update wording to allow authorization events to include multiple x tags

buds/01.md

@@ -1,8 +1,6 @@
-BUD-01
-======
+# BUD-01
 
-Server requirements and blob retrieval
---------------------------------------
+## Server requirements and blob retrieval
 
 `draft` `mandatory`
 
@@ -24,6 +22,8 @@ Events MUST have the `content` set to a human readable string explaining to the
 
 All events MUST have a [NIP-40](https://github.com/nostr-protocol/nips/blob/master/40.md) `expiration` tag set to a unix timestamp at which the event should be considered expired.
 
+Authorization events MAY have multiple `x` tags for endpoints that require a sha256 hash.
+
 Example event:
 
 ```json
@@ -35,6 +35,7 @@ Example event:
   "created_at": 1708773959,
   "tags": [
     ["t", "upload"],
+    // Authorization events MAY have multiple "x" tags
     ["x", "b1674191a88ec5cdd733e4240a81803105dc412d6c6708d53ab94fc248f4f553"],
     ["expiration", "1708858680"]
   ],
@@ -69,6 +70,7 @@ For HTTP `4xx` and `5xx` status codes servers MUST repond with `Content-Type: ap
 The `message` field MUST be human readable and should explain the reason for the error. Optionally servers may include other fields for the client with more information about the error
 
 Example Error response:
+
 ```
 HTTP/2 401
 content-type: application/json; charset=utf-8
@@ -97,7 +99,7 @@ The server may optionally require authorization when retrieving blobs from the `
 In this case the server MUST perform additional checks on the authorization event
 
 1. A `t` tag MUST be present and set to `get`
-2. The event MUST contain either a `server` tag containing the full URL to the server or MUST contain an `x` tag with the sha256 of the blob being retrieved
+2. The event MUST contain either a `server` tag containing the full URL to the server or MUST contain at least one `x` tag matching sha256 hash of the blob being retrieved
 
 If the client did not send an `Authorization` header the server must respond with the appropriate HTTP status code `401` (Unauthorized)