diff --git a/src/github.com/matrix-org/dendrite/clientapi/auth/auth.go b/src/github.com/matrix-org/dendrite/clientapi/auth/auth.go
index 9670bc2a2..9f350b4b0 100644
--- a/src/github.com/matrix-org/dendrite/clientapi/auth/auth.go
+++ b/src/github.com/matrix-org/dendrite/clientapi/auth/auth.go
@@ -30,6 +30,10 @@ import (
 )
 
 // UnknownDeviceID is the default device id if one is not specified.
+// This deviates from Synapse which generates a new device ID if one is not specified.
+// It's preferable to not amass a huge list of valid access tokens for an account,
+// so limiting it to 1 unknown device for now limits the number of valid tokens.
+// Clients should be giving us device IDs.
 var UnknownDeviceID = "unknown-device"
 
 // OWASP recommends at least 128 bits of entropy for tokens: https://www.owasp.org/index.php/Insufficient_Session-ID_Length
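Review bot: The added comment on `UnknownDeviceID` says a single shared device ID limits the number of valid access tokens, but nothing in this hunk shows where that bound is enforced; it holds only if a login for an already-known device ID revokes that device's previous token. I would state that dependency in the comment, e.g. `// This only bounds tokens if a login with an existing device ID replaces that device's previous token.` The comment should also record the likely side effect that two clients which both omit a device ID share one device entry and, presumably, displace each other's session. Because the wording is "for now", a `// TODO` naming the intended follow-up would keep the deviation from Synapse from becoming permanent by accident. Separately, the unchanged `var UnknownDeviceID` is an exported mutable string, so `const UnknownDeviceID = "unknown-device"` would prevent other packages from reassigning the default, assuming nothing takes its address.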