From c29dd690cca1f837ae3e79a8094eb421a30e5fa4 Mon Sep 17 00:00:00 2001 From: Christian Grothoff Date: Mon, 27 Jul 2020 11:10:28 +0200 Subject: fix spec: when which auth form is needed --- core/api-merchant.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/core/api-merchant.rst b/core/api-merchant.rst index 010eebb1..6424b79a 100644 --- a/core/api-merchant.rst +++ b/core/api-merchant.rst @@ -1375,8 +1375,8 @@ Payment processing **Request:** - :query h_contract=HASH: hash of the order's contract terms (this is used to authenticate the wallet/customer in case $ORDER_ID is guessable). Either this field or *token* is *mandatory*. - :query token=TOKEN: *Optional*. Authorizes the request via the claim token that was returned in the `PostOrderResponse`. Either this field or *h_contract* is *mandatory*. + :query h_contract=HASH: hash of the order's contract terms (this is used to authenticate the wallet/customer in case $ORDER_ID is guessable). Required once an order was claimed. + :query token=TOKEN: *Optional*. Authorizes the request via the claim token that was returned in the `PostOrderResponse`. Used with unclaimed orders only. Whether token authorization is required is determined by the merchant when the frontend creates the order. :query session_id=STRING: *Optional*. Session ID that the payment must be bound to. If not specified, the payment is not session-bound. :query timeout_ms=NUMBER: *Optional.* If specified, the merchant backend will wait up to ``timeout_ms`` milliseconds for completion of the payment before -- cgit v1.2.3
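Review bot: In the new `:query token=TOKEN:` line, the *Optional* marker now sits directly before "Whether token authorization is required is determined by the merchant", so the field reads as both optional and possibly required, while the new `:query h_contract=HASH:` line carries no marker at all, unlike `session_id` and `timeout_ms` below it. Suggest labelling both as conditional, for example "*Required* for claimed orders" on `h_contract` and "*Required* for unclaimed orders if the merchant requested token authorization when the order was created" on `token`. The removed "Either this field or ... is *mandatory*" wording was also the only statement covering a request that supplies neither parameter. Since the same line describes $ORDER_ID as possibly guessable, the spec should say what the backend returns when an unclaimed order created without token authorization is queried with neither parameter, and when a claimed order is queried with only *token*.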