From 21b9eaf8de06d2562c6326dedda66e334f03d6b0 Mon Sep 17 00:00:00 2001
From: David Baker <dave@matrix.org>
Date: Wed, 26 Jun 2019 17:56:41 +0100
Subject: [PATCH] No custom HTTP headers

Use the obvious way: in the same place as the ID server address
---
 proposals/2140-terms-of-service-2.md | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/proposals/2140-terms-of-service-2.md b/proposals/2140-terms-of-service-2.md
index ed1269a91..00a6ba525 100644
--- a/proposals/2140-terms-of-service-2.md
+++ b/proposals/2140-terms-of-service-2.md
@@ -77,9 +77,13 @@ API, as specified in [MSC1961](https://github.com/matrix-org/matrix-doc/issues/1
 
 When clients supply an identity server to the Homeserver in order for the Homeserver
 to make calls to the IS on its behalf, it must also supply its access token for the
-Identity Server either as the `is_token` query parameter or a bearer token in the
-`X-Identity-Authorization` HTTP header with the same syntax as an `Authorizationn`
-header.
+Identity Server alongside in the `is_token` key of the same JSON object. That is,
+in the main request object for a `requestToken` request and in the `threepidCreds`
+object when supplying 3PID credentials (eg. in the `m.email.identity` UI auth stage).
+Exxceptions to this are any requests where the only IS operation the Homeserver may
+perform is unbinding, ie. `/_matrix/client/r0/account/deactivate` and
+`/_matrix/client/r0/account/3pid/delete`, in which case the unbind is authenticated
+by a signed request from the Homeserver.
 
 ### IS Register API