diff --git a/packages/backend/src/server/oauth/OAuth2ProviderService.ts b/packages/backend/src/server/oauth/OAuth2ProviderService.ts
index c2a57adb3..58b2c9afa 100644
--- a/packages/backend/src/server/oauth/OAuth2ProviderService.ts
+++ b/packages/backend/src/server/oauth/OAuth2ProviderService.ts
@@ -84,6 +84,7 @@ interface ClientInformation {
 	name: string;
 }
 
+// https://indieauth.spec.indieweb.org/#client-information-discovery
 async function discoverClientInformation(httpRequestService: HttpRequestService, id: string): Promise<ClientInformation> {
 	try {
 		const res = await httpRequestService.send(id);
diff --git a/packages/backend/test/e2e/oauth.ts b/packages/backend/test/e2e/oauth.ts
index a9bdfae77..5cd4135fc 100644
--- a/packages/backend/test/e2e/oauth.ts
+++ b/packages/backend/test/e2e/oauth.ts
@@ -553,8 +553,7 @@ describe('OAuth', () => {
 				},
 				body: JSON.stringify({ text: 'test' }),
 			});
-			// XXX: PERMISSION_DENIED is not using kind: 'permission' and gives 400 instead of 403
-			assert.strictEqual(createResponse.status, 400);
+			assert.strictEqual(createResponse.status, 403);
 		});
 	});