ End-users are authenticated using the [OpenID Connect][] protocol, specifically the authorization code flow. In this flow, Qvisqve provides cryptographically signed access tokens, which identify the user and specify a list of things the user may do. The signature -guarantees the token comes from Qvisqve. +guarantees the token comes from Qvisqve. To prevent the access token +from leaking to the browser, effiweb keeps the token, and also manages +user sessions. Non-interactive API clients are authenticated using the [OAuth2][] protocol, specifically using client credential grants. This also -- cgit v1.2.1
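Review bot: the sentence added to the end-user authentication paragraph in architecture.mdwn (hunk @@ -51,7 +51,9 @@) says effiweb keeps the token and manages user sessions, but it does not say what the browser holds instead of the token or how a session is tied to the stored token. Once the token stays server-side, the session identifier is the credential the browser presents, so the architecture text should state what that identifier is and how it is protected and expired. If another section already covers this, a cross-reference is enough. It would also help to say where effiweb keeps the token and for how long, since the paragraph describes the token as listing what the user may do. Minor style point: "keeps the token, and also manages user sessions" reads better without the comma and "also".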