diff --git a/Design:-multiuser.md b/Design:-multiuser.md index cbab487..0beb1b6 100644 --- a/Design:-multiuser.md +++ b/Design:-multiuser.md @@ -17,3 +17,14 @@ Need to investigate choices for authentication mechanism between a client and th Is OAuth 2.0 - Resource Owner Password Credentials Grant (RFC 6749, Section 4.3) - a good starting point? +--- + +Currently developing this in my knolleary/node-red fork under the auth branch. + +When enabled, all api requests must provide a valid access token in the Authorization header. The header is obtained by posting to '/auth/token', providing username, password, client_id, client_secret and scope. + + - should we use refresh tokens as well as access tokens? + - how to tie it into 'httpAdminAuth'? + - how to plug in multiple users? + - how to do 3rd party oauth auth? + - websocket connection auth
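Review bot: The sentence "The header is obtained by posting to '/auth/token'" in the added paragraph is imprecise and should say that the access token is obtained there and then sent by the client as the Authorization header; the design note should also state the token type (e.g. Bearer) and expected lifetime, since the question "should we use refresh tokens as well as access tokens?" cannot be answered without knowing how long an access token is valid and how it is revoked. Because the endpoint accepts username, password, client_id and client_secret in one request (the Resource Owner Password Credentials grant referenced just above the hunk), the design should say which clients are expected to hold a client_secret (a browser-based editor cannot keep one confidential) and note that the endpoint must only be exposed over TLS, as credentials travel in the request body. Consider adding "token expiry and revocation" and "transport security" to the open-questions list alongside "websocket connection auth".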