From db83b78f2d9deeca1caeeaa4bf27b630fab84b53 Mon Sep 17 00:00:00 2001 From: Chris Lu Date: Thu, 6 Jun 2019 00:28:25 -0700 Subject: [PATCH] Updated Security Overview (markdown) --- Security-Overview.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/Security-Overview.md b/Security-Overview.md index eb0f892..8f3985f 100644 --- a/Security-Overview.md +++ b/Security-Overview.md @@ -55,4 +55,10 @@ JWT Summary: * JWT is valid for 10 seconds. * JWT only has permission to create/modify/delete one fileId. * The volume server HTTP access is only for read, and only if the fileId is known. There are no way to iterate all files. -* All other volume server HTTP accesses are disabled when `jwt.signing` is enabled. \ No newline at end of file +* All other volume server HTTP accesses are disabled when `jwt.signing` is enabled. + +## JWT for Read Access Control +The volume server can also check JWT for reads. This mode does not work with `weed filer`. But this could be useful if the volume server is exposed to public and you do not want anyone to access it with a URL, e.g., paid content. + +* To enable it, set the `jwt.signing.read.key` in `security.toml` file. +* To obtain a JWT for read, the JWT can be read from the response header `Authorization` of `http://:/dir/lookup?fileId=xxxxx&read=yes`. \ No newline at end of file
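Review bot: the last added bullet in the "JWT for Read Access Control" hunk leaves the endpoint with an empty host and port (`http://:/dir/lookup?fileId=xxxxx&read=yes`) and does not say which server answers `/dir/lookup`; spell out the placeholder and the server, e.g. `http://<master-host>:<port>/dir/lookup?fileId=xxxxx&read=yes`. The same bullet also needs a sentence on the trust boundary: anyone who can reach that lookup URL with `read=yes` receives a read token in the `Authorization` response header, so the lookup endpoint itself must not be reachable from the public that `jwt.signing.read.key` is meant to keep out, otherwise the read key adds no protection for the "paid content" case the paragraph describes. Finally, the existing summary states a 10 second validity for the write JWT but the new section says nothing about how long a read JWT stays valid or whether it is bound to one `fileId` like the write token; state both so readers can judge how far a leaked read token travels.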