diff --git a/content/server-server-api.md b/content/server-server-api.md index 33fb4952..fd99ba13 100644 --- a/content/server-server-api.md +++ b/content/server-server-api.md @@ -295,13 +295,14 @@ The format of the Authorization header is given in [RFC7235](https://datatracker.ietf.org/doc/html/rfc7235#section-2.1). In summary, the header begins with authorization scheme `X-Matrix`, followed by one or more spaces, followed by a comma-separated list of parameters written as -name=value pairs. The names are case insensitive. The values must be enclosed -in quotes if they contain characters that are not allowed in `token`s, as defined in +name=value pairs. The names are case insensitive and order does not matter. The +values must be enclosed in quotes if they contain characters that are not +allowed in `token`s, as defined in [RFC7230](https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.6); if a value is a valid `token`, it may or may not be enclosed in quotes. Quoted values may include backslash-escaped characters. When parsing the header, the -recipient must unescape the characters. That is, a backslash-character pair -is replaced by the character following the backslash. +recipient must unescape the characters. That is, a backslash-character pair is +replaced by the character following the backslash. For compatibility with older servers, the sender should - only include one space after `X-Matrix`, @@ -322,8 +323,7 @@ The authorization parameters to include are: Unauthorized. - `key`: the ID, including the algorithm name, of the sending server's key used to sign the request -- `signature`: the signature of the JSON as calculated in step 1. The - signature must be unpadded. +- `signature`: the signature of the JSON as calculated in step 1. Unknown parameters are ignored.
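Review bot: In the first hunk, "The names are case insensitive and order does not matter." leaves open what a recipient does when the same parameter appears more than once, and with "Unknown parameters are ignored." a few lines later the two statements together could be read as permitting either first-wins or last-wins handling. Please add a sentence fixing the behaviour for duplicated parameters (for the signing-relevant `key` and `signature` values, rejecting the request is the safer choice), so that independent implementations do not diverge on which value they verify.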
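Review bot: In the second hunk, dropping "The signature must be unpadded." from the `signature` parameter removes the only statement in this list about how the signature value is encoded, and the remaining text "as calculated in step 1" does not say whether that step already fixes the padding. If step 1 does define the encoding, a short cross-reference here ("encoded as described in step 1") would preserve the requirement; otherwise the sentence should stay, and the text should also say whether a recipient must reject a padded value rather than leaving senders and verifiers to guess.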