diff --git a/README.md b/README.md
index 6d59e48..9db06b4 100644
--- a/README.md
+++ b/README.md
@@ -39,6 +39,20 @@ To authenticate `ghtool` with GitHub API, run:
ght login
```
+#### On required permissions
+
+The tool currently uses Github's OAuth device flow to authenticate users. To
+access workflow job logs through OAuth, which lacks fine-grained permissions,
+[the repo scope is required][job-logs-docs], granting scary amount of
+permissions. Github App auth flow enables more fine grained permissions, but
+doesn't seem to work1 in the case where someone else than you owns the
+repository that is queried. Incidentally, the official GitHub CLI, which I used
+as reference, also uses OAuth flow with the `repo` scope and more
+([link](https://github.com/raine/ghtool/assets/11027/c5b86639-07d0-4737-a2bc-519ead2f3b9f)).
+Feel free to reach out through issues if you know how to improve this.
+
+1: foo
+
## Usage
The tool is installed as executable `ght` for ease of use.
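Review bot: The footnote in the new "On required permissions" section is an unfinished placeholder: `work1` is not a rendered footnote marker and `1: foo` carries no content, so the statement that the GitHub App flow fails for repositories owned by someone else has no supporting detail. Either write the footnote with the failure that was observed (GitHub Markdown renders `[^1]` footnotes) or drop the marker. Since this section is where users decide whether to grant the token, replace "scary amount of permissions" with what the `repo` scope actually grants, which is full read and write access to the public and private repositories the user can reach. Smaller points: spell `GitHub` consistently, and give the screenshot link descriptive text instead of "link".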
@@ -171,10 +185,6 @@ $ NODE_ENV=test node ./node_modules/.bin/jest src/moduleA.test.ts src/moduleB.te
https://github.com/raine/ghtool/assets/11027/13a012ac-a854-48a0-b514-9fcbd02c02aa
-[crates-badge]: https://img.shields.io/crates/v/ghtool.svg
-[crates-url]: https://crates.io/crates/ghtool
-[build-badge]: https://github.com/raine/ghtool/actions/workflows/rust.yml/badge.svg
-
## Changelog
## Unreleased
@@ -185,3 +195,8 @@ https://github.com/raine/ghtool/assets/11027/13a012ac-a854-48a0-b514-9fcbd02c02a
- Renamed `typecheck` command to `build`.
- Renamed `tests` command to `test`.
+
+[crates-badge]: https://img.shields.io/crates/v/ghtool.svg
+[crates-url]: https://crates.io/crates/ghtool
+[build-badge]: https://github.com/raine/ghtool/actions/workflows/rust.yml/badge.svg
+[job-logs-docs]: https://docs.github.com/en/rest/actions/workflow-jobs?apiVersion=2022-11-28#download-job-logs-for-a-workflow-run
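Review bot: Only `[job-logs-docs]` is needed by the new permissions section; the three badge definitions (`[crates-badge]`, `[crates-url]`, `[build-badge]`) are moved here from the hunk above without any change, which is unrelated to documenting the OAuth scope. Mention the move in the commit message or split it into its own commit so the permissions change is easy to review on its own. The link definitions also follow the last changelog bullet directly, so a comment line or heading separating them from the "Unreleased" list would keep later changelog entries from being appended below them.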