diff --git a/lxd/events.go b/lxd/events.go
index f91d08b4faea..1a814b5fd8b0 100644
--- a/lxd/events.go
+++ b/lxd/events.go
@@ -61,6 +61,14 @@ func eventsSocket(s *state.State, r *http.Request, w http.ResponseWriter) error
 }
 }
+ // Notes on authorization for events:
+ // - Checks are currently performed at the project level. Fine-grained auth uses `can_view_events` on the project,
+ // TLS auth checks if a restricted identity has access to the project against which the event is defined.
+ // - If project "foo" does not have a particular feature enabled, say 'features.networks', if a network is updated
+ // via project "foo", no events will be emitted in project "foo" relating to the network. They will only be emitted
+ // in project "default". In order to get all related events, TLS users must be granted access to the default project,
+ // fine-grained users can be granted `can_view_events` on the default project. Both must call the events API with
+ // `all-projects=true`.
 var projectPermissionFunc auth.PermissionChecker
 if projectName != "" {
 err := s.Authorizer.CheckPermission(r.Context(), entity.ProjectURL(projectName), auth.EntitlementCanViewEvents)