From b8a7ff6e578420395abf5d34af71eabd377f1aba Mon Sep 17 00:00:00 2001
From: Frederik Prijck <frederik.prijck@auth0.com>
Date: Tue, 1 Apr 2025 08:59:04 +0200
Subject: [PATCH] Add note about access-token endpoint to README

---
 README.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/README.md b/README.md
index 131bf9c5b..63fd65b33 100644
--- a/README.md
+++ b/README.md
@@ -158,6 +158,9 @@ The SDK mounts 6 routes:
 5. `/auth/access-token`: the route to check the user's session and return an access token (which will be automatically refreshed if a refresh token is available)
 6. `/auth/backchannel-logout`: the route that will receive a `logout_token` when a configured Back-Channel Logout initiator occurs
 
+> [!IMPORTANT]  
+> The `/auth/access-token` route is enabled by default, but is only neccessary when the access token is needed in the client. If this isn't something you need, you can disable this endpoint by setting `enableAccessTokenEndpoint` to `false`.
+
 ## Feedback
 
 ### Contributing