diff --git a/website/content/api-docs/auth/kubernetes.mdx b/website/content/api-docs/auth/kubernetes.mdx index b36eee0990..111bb918eb 100644 --- a/website/content/api-docs/auth/kubernetes.mdx +++ b/website/content/api-docs/auth/kubernetes.mdx @@ -146,10 +146,10 @@ entities attempting to login. [LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.24/#labelselector-v1-meta). Currently, label selectors with `matchExpressions` are not supported. To use label selectors, **Vault must have permission to read namespaces** on the Kubernetes cluster. If set with `bound_service_account_namespaces`, the conditions are `OR`ed. -- `audience` `(string: "")` - Optional Audience claim to verify in the JWT. +- `audience` `(string: "")` - Audience claim to verify in the JWT. Will be required in Vault 1.21+. - `alias_name_source` `(string: "serviceaccount_uid")` - Configures how identity aliases are generated. Valid choices are: `serviceaccount_uid` and `serviceaccount_name`. - + When you specify `serviceaccount_uid`, Vault uses a machine generated UID from the service account as the identity alias name. Using a service account UID is both the default and the recommended method as it the more secure option. diff --git a/website/content/docs/auth/kubernetes.mdx b/website/content/docs/auth/kubernetes.mdx index 8033c9b1a6..a7432811ed 100644 --- a/website/content/docs/auth/kubernetes.mdx +++ b/website/content/docs/auth/kubernetes.mdx @@ -107,9 +107,13 @@ management tool. bound_service_account_names=myapp \ bound_service_account_namespaces=default \ policies=default \ + audience=myapp \ ttl=1h ``` + !> **Note:** `audience` will be a required field in Vault 1.21+. This field is used + to verify the JWT token's audience claim. + This role authorizes the "myapp" service account in the default namespace and it gives it the default policy.
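Review bot: In the first hunk (api-docs `audience` parameter) the new wording "Will be required in Vault 1.21+" sits next to a default of `(string: "")`, which leaves the reader unsure whether an empty value is still accepted today and what happens to existing roles that omit it; state both explicitly, for example "Optional in current releases (a role created without it still works); required from Vault 1.21". It would also help to say what value is expected: the claim must match the audience the service account token was issued for, otherwise login is rejected, since the parameter text only says the claim is "verified".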
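Review bot: In the second hunk (docs example role) `audience=myapp` is added to the `vault write` example but nothing in the surrounding example shows the client token being issued with that audience, so a reader who copies the role verbatim and logs in with a default service account token (whose `aud` is the API server's, not `myapp`) will hit a verification failure; either add a sentence saying the value must match the `aud` of the JWT presented at login (a projected token requesting audience `myapp`), or use a value consistent with the login example. Minor: "JWT token" is redundant; "to verify the JWT's audience claim" reads better in the `!>` note.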