diff --git a/README.md b/README.md
index b0b601ed251842ca3d189e805b20427df1ddd84d..1c2dbcce92bfd28775f613a3a38afe5ee244fc31 100644
--- a/README.md
+++ b/README.md
@@ -373,5 +373,44 @@ Assuming you have the `android ndk` in place, you can build the bindings for and
 go get -u golang.org/x/mobile/cmd/gomobile
 gomobile init	
 gomobile bind -x -target android -o mobile/android/obfsvpn.aar ./client/
+```
+## Testing introducer/invite token
+Idea: In a censored environment, the client (code in `bitmask-core`) can use a private proxy to speak with menshen. This communication is also obfuscated using `obfs4`. This repository holds the code of the proxy part.
+
+1) Run the server with `--state`, but without `--persist`. This generates a certificate and caches it to the state directory (`state/obfs4_state.json`). `state/obfs4_bridgeline.txt` shows you the certificate needed for the client side (pinning).
+
+```
+mkdir state/
+go run ./cmd/server --addr 127.0.0.1 --port 4430 --remote 127.0.0.1:8443 --state $(pwd)/state -v
+...
+pea@peabox: cat state/obfs4_bridgeline.txt
+# obfs4 torrc client bridge line
+#
+# This file is an automatically generated bridge line based on
+# the current obfs4proxy configuration.  EDITING IT WILL HAVE
+# NO EFFECT.
+#
+# Before distributing this Bridge, edit the placeholder fields
+# to contain the actual values:
+#  <IP ADDRESS>  - The public IP address of your obfs4 bridge.
+#  <PORT>        - The TCP/IP port of your obfs4 bridge.
+#  <FINGERPRINT> - The bridge's fingerprint.
+
+Bridge obfs4 <IP ADDRESS>:<PORT> <FINGERPRINT> cert=9922C2bKo6PY4iipssMfOH01eb86dcJZD65dPkdL3vJMMGy7h3CLFUDYK3/Udc6tB2h8aQ iat-mode=0
+```
+
+2) Then you can run the proxy and just use the the previously generated certificate. As the client pins the certificate, it's nice to have a persistent certificate.
 
 ```
+go run ./cmd/server --addr 127.0.0.1 --port 4430 --remote 127.0.0.1:8443 --state $(pwd)/state -v --persist
+2024/11/13 10:49:33 Using obfs4 config file: /home/pea/leap/obfsvpn/state/obfs4_state.json
+DEBUG 2024/11/13 10:49:33 kcp: false, hop: false, udp: false, quic: false
+2024/11/13 10:49:33 Listening on 127.0.0.1:4430…
+
+DEBUG 2024/11/13 10:50:08 accepted connection from 127.0.0.1:46398
+2024/11/13 10:50:08 Dialing: 127.0.0.1:8443
+2024/11/13 10:50:08 Obfs4 client: 127.0.0.1:46398
+--> Entering copy loop.
+```
+
+In this case, the proxy is listening on `127.0.0.1:4430` and the upstream menshen instance is listening on `127.0.0.1:8443`. To use/test this code, you need the client side part. It's documented [here](https://0xacab.org/leap/bitmask-core-cli/-/blob/347ed72416e3249bfdccd334e04d32767107e91b/README.md#testing-introducerinvite-code). It's basically a simple `curl` using the proxy+obfs4.