From e95eafb2ba6b12d010b2b3c3e651424793ba2e72 Mon Sep 17 00:00:00 2001
From: Travis Ralston <travpc@gmail.com>
Date: Mon, 4 Nov 2019 15:17:51 -0700
Subject: [PATCH] Clarify that submit_url is without authentication

The request is authorized by its parameters, not by an additional access token.

Fixes https://github.com/matrix-org/matrix-doc/issues/2298
---
 api/client-server/administrative_contact.yaml             | 7 ++++---
 api/client-server/definitions/request_token_response.yaml | 6 +++---
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/api/client-server/administrative_contact.yaml b/api/client-server/administrative_contact.yaml
index 9a59cb6b4..fc231b602 100644
--- a/api/client-server/administrative_contact.yaml
+++ b/api/client-server/administrative_contact.yaml
@@ -157,9 +157,10 @@ paths:
                     An optional field containing a URL where the client must
                     submit the validation token to, with identical parameters
                     to the Identity Service API's ``POST
-                    /validate/email/submitToken`` endpoint. The homeserver must
-                    send this token to the user (if applicable), who should
-                    then be prompted to provide it to the client.
+                    /validate/email/submitToken`` endpoint (without the requirement
+                    for an access token). The homeserver must send this token to the
+                    user (if applicable), who should then be prompted to provide it
+                    to the client.
 
                     If this field is not present, the client can assume that
                     verification will happen without the client's involvement
diff --git a/api/client-server/definitions/request_token_response.yaml b/api/client-server/definitions/request_token_response.yaml
index e47db8a0b..45201a204 100644
--- a/api/client-server/definitions/request_token_response.yaml
+++ b/api/client-server/definitions/request_token_response.yaml
@@ -25,9 +25,9 @@ properties:
     description: |-
       An optional field containing a URL where the client must submit the
       validation token to, with identical parameters to the Identity Service
-      API's ``POST /validate/email/submitToken`` endpoint. The homeserver must
-      send this token to the user (if applicable), who should then be
-      prompted to provide it to the client.
+      API's ``POST /validate/email/submitToken`` endpoint (without the requirement
+      for an access token). The homeserver must send this token to the user (if
+      applicable), who should then be prompted to provide it to the client.
 
       If this field is not present, the client can assume that verification
       will happen without the client's involvement provided the homeserver