Add missing section in accounts docs

docs/docs/concepts/foundation/accounts/main.md

@@ -100,7 +100,13 @@ However, this is not required when sitting on the receiving end. A user can dete
 
 ### Authorising actions
 
-TODO
+Account contracts are also expected, though not required by the protocol, to implement a set of methods for authorising actions on behalf of the user. During a transaction, a contract may call into the account contract and request the user authorisation for a given action, identified by a hash. This pattern is used, for instance, for transferring tokens from an account that is not the caller.
+
+When executing a private function, this authorisation is checked by requesting an _auth witness_ from the execution oracle, which is usually a signed message. The RPC Server is responsible for storing these auth witnesses and returning them to the requesting account contract. Auth witnesses can belong to the current user executing the local transaction, or to another user who shared it out-of-band.
+
+However, during a public function execution, it is not possible to retrieve a value from the local oracle. To support authorisations in public functions, account contracts should save in contract storage what actions have been pre-authorised by their owner. 
+
+These two patterns combined allow an account contract to answer whether an action `is_valid` for a given user both in private and public contexts.
 
 ### Encryption and nullifying keys