diff --git a/README.md b/README.md
index abc56d3..b047c38 100644
--- a/README.md
+++ b/README.md
@@ -12,3 +12,17 @@
 - classify users as spam/not spam. Right now the classification is stored
   locally in `db.json`, no concrete action is taken. (Ultimately we will want to
   lock/delete accounts, etc.)
+
+## Todos
+
+- take concrete actions for spam accounts: lock the account, send a warning
+  email, then delete+purge account after some time.
+- allow changing the classification of already-classified users
+- periodically refresh the database of users from forgejo, and merge them with
+  the local db, handling updates in users data (triggering re-classification if
+  needed)
+- properly handle concurrent clients of the webapp (and handle classification
+  conflicts)
+- add backend to store data on garage instead of local files
+- replate the `api_token` file with a better mechanism: oauth maybe?
+- improve error handling