diff --git a/drafts/as-http-api.rst b/drafts/as-http-api.rst
index 2fb9aed2..727a5ff9 100644
--- a/drafts/as-http-api.rst
+++ b/drafts/as-http-api.rst
@@ -156,6 +156,8 @@ Linking ``[Draft]``
    user they claim to be? If we force an IS lookup, then this would resolve on its
    own as anyone who wants to talk to the virtual user will do a lookup before trying
    the application service...
+ - In other words, what is preventing ``@bob:matrix.org`` masquerading as 
+   ``@.irc.freenode.alice:matrix.org``?
 
 Clients may want to link their matrix user ID to their virtual user ID. This
 API allows the AS to do this, so messages sent from the AS are sent as the client's
@@ -186,6 +188,21 @@ Notes:
    pushed.
  - The generated access token MUST honour the restrictions laid out by the 
    client.
+   
+::
+
+ PUT /appservices/$virtual_user_id?access_token=$token
+ 
+ Request format
+ {
+   restrictions: {
+     expires_in: 3600,
+     rooms: [
+      "!fl3rwfehw:matrix.org",
+      "!fwet2yugs:matrix.org"
+     ]
+   }
+ }
 
 To revoke permission for an application service to masquerade as a user:
 
@@ -198,6 +215,11 @@ Output:
 Side effects:
  - The home server invalidate all access tokens for this user ID / AS combo
    and push this invalidation to the application service if this response 200s.
+   
+::
+
+ DELETE /appservices/$virtual_user_id?access_token=$token
+
 
 Client-Server v2 API Extensions
 -------------------------------