diff --git a/proposals/2140-terms-of-service-2.md b/proposals/2140-terms-of-service-2.md
index ed1269a9..00a6ba52 100644
--- a/proposals/2140-terms-of-service-2.md
+++ b/proposals/2140-terms-of-service-2.md
@@ -77,9 +77,13 @@ API, as specified in [MSC1961](https://github.com/matrix-org/matrix-doc/issues/1
 
 When clients supply an identity server to the Homeserver in order for the Homeserver
 to make calls to the IS on its behalf, it must also supply its access token for the
-Identity Server either as the `is_token` query parameter or a bearer token in the
-`X-Identity-Authorization` HTTP header with the same syntax as an `Authorizationn`
-header.
+Identity Server alongside in the `is_token` key of the same JSON object. That is,
+in the main request object for a `requestToken` request and in the `threepidCreds`
+object when supplying 3PID credentials (eg. in the `m.email.identity` UI auth stage).
+Exxceptions to this are any requests where the only IS operation the Homeserver may
+perform is unbinding, ie. `/_matrix/client/r0/account/deactivate` and
+`/_matrix/client/r0/account/3pid/delete`, in which case the unbind is authenticated
+by a signed request from the Homeserver.
 
 ### IS Register API