From ca8a3698ea865e2621b71847a91025c375f5ca33 Mon Sep 17 00:00:00 2001 From: Mike Helmick Date: Tue, 1 Dec 2020 17:05:02 -0800 Subject: [PATCH] update docs around sending chaff requests --- docs/api.md | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/docs/api.md b/docs/api.md index ca7594987..6717103a4 100644 --- a/docs/api.md +++ b/docs/api.md @@ -314,13 +314,28 @@ past). In addition to "real" requests, the server also accepts chaff (fake) requests. These can be used to obfuscate real traffic from a network observer or server -operator. To initiate a chaff request, set the `X-Chaff` header on your request: +operator. + +Chaff requests: + +* MUST resent the `X-API-Key` header with a valid API key (oterwise you will + get an authorized error) +* MUST be sent via a `POST` requesxt, otherwise you will get an invalid method + error +* SHOULD send a valid JSON body with padding out to the same size as the rest + of the client requests so that chaff requests appear the same size + on the wire as valid requests. + +To initiate a chaff request, set the `X-Chaff` header on your request: ```sh -curl https://example.encv.org/api/endpoint \ +curl https://apiserver.example.com/api/verify \ + --header "x-api-key: YOUR-API-KEY" \ --header "content-type: application/json" \ --header "accept: application/json" \ - --header "x-chaff: 1" + --header "x-chaff: 1" \ + --request POST \ + --data '{"padding":"base64 encoded padding"}' ``` The client should still send a real request with a real request body (the body
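Review bot: The new "Chaff requests:" bullet list has typos that change or obscure the requirements, and they should be fixed before this lands. "MUST resent the `X-API-Key` header" presumably means "present" or "send". "oterwise you will get an authorized error" should read "otherwise", and most likely "unauthorized", since as written it says the opposite of what a missing key would produce. "`POST` requesxt" should be "request". On the SHOULD bullet, the text asks clients to pad "out to the same size as the rest of the client requests" but gives no target size or way to derive it, and the curl example sends the literal string "base64 encoded padding" as the value. Consider marking that value as a placeholder and saying how a client should choose the padding length, because a chaff body that is visibly shorter than real requests defeats the stated goal of looking the same on the wire. Also check that the unchanged sentence after the code block ("The client should still send a real request with a real request body") still agrees with the padding-only body in the new example.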