diff --git a/docs/request-flow.md b/docs/request-flow.md
index 32bb12192b..ed2d9a6938 100644
--- a/docs/request-flow.md
+++ b/docs/request-flow.md
@@ -10,7 +10,7 @@ geekdocFilePath: request-flow.md
## Request Flow
-The following sequence diagram describes the general request flow:
+The following sequence diagram describes the general request flow. It shows where account provisioning and token minting are happening:
{{< mermaid class="text-center">}}
sequenceDiagram
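Review bot: the new sentence in the `+` line reads more naturally as "It shows where account provisioning and token minting happen:" ("are happening" suggests an ongoing event rather than a place in the flow). Since the diagram below now also covers the oc10 fallback and the disabled-account case, consider naming those here too so a reader knows what to look for.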
@@ -25,51 +25,71 @@ sequenceDiagram
user->>+client: What is the content of my home?
client->>+proxy: PROPFIND
Bearer auth using oidc auth token
- Note right of client: What is in a bearer token?
The spec recommends opaque tokens.
So it is just random byte noise.
+ Note over client,proxy: What is in a bearer token?
The spec recommends opaque tokens.
Treat it as random byte noise.
+ Note over client,proxy: the proxy MUST authenticate users
using ocis-accounts because it needs
to decide where to send the request
%% Mention introspection endpoint for opaque tokens
%% konnectd uses jwt, so we can save a request
%% either way the token can be used to look up the sub and iss of the user
%% or is token check enough?
proxy->>+idp: GET /userinfo
- idp-->>-proxy: JSON response
- Note right of proxy: the result contains
the sub of the user
- %% see: https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse
+ alt userinfo succeeds
- proxy->>+accounts: TODO API call to exchange sub@iss with account UUID
+ idp-->>proxy: 200 OK
+ Note over proxy,accounts: Content-Type: application/json
{
"sub": "248289761001",
"name": "Jane Doe",
"given_name": "Jane",
"family_name": "Doe",
"preferred_username": "j.doe",
"email": "janedoe@example.com",
"picture": "http://example.com/janedoe/me.jpg"
}
+ %% see: https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse
- alt internal account
- accounts->>+ldap: is user allowed to use ocis
- ldap-->>-accounts: yes/no - group based
- else guest account
- accounts->>accounts: check if is valid guest account
- end
+ else userinfo fails
+ idp-->>-proxy: 401 Unauthorized
+ Note over proxy,accounts: WWW-Authenticate: error="invalid_token",
error_description="The Access Token expired"
- accounts-->>-proxy: new or existing account UUID / error
- Note right of accounts: actually this provisions
the account including
displayname, email and
sub@iss if the user is
allowed to login, based
on group membership
in the ldap server
-
-
- Note right of proxy: the proxy MUST
authenticate users
using ocis-accounts
because it needs to
decide where to
send the request
-
- Note right of proxy: forward request to
ocis or oc10
- %% what if oc10 does not support a certain request / API
- alt user is migrated
-
- Note right of proxy: mint an internal jwt
token that includes
the UUID and username
- proxy->>+reva: PROPFIND
Bearer auth using internal JWT
- reva-->>-proxy: Multistatus response
-
- else user is not migrated
-
- Note right of proxy: forward existing bearer auth?
- proxy->>+oc10: PROPFIND
Bearer auth using internal JWT
- %% TODO auth using internal token?
- oc10-->>-proxy: Multistatus response
+ proxy-->>client: 401 Unauthorized or
302 Found with redirect to idp
+ Note over client: start at login flow
or refresh the token
end
+ proxy->>+accounts: TODO API call to exchange sub@iss with account UUID
+ Note over proxy,accounts: does not autoprovision users. They are explicitly provsioned later.
+ alt account exists or has been migrated
+
+ accounts-->>proxy: existing account UUID
+ else account does not exist
+
+ opt oc10 endpoint is configured
+ Note over proxy,oc10: Check if user exists in oc10
+ proxy->>+oc10: GET /apps/graphapi/v1.0/users/
+ opt user exists in oc10
+ oc10-->>-proxy: 200
+ %% TODO auth using internal token
+ proxy->>+oc10: PROPFIND
+ Note over proxy,oc10: forward existing bearer auth
+ oc10-->>-proxy: Multistatus response
+ proxy-->>client: Multistatus response
+ client-->>user: List of Files X, Y, Z ...
+ end
+ end
+
+ Note over proxy,accounts: provision a new account including displayname, email and sub@iss
TODO only if the user is allowed to login, based on group
membership in the ldap server
+ proxy->>proxy: generate new uuid
+ proxy->>+accounts: TODO create account with new generated uuid
+ accounts-->>-proxy: OK / error
+
+ else account has been disabled
+
+ accounts-->>-proxy: account is disabled
+ proxy-->>client: 401 Unauthorized or
302 Found with redirect to idp
+ Note over client: start at login flow
or refresh the token
+
+ end
+ proxy->>proxy: store uuid in context
+
+ %% what if oc10 does not support a certain request / API
+
+ proxy->>proxy: mint an internal jwt that includes the UUID and username using revas `x-access-token` header
+ proxy->>+reva: PROPFIND
Token auth using internal JWT
+ reva-->>-proxy: Multistatus response
proxy-->>-client: Multistatus response
client-->>-user: List of Files X, Y, Z ...
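Review bot: the provisioning branch (`else account does not exist`, the `Note over proxy,accounts: provision a new account ...` through `accounts-->>-proxy: OK / error`) creates the account before the group-membership check that the old diagram performed (`accounts->>+ldap: is user allowed to use ocis` / `ldap-->>-accounts: yes/no - group based`), and that check is now only a TODO inside the note; as drawn, any valid userinfo response leads to `proxy->>+accounts: TODO create account with new generated uuid`, so please keep the allow-check as an explicit step before the create call rather than a TODO. A few smaller points in the same hunk: the note `does not autoprovision users. They are explicitly provsioned later.` (typo: provisioned) contradicts the provisioning that happens in the same request a few lines down, so either drop "later" or say that the proxy, not accounts, does the provisioning; the `opt user exists in oc10` block ends with `client-->>user: List of Files X, Y, Z ...` but a sequence diagram has no early return, so the flow visually continues into provisioning and the reva PROPFIND for a user who was just served by oc10, and a note that the request ends there (or moving the oc10 forwarding out of the provisioning alt) would avoid that reading; `GET /apps/graphapi/v1.0/users/` does not say which key (sub, preferred_username, email) the proxy uses to look the user up in oc10, which matters because the same key decides whether an existing oc10 user is matched to a new ocis account; the activations are unbalanced, since `idp-->>proxy: 200 OK` and `accounts-->>proxy: existing account UUID` lack the `-` that their failure-branch counterparts (`idp-->>-proxy: 401 Unauthorized`, `accounts-->>-proxy: account is disabled`) have, leaving idp and accounts activated in the success paths; and `revas` should be `reva's` in the mint-JWT line.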