diff --git a/doc/authentication.md b/doc/authentication.md
index ac992ae..a9a2963 100644
--- a/doc/authentication.md
+++ b/doc/authentication.md
@@ -1,6 +1,11 @@
 # Authentication
 
-Zap supports both Basic and Bearer authentication. 
+Zap supports both Basic and Bearer authentication which are based on HTTP
+headers.
+
+For a cookie-based ("session token", not to mistake for "session cookie")
+authentication, see the [UserPassSessionAuth](../src/http_auth.zig#L312) and its
+[example](../examples/userpass_session_auth/).
 
 For convenience, Authenticator types exist that can authenticate requests.