diff --git a/Setting-up-Authentication.md b/Setting-up-Authentication.md
index 65c86d3..3e908df 100644
--- a/Setting-up-Authentication.md
+++ b/Setting-up-Authentication.md
@@ -207,7 +207,7 @@ curl -X 'GET' \
 
 > [!CAUTION]
 > We recommend sticking to header-based authentication and not using this method unless you deeply understand the CSRF/CORS security risks.
-> This method is mostly useful when testing API requests from the browser devtools, as it lets you skip having to pass an API key with every request.
+> This method is mostly useful when testing API requests from the browser devtools or CLI tools, as it lets you skip having to pass an API key with every request.
 
 > Browsers enforce that requests made to the ArchiveBox API from *other domains* will not include any session cookies by default. This is is an [important security principle](https://docs.djangoproject.com/en/5.0/ref/csrf/) that protects you from API requests being initiated from JS served to users on websites you don't control (aka CSRF/CORS attacks).