From 75ee49c2127f96cdc7b9aac24308d8d17e9030ee Mon Sep 17 00:00:00 2001
From: Lunny Xiao
Date: Sun, 5 Apr 2026 17:26:55 -0700
Subject: [PATCH] Add comment
---
 routers/api/v1/api.go | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/routers/api/v1/api.go b/routers/api/v1/api.go
index 364ea51a08..ec9b4c36a0 100644
--- a/routers/api/v1/api.go
+++ b/routers/api/v1/api.go
@@ -979,6 +979,8 @@ func Routes() *web.Router {
 Get(reqToken(), notify.GetThread).
 Patch(reqToken(), notify.ReadThread)
 }, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryNotification), rejectPublicOnly())
+ // notifications API should not be used with public-only tokens, as notifications are mixed with both public and private repositories
+ // if a token is used with notifications API, it should be required to have the notification scope, and the token should not be public-only
 // Users (requires user scope)
 m.Group("/users", func() {
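Review bot: The two added comment lines trail the call they describe: they come after the closing `}, tokenRequiresScopes(auth_model.AccessTokenScopeCategoryNotification), rejectPublicOnly())` and directly before `// Users (requires user scope)`, so a reader can take them as part of the users group's header. They would be better placed above the opening of the group they document, which is outside this hunk, as is the rest of `Routes()`. The second line is also worded as a wish ("should be required") although the middleware on the preceding line appears to enforce it already, so I would state it as a fact and name the two guards, e.g. `// Notifications mix public and private repositories, so this group requires the notification scope (tokenRequiresScopes) and rejects public-only tokens (rejectPublicOnly).` Naming the guards makes it clear to a later editor that removing `rejectPublicOnly()` is an access-control change, not a cleanup.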