diff --git a/evolution/naming-conventions.md b/evolution/naming-conventions.md index 755929c..f56ca04 100644 --- a/evolution/naming-conventions.md +++ b/evolution/naming-conventions.md @@ -80,7 +80,7 @@ Every HTTP Header should use `Hyphenated-Pascal-Case`. A custom HTTP Header **SH #### Example ``` -ORDER-METADATA-HEADER: 42 +Order-Metadata-Header: 42 ``` diff --git a/execution/authentication.md b/execution/authentication.md index 545b535..df3b745 100644 --- a/execution/authentication.md +++ b/execution/authentication.md @@ -1,2 +1,16 @@ # Authentication -_TODO_ \ No newline at end of file + +Every API exposed outside of the adidas network **MUST** be available to authenticated clients only. Every unauthenticated HTTP request to exposed API **MUST** result in the **403 – Forbidden** HTTP Status code. + +There are two was how to authenticate a call to an API: + +1. OAuth2 token +1. API key + +# OAuth 2 Token +Every API that requires user authentication or authorization **MUST** use OAuth 2 tokens to authenticate the user. + +## API Key +If an API doesn't need to authorize users the API **MAY** use simple API token instead of the OAuth 2 token. The key **MUST** be provided in the `Adidas-API-Key` HTTP header. + +
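Review bot: In the `evolution/naming-conventions.md` hunk the example `Order-Metadata-Header: 42` now matches the `Hyphenated-Pascal-Case` rule stated just above it, which is the right fix; the rule text itself would benefit from one sentence noting that HTTP header field names are case-insensitive on the wire (RFC 7230 section 3.2), so this convention governs how headers are written in documentation and code, and servers and clients must still match header names case-insensitively rather than rejecting `order-metadata-header` as unknown.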
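Review bot: In the `execution/authentication.md` hunk the requirement that every unauthenticated request "MUST result in the 403 – Forbidden HTTP Status code" conflicts with RFC 7235, which defines 401 Unauthorized (with a `WWW-Authenticate` header) for requests lacking valid credentials and reserves 403 for a successfully authenticated client that is not permitted to perform the action; suggest "MUST result in the 401 – Unauthorized HTTP Status code" and reserving 403 for authorization failures, since collapsing both cases into 403 hides from clients whether they need to authenticate or lack permission. Smaller points in the same hunk: "There are two was how to authenticate a call" should read "There are two ways to authenticate a call"; the heading `# OAuth 2 Token` is a top-level heading while `## API Key` is second-level, so it should be `## OAuth 2 Token` under the `# Authentication` title; the API Key section calls the credential a "simple API token" in one sentence and "The key" in the next, so pick one term (the header name `Adidas-API-Key` suggests "key"); and since the key is a bearer secret sent in the `Adidas-API-Key` header, state explicitly that it MUST only be sent over TLS and MUST NOT be passed in the URL or query string, where it would end up in logs and referrers.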