diff --git a/README.md b/README.md index 3b5bfb6..ac4f932 100644 --- a/README.md +++ b/README.md @@ -125,7 +125,7 @@ Proxy Server: AWS US West Oregon (us-west-2) "acl": "my_list.acl", // See ACL below "obfs": "AMOGUS", // Obfuscation password "auth": { // Authentication - "mode": "password", // Mode, only supports "password" and "none" for now + "mode": "password", // Mode, supports "password" "none" and "external" for now "config": { "password": "yubiyubi" } @@ -136,6 +136,42 @@ Proxy Server: AWS US West Oregon (us-west-2) } ``` +#### External authentication integration + +If you are a commercial proxy provider, you may want to connect Hysteria to your own authentication backend. + +```json5 +{ + // ... + "auth": { + "mode": "external", + "config": { + "http": "https://api.example.com/auth" // Both HTTP and HTTPS are supported + } + } +} +``` + +For the above config, Hysteria sends a POST request to `https://api.example.com/auth` upon each client's connection: + +```json5 +{ + "addr": "111.222.111.222:52731", + "payload": "[BASE64]", // auth or auth_str of the client + "send": 12500000, // Negotiated server send speed for this client (Bps) + "recv": 12500000 // Negotiated server recv speed for this client (Bps) +} +``` + +The endpoint must return results with HTTP status code 200 (even if the authentication failed): + +```json5 +{ + "ok": false, + "msg": "No idea who you are" +} +``` + ### Client ```json5 diff --git a/README.zh.md b/README.zh.md index 1d28e91..1ba74a6 100644 --- a/README.zh.md +++ b/README.zh.md @@ -100,7 +100,7 @@ Hysteria 是专门针对恶劣网络环境(常见于卫星网络、在中国 ## 高级用法 -### Server +### 服务器 ```json5 { 
@@ -124,7 +124,43 @@ Hysteria 是专门针对恶劣网络环境(常见于卫星网络、在中国 } ``` -### Client +#### 接入外部验证 + +如果你是商业代理服务提供商,可以这样把 Hysteria 接入到自己的验证后端: + +```json5 +{ + // ... + "auth": { + "mode": "external", + "config": { + "http": "https://api.example.com/auth" // 支持 HTTP 和 HTTPS + } + } +} +``` + +对于上述配置,Hysteria 会把验证请求通过 HTTP POST 发送到 `https://api.example.com/auth` + +```json5 +{ + "addr": "111.222.111.222:52731", + "payload": "[BASE64]", // 对应客户端配置的 auth 或 auth_str 字段 + "send": 12500000, // 协商后的服务端最大发送速率 (Bps) + "recv": 12500000 // 协商后的服务端最大接收速率 (Bps) +} +``` + +后端必须用 HTTP 200 状态码返回验证结果(即使验证不通过): + +```json5 +{ + "ok": false, + "msg": "No idea who you are" +} +``` + +### 客户端 ```json5 {
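
Review bot: In the README.md hunk at `@@ -125,7 +125,7 @@`, the new comment `// Mode, supports "password" "none" and "external" for now` is missing the comma between "password" and "none". Suggest `// Mode, supports "password", "none" and "external"` so the three values read as a list.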
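
Review bot: In the new "External authentication integration" section of README.md, the config comment "Both HTTP and HTTPS are supported" sits next to a request body whose `payload` is the client's `auth` or `auth_str`, only Base64-encoded. With an `http://` endpoint, that credential travels in readable form between Hysteria and the backend. Suggest stating that HTTPS should be used unless the endpoint is on the same host. The section also shows only a failing response (`"ok": false`). Please add the success response, and say what Hysteria does when the endpoint returns a non-200 status or cannot be reached, so operators know whether the client is rejected in that case.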
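
Review bot: In the README.zh.md hunk at `@@ -124,7 +124,43 @@`, the sentence introducing the request body ("对于上述配置,Hysteria 会把验证请求通过 HTTP POST 发送到 ...") drops the "upon each client's connection" clause that the English README has, and it ends without punctuation before the code block. Suggest adding the clause (for example "在每个客户端连接时") and a closing colon so both READMEs describe the same behaviour. The comment "支持 HTTP 和 HTTPS" carries the same plain-HTTP exposure of `payload` as the English section and should get the same guidance.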