diff --git a/authserv/server.py b/authserv/server.py
index 29c8c2e78c2188f23efa4e120355865f38e85110..1e45bb9c018e3441e7c8785794998bcf6aec7f22 100644
--- a/authserv/server.py
+++ b/authserv/server.py
@@ -20,6 +20,16 @@ def _auth(username, service, shard, password, otp_token, source_ip):
     return auth.authenticate(user, service, password, otp_token)
 
 
+# Quick clarification on the rate limits: 'username' is the one that's
+# going to be used all the time, while the X-Forwarded-For header on
+# the request is only going to be present for those authentication
+# requests where we have knowledge of the original users' IP (remember
+# that 'source_ip' can sometimes be the server address or localhost).
+# For instance, authentication requests that come from PAM usually do
+# not have knowledge of the users' IP address, as the protocols for
+# which we use PAM handlers do not support forwarding of the IP
+# address. So we're practically only going to use X-Forwarded-For for
+# requests that reach our frontends via HTTP.
 @app.route('/api/1/auth', methods=('POST',))
 @ratelimit_http_request(key_from_request(header='HTTP_X_FORWARDED_FOR'),
                         count=10, period=60)
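Review bot: The new comment explains when X-Forwarded-For is present but not why its value can be trusted as a rate-limit key, which is the security-relevant assumption behind the `key_from_request(header='HTTP_X_FORWARDED_FOR')` decorator two lines below it. Unless the frontend proxy overwrites the header (or this endpoint is reachable only from those frontends), the header is client-controlled and a limiter keyed on it can be sidestepped by varying its value, so the comment should record that precondition, e.g. `# NOTE: X-Forwarded-For is only a meaningful rate-limit key because our frontends set/overwrite it; it must not be trusted from arbitrary clients.` The comment also leaves unstated what key the limiter uses when the header is absent (the PAM case it describes); a sentence like `# When the header is missing, key_from_request falls back to <describe behaviour>` would save the next reader a trip into ratelimit_http_request — I could not confirm that behaviour from this hunk. The decorated handler's definition begins outside the hunk.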