diff --git a/readme.md b/readme.md index 12d5e604..d3955d41 100644 --- a/readme.md +++ b/readme.md @@ -14,9 +14,9 @@ ## Required Server Security -There are a few critical security measures that **MUST** be taken when running this PayID server implementation. +Here are several critical security measures you MUST implement when running this PayID server implementation: -### TLS +### TLS (Transport Layer Security) TLS is a **requirement** for PayID. This PayID server implementation does not include TLS out-of-the-box, so it must be configured. @@ -24,6 +24,10 @@ For instructions on configuring TLS with an NGINX reverse proxy for PayID, go [h For PayID security best practices, go [here](https://dev.docs.payid.org/docs/payid-best-practices). +### Private API + +The Private API does not currently include authentication. Therefore, this API MUST only be exposed to trusted IP ranges, and MUST NOT be exposed publicly. + ## 4. PayID integration and the PayID APIs You can deploy your own PayID server and then create PayIDs for your users using the PayID Private API. You can also query and modify this list of users. This API should be exposed internally only, so that only your company's systems can update PayID mappings.
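Review bot: In the first hunk, the rewritten intro line drops the bold on MUST and the TLS paragraph that follows still says "it must be configured" in lowercase, so the requirement keywords are now inconsistent within the same section. Suggest keeping the emphasis (`**MUST**`) and using the uppercase keyword in the TLS sentence as well, e.g. "This PayID server implementation does not include TLS out-of-the-box, so it MUST be configured," so that readers treat both requirements with the same weight.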
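Review bot: In the second hunk, the new Private API section states the API MUST only be exposed to trusted IP ranges and MUST NOT be exposed publicly, but the unchanged "PayID integration and the PayID APIs" paragraph below still says only that the API "should be exposed internally only". Suggest aligning that sentence with the new MUST / MUST NOT wording and linking it to the new section, and adding one sentence on how the restriction is expected to be applied (for example, network-level access control in front of the server or at the reverse proxy already referenced in the TLS section), since an IP restriction is the only control named while authentication is absent.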