diff --git a/src/node/db/SecurityManager.js b/src/node/db/SecurityManager.js
index dbc8d6f6d..d0fc6645a 100644
--- a/src/node/db/SecurityManager.js
+++ b/src/node/db/SecurityManager.js
@@ -30,7 +30,10 @@ var authLogger = log4js.getLogger("auth");
  * This function controlls the access to a pad, it checks if the user can access a pad.
  * @param padID the pad the user wants to access
  * @param sessionCookie the session the user has (set via api)
- * @param token the token of the author (randomly generated at client side, used for public pads)
+ * @param token a random token representing the author, of the form
+ *              t.randomstring_of_lenght_20. The random string is generated by
+ *              the client.
+ *              Used for every pad in the web UI. Not used for the HTTP API.
  * @param password the password the user has given to access this pad, can be null
  * @return {accessStatus: grant|deny|wrongPassword|needPassword, authorID: a.xxxxxx})
  */