diff --git a/README.md b/README.md
index 483b0c5..cfb14b3 100644
--- a/README.md
+++ b/README.md
@@ -17,6 +17,8 @@ Subsequent steps in the Action can then access nodes in your Tailnet.
 oauth-client-id and oauth-secret are an [OAuth client](https://tailscale.com/s/oauth-clients/)
 for the tailnet to be accessed. We recommend storing these as
 [GitHub Encrypted Secrets.](https://docs.github.com/en/actions/security-guides/encrypted-secrets)
+Note that any OAuth clients used for this purpose must have the
+[`auth_keys` scope.](https://tailscale.com/kb/1215/oauth-clients#scopes)
 
 tags is a comma-separated list of one or more [ACL Tags](https://tailscale.com/kb/1068/acl-tags/)
 for the node. At least one tag is required: an OAuth client is not associated