diff --git a/Makefile b/Makefile
index d458959..557f89c 100644
--- a/Makefile
+++ b/Makefile
@@ -16,4 +16,7 @@ build: set-version test
 install: test
 	go install ./cmd/...
 
-.PHONY: install build test format set-version
+doc-images:
+	docker run -v ./:/data plantuml/plantuml "doc"
+
+.PHONY: install build test format set-version doc-images
diff --git a/README.md b/README.md
index bc8d66c..7dc1c1f 100644
--- a/README.md
+++ b/README.md
@@ -239,6 +239,14 @@ curl --cacert cert.pem \
     "https://localhost:4443/api/1/vehicles/$VIN/command/flash_lights"
 ```
 
+The flow to obtain `$TESLA_AUTH_TOKEN`:
+
+![](./doc/authorization.png)
+
+A command's flow through the system:
+
+![](./doc/request_diagram.png)
+
 ### REST API documentation
 
 The HTTP proxy implements the [Tesla Fleet API vehicle command endpoints](https://developer.tesla.com/docs/fleet-api#vehicle-commands).
diff --git a/doc/authorization.png b/doc/authorization.png
new file mode 100644
index 0000000..8e0aff5
Binary files /dev/null and b/doc/authorization.png differ
diff --git a/doc/authorization.puml b/doc/authorization.puml
new file mode 100644
index 0000000..51d6eef
--- /dev/null
+++ b/doc/authorization.puml
@@ -0,0 +1,17 @@
+@startuml
+title Authorization Flow
+"developer.tesla.com" -> "Your Backend": Store Client ID and Client Secret securely
+
+== Obtain a Partner Authentication Token ==
+"Secure Storage" <- "Your Backend": Fetch Client ID and Client Secret
+"Your Backend" -> "Tesla Auth": POST https://auth.tesla.com/oauth2/v3/token
+"Your Backend" <-- "Tesla Auth": {"access_token": "jwt"}
+
+== Obtain a Third-Party Token ==
+"User" -> "Tesla Auth": https://auth.tesla.com/oauth2/v3/authorize
+"User" <-- "Tesla Auth": Redirect URL
+"User" -> "Your Backend": Redirect URL sends token to your backend
+"Your Backend" -> "Tesla Auth": Code Exchange\nPOST https://auth.tesla.com/oauth2/v3/token
+"Your Backend" <-- "Tesla Auth": {"access_token": "jwt"}
+
+@enduml
diff --git a/doc/request_diagram.png b/doc/request_diagram.png
new file mode 100644
index 0000000..3bb4a81
Binary files /dev/null and b/doc/request_diagram.png differ
diff --git a/doc/request_diagram.puml b/doc/request_diagram.puml
new file mode 100644
index 0000000..a1719f2
--- /dev/null
+++ b/doc/request_diagram.puml
@@ -0,0 +1,23 @@
+@startuml
+title Vehicle Commands Proxy
+ 
+"Your Backend" -> "Vehicle Commands Proxy": GET /api/1/vehicles/$VIN/command/flash_lights\n(includes Bearer token)
+activate "Vehicle Commands Proxy"
+"Vehicle Commands Proxy" -> "Vehicle Commands Proxy": Sign command using private key
+ 
+"Vehicle Commands Proxy" -> "Fleet API": Signed command
+activate "Fleet API"
+ 
+"Fleet API" -> Vehicle: Signed command
+activate Vehicle
+Vehicle -> Vehicle: Validate signature\nusing public key
+Vehicle -> Vehicle: Flash Lights
+Vehicle --> "Fleet API": Response
+deactivate Vehicle
+ 
+"Fleet API" --> "Vehicle Commands Proxy": Response
+deactivate "Fleet API"
+ 
+"Vehicle Commands Proxy" --> "Your Backend": Response
+deactivate "Vehicle Commands Proxy"
+@enduml