SCOPE: document possible need to iterate on auth

SCOPE.md

@@ -67,3 +67,13 @@ Any additional development though would be done within the extension itself. Suc
 If not already explicitly included above, any existing action API modules that are intended for use with other action API modules, such as those provided by MediaWiki core, are excluded from the scope of this specification.
 
 For example the `entityterms` module which can be combined with other MediaWiki page lookups to retrieve terms of a connected entity from something like pageid or category list.
+
+## Acknowledged (possible) need for follow-ups
+
+### Authentication
+
+This proposal envisages authentication through the use of HTTP headers. Clients must be crafted in a way that they are in possession of a token and actively send it as part of the requests they perform.
+
+Authentication through cookies is not supported in this proposal and client software can not passively rely on a user agent to maintain login state across requests. This renders [CSRF](https://en.wikipedia.org/wiki/Cross-site_request_forgery) attacks impossible and eliminates the need for "CSRF tokens" to be embedded into request bodies.
+
+This proposal does not elaborate how clients can reach possession of such a token and a decision if an exclusive binding to [OAuth](https://www.mediawiki.org/wiki/OAuth/For_Developers) is desired or feasible in the current state has not been reached.