diff --git a/src/doc/specification/Authentication.rst b/src/doc/specification/Authentication.rst
index cf8237f6ae82cf27acb2dd1c56065241f8658ab0..0d3da0e19d357808caa5fe2c9a29166196c5a9b1 100644
--- a/src/doc/specification/Authentication.rst
+++ b/src/doc/specification/Authentication.rst
@@ -71,78 +71,13 @@ To use the cookie, pass it on with later requests:
 Logout
 ~~~~~~
 
-Use the cookie on the ``logout`` resource to invalidate the session:
+The server does not invalidate AuthTokens. They invalidate after they expire of
+when the server is being restartet. Client should just delete their AuthToken
+to 'logout'.
+
+However, in order to remove the AuthToken cookie from the browsers there is a
+convenient resource which will invalidate the cookie (not the AuthToken).
 
 .. code-block:: sh
 
    curl -X GET -b cookie.txt --insecure "https://<SERVER>/logout"  # Now the cookie is invalidated.
-   curl -X GET -b cookie.txt --insecure "https://<SERVER>/Entity/123"  # Should fail with 401 - Unauthorized.
-
-
-Outdated information?
-=====================
-
-The text below may be outdated.
-
-Request Challenge
------------------
-
-* ``GET http://host:port/login?username=$username``
-* ``GET http://host:port/login`` with ``username`` header
-
-**No password is required to be sent over http.**
-
-The request returns an AuthToken with a login challenge as a cookie.
-The AuthToken is a dictionary of the following form:
-
-.. code-block::
-
-   {scope=$scope;
-    mode=LOGIN;
-    offerer=$offerer;
-    auth=$auth
-    expires=$expires;
-    date=$date;
-    hash=$hash;
-    session=$session;
-   }
-
-where
-
-* ``$scope`` :: A uri pattern string. Example: ``{ **/* }``
-* ``$mode`` :: ``ONETIME``, ``SESSION``, or ``LOGIN``
-* ``$offerer`` :: A valid username
-* ``$auth`` :: A valid username
-* ``$expires`` :: A ``YYYY-MM-DD HH:mm:ss[.nnnn]`` date string
-* ``$date`` :: A ``YYYY-MM-DD HH:mm:ss[.nnnn]`` date string
-* ``$hash`` :: A string
-* ``$session`` :: A string
-
-The challenge is solved by concatenating the ``$hash`` string and
-the user's ``$password`` string and calculating the sha512 hash of both.
-Pseudo code:
-
-.. code-block::
-
-   $solution = sha512($hash + sha512($password))
-
-Send Solution
--------------
-
-The old ``$hash`` string in the cookie has to be replaces by ``$solution`` and
- the cookie is to be send with the next request:
-
-``PUT http://host:port/mpidsserver/login``
-
-The server will return the user's entity in the HTTP body, e.g.
-
-.. code-block::
-
-   <Response ...>
-     <User name="$username" ...>
-      ...
-     </User>
-   </Response>
-
-and a new AuthToken with ``$mode=SESSION`` and a new expiration date and so
-on. This AuthToken cookie is to be send with every request.