From 436a35e9f647fcaa5ef27b48ef26b683440fcb40 Mon Sep 17 00:00:00 2001
From: Daniel Wagner-Hall <daniel@matrix.org>
Date: Mon, 9 Nov 2015 16:04:31 +0000
Subject: [PATCH] Document macaroon type=login

---
 drafts/macaroons_caveats.rst | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/drafts/macaroons_caveats.rst b/drafts/macaroons_caveats.rst
index 93622c3d..a7c1b036 100644
--- a/drafts/macaroons_caveats.rst
+++ b/drafts/macaroons_caveats.rst
@@ -25,10 +25,13 @@ Specified caveats:
 | gen         | Generation of the macaroon caveat spec.          | 1                                                                                              |
 | user_id     | ID of the user for which this macaroon is valid. | Pure equality check. Operator must be =.                                                       |
 | type        | The purpose of this macaroon.                    | access - used to authorize any action except token refresh                                     |
-|                                                                   refresh - only used to authorize a token refresh                                              |
+|             |                                                  | refresh - only used to authorize a token refresh                                               |
+|             |                                                  | login - issued as a very short-lived token by third party login flows; proves that             |
+|             |                                                  | authentication has happened but doesn't grant any privileges other than being able to be       |
+|             |                                                  | exchanged for other tokens.                                                                    |
 | time        | Time before/after which this macaroon is valid.  | A POSIX timestamp in milliseconds (in UTC).                                                    |
-|                                                                  Operator < means the macaroon is valid before the timestamp, as interpreted by the server.     |
-|                                                                  Operator > means the macaroon is valid after the timestamp, as interpreted by the server.      |
-|                                                                  Operator == means the macaroon is valid at exactly the timestamp, as interpreted by the server.|
-|                                                                  Note that exact equality of time is largely meaningless.                                       |
+|             |                                                  | Operator < means the macaroon is valid before the timestamp, as interpreted by the server.     |
+|             |                                                  | Operator > means the macaroon is valid after the timestamp, as interpreted by the server.      |
+|             |                                                  | Operator == means the macaroon is valid at exactly the timestamp, as interpreted by the server.|
+|             |                                                  | Note that exact equality of time is largely meaningless.                                       |
 +-------------+--------------------------------------------------+------------------------------------------------------------------------------------------------+