diff --git a/README.md b/README.md
index c83c949..2279a7d 100644
--- a/README.md
+++ b/README.md
@@ -17,6 +17,28 @@ Inside the tunnel
 The server can run behind a firewall, because it is actually a special HTTP
 client.
 
+## Glossary
+
+- "Tunnel" - The reverse HTTP tunnel between ptth_relay and ptth_server.
+ptth_server connects out to ptth_relay, then ptth_relay forwards incoming
+connections to ptth_server through the tunnel.
+- "Relay" or "Relay server" - The ptth_relay app. This must run on a server
+that can accept incoming HTTP connections.
+- "Server" or "destination server" - The ptth_server app. This should run behind
+a firewall. It will connect out to the relay and accept incoming connections
+through the PTTH tunnel.
+- "Client" - Any client that connects to the relay in order to reach a
+destination server. Admins must terminate TLS between 
+ptth_relay and all clients.
+- "Frontend" - The human-friendly HTTP+HTML interface that ptth_relay either
+serves directly or relays from ptth_server. This interface has no auth by
+default. Admins must provide their own auth in front of ptth_relay. 
+OAuth2 is recommended.
+- "Backend API" - The HTTP API that ptth_server uses to establish the tunnel.
+Noted in the code with the cookie "7ZSFUKGV".
+- "Scraper API" - An optional HTTP API for scraper clients to access ptth_relay and
+the destination servers using machine-friendly auth.
+
 ## How to configure
 
 The server must be configured first so that its tripcode can be registered