diff --git a/auth/request_example_test.go b/auth/request_example_test.go
new file mode 100644
index 0000000..626fc08
--- /dev/null
+++ b/auth/request_example_test.go
@@ -0,0 +1,35 @@
+package auth_test
+
+import (
+	"fmt"
+	"net/http"
+
+	"github.com/therootcompany/golib/auth"
+)
+
+// exampleCreds is a toy BasicAuthenticator used only in the example below.
+type exampleCreds struct{}
+
+func (exampleCreds) Authenticate(username, password string) (auth.BasicPrinciple, error) {
+	return nil, fmt.Errorf("not implemented")
+}
+
+// ExampleRequestAuthenticator shows the typical usage pattern.
+// Build a RequestAuthenticator once (at startup), attach your credential
+// store as the Authenticator, then call Authenticate in each handler.
+// Call Challenge before writing a 401 so the browser knows which scheme
+// to offer.
+func ExampleRequestAuthenticator() {
+	ra := auth.NewRequestAuthenticator()
+	ra.Authenticator = exampleCreds{} // swap in your real credential store
+
+	http.HandleFunc("/api/", func(w http.ResponseWriter, r *http.Request) {
+		principle, err := ra.Authenticate(r)
+		if err != nil {
+			ra.Challenge(w) // sets WWW-Authenticate: Basic
+			http.Error(w, "Unauthorized", http.StatusUnauthorized)
+			return
+		}
+		fmt.Fprintf(w, "hello %s", principle.ID())
+	})
+}
diff --git a/cmd/smsapid/main.go b/cmd/smsapid/main.go
index e123a5e..372b240 100644
--- a/cmd/smsapid/main.go
+++ b/cmd/smsapid/main.go
@@ -186,7 +186,7 @@ func parseSinceLimit(r *http.Request) (time.Time, int) {
 		}
 	}
 
-	limit := 10000
+	limit := 10_000
 	if l := r.URL.Query().Get("limit"); l != "" {
 		if n, err := strconv.Atoi(strings.ReplaceAll(l, "_", "")); err == nil && n > 0 {
 			limit = n