diff --git a/changelogs/application_service/newsfragments/2037.clarification b/changelogs/application_service/newsfragments/2037.clarification new file mode 100644 index 00000000..f425b1c1 --- /dev/null +++ b/changelogs/application_service/newsfragments/2037.clarification @@ -0,0 +1 @@ +Add missing definition for how appservices verify requests came from a homeserver. diff --git a/specification/application_service_api.rst b/specification/application_service_api.rst index 865544dd..3220df2d 100644 --- a/specification/application_service_api.rst +++ b/specification/application_service_api.rst @@ -187,6 +187,15 @@ An example registration file for an IRC-bridging application service is below: Homeserver -> Application Service API ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Authorization ++++++++++++++ + +Homeservers MUST include a query parameter named ``access_token`` containing the +``hs_token`` from the application service's registration when making requests to +the application service. Application services MUST verify the provided ``access_token`` +matches their known ``hs_token``, failing the request with a ``M_FORBIDDEN`` error +if it does not match. + Legacy routes +++++++++++++
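Review bot: The new Authorization section in the `application_service_api.rst` hunk names the `M_FORBIDDEN` error code but not the HTTP status the application service should return with it, and it does not say what happens when the `access_token` query parameter is absent altogether rather than mismatched. Since this paragraph is the only normative text defining how an appservice authenticates a homeserver, it should state both explicitly, for example: "Application services MUST verify the provided ``access_token`` matches their known ``hs_token``, failing the request with a 403 ``M_FORBIDDEN`` error if it is missing or does not match." Without that, implementations will disagree on whether a missing token is an authentication failure or an unauthenticated request.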