Commit

Actually make it part of the store, not the get
bvandersloot-mozilla committed Sep 18, 2024
1 parent 7588693 commit 388a506
Showing 1 changed file with 4 additions and 2 deletions.
6 changes: 4 additions & 2 deletions README.md
Expand Up @@ -290,14 +290,13 @@ let credential = await navigator.credentials.get({
origin: "https://login.idp.net",
loginURL: "https://bounce.example.com/?u=https://login.idp.net/login.html?r=https://rp.net/",
loginTarget: "redirect",
tokenURL: "https://auth.login.net/api/v1/refresh_token",
},
]
}
});
```

This example shows the use perfect for a "Log in with Foo" button, where one identity provider is presented, and if the user has not already logged in, they may be redirected to that provider's login page. This redirect behavior is only permitted when there is only one provider in the list. A provider with `loginURL` field indicates that this is the expected mode. If `loginURL` is present, but `origin` is not, its value can be inferred as the origin of the link. Regardless of how it gets there, when the credential is to be returned to the user, if it is present the browser fetches the `tokenURL` (which must be in the same origin as `origin`) with unpartitioned cookies to populate the `Credential`'s `token` member.
This example shows the use perfect for a "Log in with Foo" button, where one identity provider is presented, and if the user has not already logged in, they may be redirected to that provider's login page. This redirect behavior is only permitted when there is only one provider in the list. A provider with `loginURL` field indicates that this is the expected mode. If `loginURL` is present, but `origin` is not, its value can be inferred as the origin of the link.

Another use example, provided below, shows how to request a credential from one of many IDPs the user may have already linked to this page.
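
Review bot: the sentence removed from the paragraph after the `get()` example was the one stating that `tokenURL` "must be in the same origin as `origin`", and the replacement paragraph no longer carries that constraint. Now that the identity provider sets `tokenURL` when it stores the credential, please state explicitly whether the same-origin requirement still holds, next to wherever `tokenURL` is documented, or note in the commit message that it was dropped on purpose. Separately, the retained opening "This example shows the use perfect for" would read better as "This example shows a use suited to".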

Expand Down Expand Up @@ -377,6 +376,7 @@ let cred = await navigator.credentials.create({
effectiveOrigins: ["https://rp1.biz", "https://rp2.info"], // optional
effectiveQueryURL: "https://api.login.idp.net/v1/foo", // optional
effectiveType: "example-string-to-match", // optional
tokenURL: "https://auth.login.net/api/v1/refresh_token", // optional
}
});
await navigator.credentials.store(cred);
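
Review bot: the new `tokenURL` value in the `create()` example points at `auth.login.net`, while `effectiveQueryURL` two lines above uses `api.login.idp.net`, so the example reads as if the token endpoint belongs to a different site than the identity provider storing the credential. Suggest using a host under the same identity provider naming as the rest of the example, and extending the `// optional` comment to say which origin the URL is allowed to be on.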
Expand All @@ -386,6 +386,8 @@ This allows the identity provider to be used without a redirect flow if the user

This reduces the need for NASCAR pages. Since we allow identity providers to declare themselves and several that are unlinked to be included in the same credential chooser, we remove the need for NASCAR pages where a user has visited the identity provider before. In those cases where there are no registered identity providers or there are none that are acceptable to a user, the relying party can show fallback content that presents a set of candidate identity providers. Because the choice is not shown to users until obtaining a credential is unsuccessful, the added complexity of the interface might be easier for sites to manage.

Additionally, by if a `tokenURL` is storeed on the credential, when the credential is to be returned to the user, if it is present the browser fetches the `tokenURL` with the identity provider's unpartitioned cookies to populate the returned `Credential`'s `token` member.

## Identity Provider API, Attaching Account Information to a Credential

We add optional fields to facilitate the user's selection of the credential from the credential chooser. These match the fields in the `CredentialDataMixin` from the `Credential Management Level 1` spec.
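
Review bot: the added sentence beginning "Additionally, by if a `tokenURL` is storeed on the credential" has a stray "by", misspells "stored", and states the condition twice ("if a `tokenURL` is storeed" and "if it is present"). Suggested wording: "Additionally, if a `tokenURL` is stored on the credential, the browser fetches it with the identity provider's unpartitioned cookies when the credential is returned, to populate the returned `Credential`'s `token` member." Because this describes a fetch that carries unpartitioned cookies, the sentence should also say which origins a stored `tokenURL` may point to.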