diff --git a/packages/backend/src/server/oauth/OAuth2ProviderService.ts b/packages/backend/src/server/oauth/OAuth2ProviderService.ts
index 4a07758796..c2a57adb3c 100644
--- a/packages/backend/src/server/oauth/OAuth2ProviderService.ts
+++ b/packages/backend/src/server/oauth/OAuth2ProviderService.ts
@@ -26,7 +26,9 @@ import { LoggerService } from '@/core/LoggerService.js';
 import Logger from '@/logger.js';
 import type { FastifyInstance } from 'fastify';
 
-// https://indieauth.spec.indieweb.org/#client-identifier
+// Follows https://indieauth.spec.indieweb.org/#client-identifier
+// This is also mostly similar to https://developers.google.com/identity/protocols/oauth2/web-server#uri-validation
+// although Google has stricter rule.
 function validateClientId(raw: string): URL {
 // Clients are identified by a [URL].
 const url = ((): URL => {
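Review bot: The new comment above `validateClientId` says Google "has stricter rule" but does not name which of those rules this function deliberately leaves unenforced, so a later reader cannot tell an intentional gap from an oversight in client ID validation. The linked Google section appears to cover redirect URI validation rather than client identifiers, and the comment should say so, because the two URLs carry different trust in an OAuth flow. I would reword the last two lines along the lines of `// Comparable to Google's redirect-URI rules (<link>), which are stricter; only the IndieAuth client-identifier rules are enforced here.` and list the skipped rules if they are known. The function body continues past the end of the hunk, so the checks it actually performs are not visible here.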