diff --git a/README.md b/README.md index abcd781..cbf420b 100644 --- a/README.md +++ b/README.md @@ -34,7 +34,25 @@ The usual instructions on how to setup an https proxy should be followed. Access is granting/denied based on realms. There are two reserved realms, all other realms can be used by the users: -* ungleich-admin: realm?? +### Reserved realms + +Conceptually the realms "ungleich-admin" and "ungleich-auth" are +reserved for higher priviliged applications. + +Usually there is only 1 entry in ungleich-admin that is used to +bootstrap and manage ungleich-otp. + +All micro services that are trusted to authenticate another micro +service should have an entry in the ungleich-auth realm, which allows +them to verify a token of somebody else. + + +| Name | Capabilities | +|------------------+--------------------------------------------| +| ungleich-admin | authenticate, create, delete, list, update | +| ungleich-auth | authenticate | +| all other realms | NO ACCESS | + ## Status ##
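Review bot: In the new capabilities table, the row "| all other realms | NO ACCESS |" reads as contradicting the unchanged context line just above the hunk, "all other realms can be used by the users". Please say what is being denied (presumably the ungleich-otp management and verification operations listed for the two reserved realms), so that a reader does not conclude that ordinary realms are unusable. The text for ungleich-auth says its entries may "verify a token of somebody else", while the table lists the capability as "authenticate"; use one term in both places, or add a sentence mapping one to the other, since this table is what readers will treat as the authorization model. Minor points: "priviliged" should be "privileged"; the separator row "|------------------+----...|" uses "+" as the column divider, which a Markdown renderer will not treat as a table delimiter in README.md, so it should be "|---|---|"; and there are two consecutive blank lines before the table.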