diff --git a/doc/webauth.md b/doc/webauth.md
index 42a847b9..0e8c4ce5 100644
--- a/doc/webauth.md
+++ b/doc/webauth.md
@@ -177,6 +177,7 @@ The flags are also comma separated values. Currently, the followings flag that a
* hidden-webview Starts the webview in hidden mode. See the web auth section for more details
* external Indicates that an internal webivew should NOT be used but instead a normal
browser is to be used.
+ * internal Indicates that the internal webview should be used if possible
In general websites should also report ovpn-webauth without `embedded=true` parameter to allow
clients without internal browser support to craft a url to open in an external browser that
@@ -329,6 +330,24 @@ User is not enrolled through the WEB client yet:
You must enroll this user in Authenticator first before you are allowed to retrieve a connection profile. (9008)
+Webauth fallback
+----------------
+This is used when the server is configured to use username/password as general
+authentication method but some users are setup to used the web based
+authentication method. Should a user that requires web based try to authenticate
+instead it will report an error:
+
+
+ Authorization Required
+ REST method failed
+ Ovpn-WebAuth: providername,flags
+
+
+The format and meaning of the Ovpn-WebAuth is identical to the one used in the
+detection of web based profile download. If the client encounters this error it
+should offer the user to continue to the import using the web based profile
+download method.
+
Challenge/response authentication
---------------------------------
The challenge/response protocol for the Rest web api mirrors the approach