diff --git a/CHANGELOG.md b/CHANGELOG.md index 2ab6111..2721b93 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,7 +7,17 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## Unreleased -## 0.3.2 - (2023-1-??) +## 0.4.0 - (2023-1-21) + +### Added + +- claims checker (stabilisation, tests, documentation) + +### Fixed + +- added missing WWW-Authenticate header to errors + +## 0.3.2 - (2023-1-18) ### Fixed diff --git a/README.md b/README.md index edc2f46..c3c83a1 100644 --- a/README.md +++ b/README.md @@ -7,7 +7,8 @@ JWT authorizer Layer for Axum. - JWT token verification (Bearer) - Claims extraction - JWKS endpoint support (with refresh) -- algoritms: ECDSA, RSA, EdDSA, HS +- Algoritms: ECDSA, RSA, EdDSA, HS +- Claims checker ## Usage diff --git a/jwt-authorizer/docs/README.md b/jwt-authorizer/docs/README.md index 5dd02d7..5e84851 100644 --- a/jwt-authorizer/docs/README.md +++ b/jwt-authorizer/docs/README.md @@ -33,4 +33,31 @@ Example: axum::Server::bind(&"0.0.0.0:3000".parse().unwrap()) .serve(app.into_make_service()).await.expect("server failed"); # }; -``` \ No newline at end of file +``` + +## ClaimsChecker + +A check function (mapping deserialized claims to boolean) can be added to the authorizer. + +A check failure results in a 403 (WWW-Authenticate: Bearer error="insufficient_scope") error. + +Example: + +```rust + + use jwt_authorizer::{JwtAuthorizer}; + use serde::Deserialize; + + // Authorized entity, struct deserializable from JWT claims + #[derive(Debug, Deserialize, Clone)] + struct User { + sub: String, + } + + let authorizer = JwtAuthorizer::new() + .from_rsa_pem("../config/jwtRS256.key.pub") + .with_check( + |claims: &User| claims.sub.contains('@') // must be an email + ); +``` +
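Review bot: The "Fixed" entry in the 0.4.0 section of CHANGELOG.md ("added missing WWW-Authenticate header to errors") should say which error responses now carry the header, since Bearer clients key their behaviour off it; the docs hunk in this same patch describes the 403 with `WWW-Authenticate: Bearer error="insufficient_scope"`, so at minimum name that response here, and consider the entry a behaviour change worth a line under "Changed" as well if any response that previously lacked the header now has one.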
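Review bot: The replacement line in README.md still carries the typo "Algoritms"; since the line is being touched anyway, make it `- Algorithms: ECDSA, RSA, EdDSA, HS`.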
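Review bot: The new ClaimsChecker section in jwt-authorizer/docs/README.md does not say when the check runs relative to token verification; add a sentence stating that the closure only receives claims from a token whose signature and standard claims have already been validated, so readers do not read the check as a substitute for verification. In the example, the comment `// must be an email` overstates what `claims.sub.contains('@')` does; reword it to something like `// toy check: sub must contain '@'` so the snippet is not mistaken for email validation. Two small style points: the fence opens with a blank line before `use jwt_authorizer::{JwtAuthorizer};`, and the braces around the single import are unnecessary.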