diff --git a/ecosystem/sep-0045.md b/ecosystem/sep-0045.md index c866252b5..7758d01dd 100644 --- a/ecosystem/sep-0045.md +++ b/ecosystem/sep-0045.md 
@@ -89,34 +89,38 @@ The authentication flow is as follows: 1. The **Client** obtains a signature from the **Client Domain Address** for the authorization entry where `credentials.address.address` is the **Client Domain Address** if the **Client** included a client domain in the request -1. The **Client** simulates the transaction with the signed authorization entries and verifies the following to ensure +1. If the **Client** contract's `__check_auth` implementation requires additional signed authorization entries, the + **Client** signs those entries as well +1. The **Client** simulates the transaction with all signed authorization entries and verifies the following to ensure the transaction does not have any unintended side effects: - The transaction's ledger footprint `read_write` set contains only `contract_data` entries where: - The `contract` is the **Client Account** address, and the `key` is `ledger_key_nonce`. - The `contract` is the **Home Domain Address**, and the `key` is `ledger_key_nonce`. - (Optional) if an authorization entry for the **Client Domain Address** was present in the challenge, the `contract` is the **Client Domain Address**, and the `key` is `ledger_key_nonce`. -1. The **Client** submits the signed authorization entries back to the **Server** using [`token`](#token) endpoint -1. The **Server** extracts the arguments from the authorization entries returned by the client -1. The **Server** verifies that the `contract_address` in each authorization entry matches the `WEB_AUTH_CONTRACT_ID` - from the **Server**'s `stellar.toml` -1. The **Server** verifies that the `function_name` in each authorization entry is `web_auth_verify` -1. The **Server** verifies that the `args` map in each authorization entry match the expected values and are the same - across all authorization entries: - 1. The `account` value matches the **Client Account** address - 1. The `home_domain` value matches the **Home Domain** - 1. 
The `home_domain_address` value matches the **Home Domain Address** - 1. The `web_auth_domain` value matches the **Server**'s domain - 1. The `client_domain_address` value matches the **Client Domain Address** if the **Client** included a - `client_domain` in the request, otherwise it is not present -1. (Optional) The **Server** verifies that the `nonce` argument is the same across all authorization entries and is - unique +1. The **Client** submits all signed authorization entries back to the **Server** using [`token`](#token) endpoint +1. The **Server** verifies there are authorization entries where `contract_address` in each authorization entry matches + the `WEB_AUTH_CONTRACT_ID` from the **Server**'s `stellar.toml` and for each authorization entry: + 1. The **Server** verifies that the `function_name` in each authorization entry is `web_auth_verify` + 1. The **Server** extracts the arguments from the authorization entries returned by the client + 1. The **Server** verifies that the `args` map in each authorization entry match the expected values and are the same + across all authorization entries: + - The `account` value matches the **Client Account** address + - The `home_domain` value matches the **Home Domain** + - The `home_domain_address` value matches the **Home Domain Address** + - The `web_auth_domain` value matches the **Server**'s domain + - The `client_domain_address` value matches the **Client Domain Address** if the **Client** included a + `client_domain` in the request, otherwise it is not present + - (Optional) The **Server** verifies that the `nonce` argument is the same across all authorization entries and is + unique 1. The **Server** verifies that there is an authorization entry where `credentials.address.address` is the **Home Domain Address** and contains a valid signature from the **Home Domain Address** 1. The **Server** verifies that there is an authorization entry where `credentials.address.address` is the **Client Account** address 1. 
The **Server** verifies that there is an authorization entry where `credentials.address.address` is the **Client Domain Address** if the arguments included a `client_domain_address` +1. The **Server** does not validate any additional authorization entries that the **Client** may have included in the + request 1. The **Server** constructs a transaction with a single Invoke Host Function operation where the contract address is `WEB_AUTH_CONTRACT_ID` and the function is `web_auth_verify` using the previously extracted arguments and the authorization entries returned by the client 
@@ -247,18 +251,18 @@ by the server): To validate the challenge transaction the following steps are performed by the **Server**. If any of the listed steps fail, then the authentication request must be rejected — that is, treated by the **Server** as an invalid input. -1. Extract the arguments from the authorization entries returned by the client; -1. Verify that the `contract_address` in each authorization entry matches the `WEB_AUTH_CONTRACT_ID` from the - **Server**'s `stellar.toml`; -1. Verify that the `function_name` in each authorization entry is `web_auth_verify`; -1. Verify that the `args` in each authorization entry match the expected values and is the same across all authorization - entries: - 1. The `home_domain` value matches the **Home Domain**; - 1. The `home_domain_address` value matches the **Home Domain Address**; - 1. The `web_auth_domain` value matches the **Server**'s domain; - 1. The `client_domain` is present if `client_domain_address` is present; - 1. The `client_domain_address` value matches the **Client Domain Address** if `client_domain` is present; -1. (Optional) Verify that the `nonce` argument is the same across all authorization entries and is valid; +1. Verify there are authorization entries where `contract_address` in each authorization entry matches the + `WEB_AUTH_CONTRACT_ID` from the **Server**'s `stellar.toml` and for each authorization entry; + 1. Verify that the `function_name` in each authorization entry is `web_auth_verify`; + 1. Extract the arguments from the authorization entries returned by the client; + 1. 
Verify that the `args` in each authorization entry match the expected values and is the same across all + authorization entries: + - The `home_domain` value matches the **Home Domain**; + - The `home_domain_address` value matches the **Home Domain Address**; + - The `web_auth_domain` value matches the **Server**'s domain; + - The `client_domain` is present if `client_domain_address` is present; + - The `client_domain_address` value matches the **Client Domain Address** if `client_domain` is present; + - (Optional) Verify that the `nonce` argument is the same across all authorization entries and is valid; 1. Verify that there is an authorization entry where `credentials.address.address` is the **Home Domain Address** and contains a valid signature from the **Home Domain Address**; 1. Verify that there is an authorization entry where `credentials.address.address` is the **Client Account** address
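Review bot: in the first hunk (`@@ -89,34 +89,38 @@`), the added step `The **Server** does not validate any additional authorization entries that the **Client** may have included in the request` leaves the trust boundary ambiguous, because the step right after it still builds the Server's transaction `using the previously extracted arguments and the authorization entries returned by the client`, so those unvalidated entries are passed through rather than discarded. State explicitly whether the Server drops entries whose `contract_address` is not `WEB_AUTH_CONTRACT_ID` or keeps them and relies on simulation, and in the latter case give the Server the same `read_write` footprint restriction (`contract_data` entries keyed by `ledger_key_nonce` for the Client Account, Home Domain Address and optional Client Domain Address) that this hunk assigns only to the Client's simulation. Two smaller points in the same hunk: the bullet `(Optional) The **Server** verifies that the nonce argument is the same across all authorization entries and is unique` is phrased as an action while its sibling bullets are conditions (`The account value matches ...`), and it is a cross-entry check nested under a per-entry loop, so it reads better as its own numbered step; and `using [token](#token) endpoint` is missing the article `the`.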
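Review bot: in the second hunk (`@@ -247,18 +251,18 @@`), the validation list is now out of sync with the flow in the first hunk: it omits the `account` value check (`The account value matches the **Client Account** address`) that the flow section lists among the `args` conditions, and it says nothing about additional authorization entries, which the flow section now says the Server does not validate. Since this section is the normative one (`If any of the listed steps fail, then the authentication request must be rejected`), add the `account` bullet here and a step stating how entries whose `contract_address` is not `WEB_AUTH_CONTRACT_ID` are treated, so implementers cannot satisfy one section and violate the other. Formatting: the new step header `... and for each authorization entry;` ends with a semicolon before its sub-list, while the same step in the first hunk ends with a colon; use the colon in both places.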