diff --git a/README.md b/README.md index 4d58a8c..c3870ce 100644 --- a/README.md +++ b/README.md @@ -27,8 +27,10 @@ see `schema.py` and [Strawberry GraphQL documentation](https://strawberry.rocks/ ### Attribute based permissions -Assuming a zero trust deployment, the requesting user must have the correct claims to execute an operation - -to disable this during development (or if you operate the service in a trusted enviroment), remove the `permission_classes` parameter in all operations defined in `schema.py`. +Assuming a zero trust deployment, the requesting user must +have the correct claims to execute an operation - +to disable this during development (or if you operate the service in a trusted enviroment), +remove the `permission_classes` parameter in all operations defined in `schema.py`. These permissions must be a list stored in the access token under the key `config.AUTH_PERMISSIONS_KEY`, its values prefixed with `config.AUTH_OLS_PREFIX`. For example: @@ -39,6 +41,10 @@ claims = { } ``` +Strictly speaking this duplicates the permissions check already done by the broker, +and thus requests without required permissions don't even reach the microservice - +they've been rejected at the broker level. + ### JWT signature algorithm For security reasons the JWT signature algorithm must be a member of
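Review bot: The reflowed `+` lines in the first hunk carry the existing typo `enviroment` (second added line, "operate the service in a trusted enviroment"); since these lines are being rewritten anyway, correct it to `environment`. The same span would also read better split at the dash, e.g. "...must have the correct claims to execute an operation. To disable this during development (or if you operate the service in a trusted environment), remove the `permission_classes` parameter...", so the wrapped lines each end on a complete clause.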
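Review bot: The new paragraph in the second hunk ("Strictly speaking this duplicates the permissions check already done by the broker...") states the duplication without saying whether the service-level check is intentionally kept, which invites readers to treat it as redundant and remove it; the section above only permits removing `permission_classes` in development or a trusted environment. Suggest adding one sentence making the intent explicit, e.g. "The check is kept in the service as defense in depth for the zero trust case, where the microservice must not rely on the broker having enforced it.", so the README's own "Assuming a zero trust deployment" premise and this note stay consistent.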