cs3org · glpatcern · Jan 14, 2026 · Jan 12, 2026 · Jan 12, 2026
diff --git a/IETF-RFC.md b/IETF-RFC.md
@@ -1110,9 +1110,13 @@ protocol required for access.  The procedure is as follows:
 3.1. If it includes `must-exchange-token`, the receiver MUST make a
      signed POST request to the path in the Sending Server’s
      {tokenEndPoint}, to exchange the `protocol.webdav.sharedSecret`
-     token for a short-lived bearer token, and then use that bearer
+     token for a short-lived bearer token, and only use that bearer
      token to access the Resource (See the [Code Flow](#code-flow)
-     section).
+     section).  If the `must-exchange-token` requirement is not present
+     and the Discovery endpoint inspected at step 1. exposes the
+     `token-exchange` capability, the receiver MAY attempt to perform
+     the token exchange as above, but it MUST fall back to the following
+     steps should the process fail.
 3.2. If it includes `must-use-mfa`, the Receiving Server MUST ensure
      that the Receiving Party has been authenticated with MFA, or prompt
      the consumer in order to elevate their session, if applicable.