diff --git a/changelogs/client_server/newsfragments/2042.clarification b/changelogs/client_server/newsfragments/2042.clarification
new file mode 100644
index 000000000..4e17b99fa
--- /dev/null
+++ b/changelogs/client_server/newsfragments/2042.clarification
@@ -0,0 +1 @@
+Clarify that login flows are meant to be completed in order.
diff --git a/specification/client_server_api.rst b/specification/client_server_api.rst
index 6efe1f52c..6c2e364a8 100644
--- a/specification/client_server_api.rst
+++ b/specification/client_server_api.rst
@@ -406,8 +406,10 @@ an additional stage. This exchange continues until the final success.
 
 For each endpoint, a server offers one or more 'flows' that the client can use
 to authenticate itself. Each flow comprises a series of stages, as described
-above. The client is free to choose which flow it follows. When all stages in a
-flow are complete, authentication is complete and the API call succeeds.
+above. The client is free to choose which flow it follows, however the flow's
+stages must be completed in order. Failing to follow the flows in order must
+result in an HTTP 401 response, as defined below. When all stages in a flow
+are complete, authentication is complete and the API call succeeds.
 
 User-interactive API in the REST API
 <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<