diff --git a/website/source/api/secret/identity/tokens.html.md b/website/source/api/secret/identity/tokens.html.md index d32ec2e5b6..d13ac9494e 100644 --- a/website/source/api/secret/identity/tokens.html.md +++ b/website/source/api/secret/identity/tokens.html.md @@ -91,7 +91,9 @@ This endpoint creates or updates a named key which is used by a role to sign tok - `verification_ttl` `(int or time string: "24h")` - Controls how long the public portion of a signing key will be available for verification after being rotated. -- `algorithm` `(string: "RS256")` - Signing algorithm to use. This will default to `"RS256"`, and is currently the only allowed value. +- `allowed_client_ids` `(list: [])` - Array of role client ids allowed to use this key for signing. If empty, no roles are allowed. If "*", all roles are allowed. + +- `algorithm` `(string: "RS256")` - Signing algorithm to use. Allowed values are: RS256 (default), RS384, RS512, ES256, ES384, ES512, EdDSA. ### Sample Payload diff --git a/website/source/docs/secrets/identity/index.html.md b/website/source/docs/secrets/identity/index.html.md index 55bd0ddd65..1aee17a18f 100644 --- a/website/source/docs/secrets/identity/index.html.md +++ b/website/source/docs/secrets/identity/index.html.md 
@@ -167,12 +167,17 @@ verify the signature. Key are regularly rotated, whereby a new key pair is generated and the previous _public_ key is retained for a limited time for verification purposes. -A named key's configuration specifies a rotation period, a verification ttl, and -signing algorithm. Rotation period specifies the frequency at which a new -signing key is generated and the private portion of the previous signing key is -deleted. Verification ttl is the time a public key is retained for verification, -after being rotated. By default, keys are rotated every 24 hours, and continue -to be available for verification for 24 hours after their rotation. +A named key's configuration specifies a rotation period, a verification ttl, +signing algorithm and allowed client IDs. Rotation period specifies the +frequency at which a new signing key is generated and the private portion of the +previous signing key is deleted. Verification ttl is the time a public key is +retained for verification, after being rotated. By default, keys are rotated +every 24 hours, and continue to be available for verification for 24 hours after +their rotation. + +A key's list of allowed client IDs limits which roles may reference the key. The +parameter may be set to `*` to allow all roles. The validity evaluation is made +when a token is requested, not during configuration. ### Token Contents and Templates
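Review bot: in the `allowed_client_ids` entry of the first hunk (`website/source/api/secret/identity/tokens.html.md`) the type is given as `list: []` but the wildcard is described as `If "*", all roles are allowed`, so a reader cannot tell whether to send the string `"*"` or the one-element list `["*"]`; write out the exact accepted form. The same entry makes the empty default deny every role, which affects any key that roles already reference; add a sentence on how keys created before this parameter existed are treated on upgrade, and update the `### Sample Payload` that follows so it shows the new field. The `algorithm` line, now that it lists several values, should also say whether the algorithm of an existing key may be changed, since the previous text allowed only RS256.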
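Review bot: the closing sentence of the second hunk (`website/source/docs/secrets/identity/index.html.md`), `The validity evaluation is made when a token is requested, not during configuration.`, is the point operators most need and it is too terse: state explicitly that configuring a role that references a key whose `allowed_client_ids` does not include that role's client ID succeeds, and that the error surfaces only when a token is generated for the role, so issuance should be tested after either side is changed. It would also help to say that the match is on the role's client ID, not the role name, since the paragraph speaks of `which roles may reference the key` while the parameter is `allowed_client_ids`. The unchanged context line `Key are regularly rotated` carries a typo (`Keys are`) that this hunk could fix while it is already rewriting the paragraph.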