diff --git a/CHANGELOG.md b/CHANGELOG.md
index eab0c55..543a1d8 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Changelog
 
+## 0.3.4
+
+- Bug fixes in `.flask_sqlalchemy`
+
 ## 0.3.3
 
 - Fixed leftovers in `snowflake` module from unchecked code copying — i.e. `SnowflakeGen.generate_one()` used to require an unused typ= parameter
diff --git a/src/suou/flask_sqlalchemy.py b/src/suou/flask_sqlalchemy.py
index 6af4cec..7cd5b41 100644
--- a/src/suou/flask_sqlalchemy.py
+++ b/src/suou/flask_sqlalchemy.py
@@ -35,7 +35,8 @@ class FlaskAuthSrc(AuthSrc):
     def get_session(self) -> Session:
         return self.db.session
     def get_token(self):
-        return request.authorization.token
+        if request.authorization:
+            return request.authorization.token
     def get_signature(self) -> bytes:
         sig = request.headers.get('authorization-signature', None)
         return want_bytes(sig) if sig else None
@@ -51,6 +52,9 @@ def require_auth(cls: type[DeclarativeBase], db: SQLAlchemy) -> Callable[Any, Ca
     This looks for a token in the Authorization header, validates it, loads the
     appropriate object, and injects it as the user= parameter.
 
+    NOTE: the actual decorator to be used on routes is **auth_required()**,
+    NOT require_auth() which is the **constructor** for it.
+
     cls is a SQLAlchemy table.
     db is a flask_sqlalchemy.SQLAlchemy() binding.