diff --git a/docs/0_index.md b/docs/0_index.md index e724e0f8..860ba372 100644 --- a/docs/0_index.md +++ b/docs/0_index.md @@ -21,3 +21,12 @@ A list of changes can be seen in the [CHANGELOG]({{ site.gitweb }}/CHANGELOG.md) ## Architecture ![OAuth2 Proxy Architecture](https://cloud.githubusercontent.com/assets/45028/8027702/bd040b7a-0d6a-11e5-85b9-f8d953d04f39.png) + +## Behavior + +1. Any request passing through the proxy (and not matched by `--skip-auth-regex`) is checked for the proxy's session cookie (`--cookie-name`) (or, if allowed, a JWT token - see `--skip-jwt-bearer-tokens`). +2. If authentication is required but missing then the user is asked to log in and redirected to the authentication provider (unless it is an Ajax request, i.e. one with `Accept: application/json`, in which case 401 Unauthorized is returned) +3. After returning from the authentication provider, the oauth tokens are stored in the configured session store (cookie, redis, ...) and a cookie is set +4. The request is forwarded to the upstream server with added user info and authentication headers (depending on the configuration) + +Notice that the proxy also provides a number of useful [endpoints](/oauth2-proxy/endpoints).
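Review bot: Step 1 of the new Behavior list excludes requests matched by `--skip-auth-regex`, but the list never says what happens to them. Since that is the path on which no authentication check runs, state it explicitly, for example as a sentence after step 1 saying how such requests are handled, so readers do not have to infer it. Two smaller points in the same hunk: "a cookie is set" in step 3 should name which cookie (the session cookie from `--cookie-name` in step 1, if that is the one meant), and "JWT token" in step 1 is redundant, "JWT" or "JWT bearer token" reads better. The closing link `/oauth2-proxy/endpoints` is a hard-coded absolute path, while the CHANGELOG link in the context line is built from a site variable (`{{ site.gitweb }}`); a relative link or a site variable would keep it working if the docs are served under a different base path. Steps 2 to 4 are also missing their terminal periods, unlike step 1.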