added documentation for adding domains when using the tunnel

README.md

@@ -370,6 +370,41 @@ tunnel:
     tunnelUrl: 'wss://api.tunnel.example.com/'
 ```
 
+**NOTE**: The more common way to use the tunnel with goldilocks is to use the
+API to have goldilocks get a token from `oauth3.org`. In order to do this you
+will need to have initialized goldilocks with a token that has the `dns` and
+`domains` scopes. This is probably easiest to do with the `daplie-desktop-app`,
+which will also get the first tunnel token for you.
+
+**If you want to add more domains** to handle on your device while using the tunnel
+you will need to manually get a new token that will tell the tunnel server to
+deliver the requests to the new domain(s) to your device. The first step in this
+is to attach the new domains to your device. To get the name of the device you
+can use the `config` API, but it's probably easiest to `ssh` onto the device and
+get the hostname. You can also use the daplie cli tool to see what device name
+your other domains are routed to.
+
+```bash
+# for every new domain you want to route attach the domain to your device
+daplie devices:attach -n $new_domain -d $device_name
+```
+
+After that step you will need to use the API to get goldilocks to get a new token
+that includes the new domains you attached. It is also recommended but not
+required to remove the older token with the incomplete list of domains. Run the
+following commands from the unit.
+
+```bash
+# remove the old token
+rm /opt/goldilocks/lib/node_modules/goldilocks/var/tokens.json
+
+# set the "refresh_token" to a bash variable `token`
+TOKEN=$(python -mjson.tool /opt/goldilocks/lib/node_modules/goldilocks/var/owners.json | sed -n 's|\s*"refresh_token": "\(.*\)",|\1|p')
+
+# tell goldilocks to get a new tunnel token
+curl -H "authorization: bearer $TOKEN" -X POST https://localhost.admin.daplie.me/api/goldilocks@daplie.com/tunnel
+```
+
 ### ddns
 
 TODO