diff --git a/public/swagger/swagger.yaml b/public/swagger/swagger.yaml index fb55ea8..e4113ae 100644 --- a/public/swagger/swagger.yaml +++ b/public/swagger/swagger.yaml @@ -49,3 +49,87 @@ components: status: type: string example: "ok" + + securitySchemes: + token: + type: apiKey + description: | + Disabled by default but required by all endpoints when enabled + + Provided as AES-GCM 12-byte-padded ciphertext on all unauthorized requests via the header "Set-Cookie:New-DnDex-Auth=encode-token" + +
+ + [Code example of decrypting a token in Javascript](https://notes-server.remote.blapointe.com/notes/disciplines/tech/languages/Encryption.md#toc_1) + + ```javascript + class NewAuthToken { + constructor(key) { + if (!key) { + throw "invalid key" + } + this.key = key.repeat(32).substr(0, 32) + } + + decode(b64, callback) { + var ciphertext = this.base64_decode(b64) + + var iv = ciphertext.substr(0, 12) + var encrypted = ciphertext.substr(iv.length, ciphertext.length-iv.length) + + this.get_crypto_key() + .then(function(crypto_key) { + NewAuthToken.decrypt(crypto_key, iv, encrypted, callback) + }) + } + + base64_decode(b64) { + return atob(b64) + } + + static to_buffer(s) { + var bytes = new Uint8Array(s.length) + for (var i = 0; i < s.length; i++) { + bytes[i] = s.charCodeAt(i) + } + return bytes.buffer + } + + static decrypt(crypto_key, iv, encrypted, callback) { + window.crypto.subtle.decrypt( + {name: "AES-GCM", iv: NewAuthToken.to_buffer(iv)}, + crypto_key, + NewAuthToken.to_buffer(encrypted), + ) + .then(function(decrypted) { + callback(String.fromCharCode.apply(null, new Uint8Array(decrypted))) + }) + } + + get_crypto_key() { + return crypto.subtle.importKey( + "raw", + NewAuthToken.to_buffer(this.key), + "AES-GCM", + false, + ["decrypt"] + ) + } + + set_token(encoded_token) { + this.decode(encoded_token, function (token) { + console.log("Set-Cookie DnDex-Auth="+token) + document.cookie = "DnDex-Auth=" + token + ";path=/" + }) + } + } + + authtoken = new NewAuthToken("123").set_token("SOY05yF/9iv3YG71sKkQPVaEwO53PCX8qZhDHS9JUohBgVl5Qr9/GTKK/TJ6OozhHN7QBIGmHNzQxTRRSLs4Lw==") + ``` +
+ name: DnDex-Auth + in: cookie + +security: +- {} +- token: []
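Review bot: The example's `set_token` callback writes the decrypted token to `document.cookie` with only `path=/`, and the `console.log` directly above it prints the secret to the browser console; since this cookie has to be readable by script (it cannot be HttpOnly), the example should at least set the remaining attributes, `document.cookie = "DnDex-Auth=" + token + ";path=/;Secure;SameSite=Strict"`, and drop the log line. The `decode` and `decrypt` promise chains have no `.catch`, so a wrong key or a tampered ciphertext (AES-GCM tag check failure) surfaces only as an unhandled rejection and `callback` is never invoked; a `.catch(function (err) { console.error("token decrypt failed", err) })` on the `decrypt` chain (or a second failure callback) would make that visible. The key derivation `key.repeat(32).substr(0, 32)` stretches a short string such as the `"123"` used at the bottom of the example to 32 bytes without adding any entropy, so the description should state that the key must be a full 32-byte secret rather than a short passphrase — how the server actually generates it is not visible in this hunk. Finally, the description calls the 12-byte prefix "padded" while the code treats `ciphertext.substr(0, 12)` as the AES-GCM IV, so `Provided as AES-GCM ciphertext prefixed with a 12-byte IV` would describe the format more accurately.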