I have been asked to review this document on behalf of the Ops Directorate.

This document describes how to use a push-based method (with HTTP POST) to deliver Security Event Tokens (SETs).

Overall, I think this document is ready. It's easy to read, offers clear examples, and discusses various operational issues such as processing required and mitigation of potential DoS attacks.

In my reading of the document, I did find a few nits or things I think may want a bit more attention:

Section 2: The phrase "business logic" is nebulous. It may be sufficient to say, “anything beyond” the required validation steps. Then you can say further logic to process SETs SHOULD be executed asynchronously.

===

Section 2.3: In your error examples, especially the second one, is HTTP 400 always the right error code? I was thinking 403 in this case.

===

Section 2.4: Similar to my comment above, should this table have recommended HTTP codes? I was thinking invalid_request==422, invalid_key==400, authentication_failed==403, and access_denied==403.

===

Section 6: Typo s/Transmistters/Transmitters/