From 77ebba3ccddb806c11ab8910e0934e4f4c6aa138 Mon Sep 17 00:00:00 2001 From: Jessica Chowdhury <67977755+JessChowdhury@users.noreply.github.com> Date: Tue, 12 Dec 2023 16:27:12 +0000 Subject: [PATCH] docs: adds api key disclaimer (#4390) --- docs/authentication/config.mdx | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/docs/authentication/config.mdx b/docs/authentication/config.mdx index 5e1f92bc4..3d167f6b0 100644 --- a/docs/authentication/config.mdx +++ b/docs/authentication/config.mdx @@ -45,6 +45,13 @@ To enable API keys on a collection, set the `useAPIKey` auth option to `true`. F your API keys will not be. + + Important: + If you change your `PAYLOAD_SECRET`, you will need to regenerate your API keys. +
+ The secret key is used to encrypt the API keys, so if you change the secret, existing API keys will no longer be valid. +
+ #### Authenticating via API Key To authenticate REST or GraphQL API requests using an API key, set the `Authorization` header. The header is case-sensitive and needs the slug of the `auth.useAPIKey` enabled collection, then " API-Key ", followed by the `apiKey` that has been assigned. Payload's built-in middleware will then assign the user document to `req.user` and handle requests with the proper access control. By doing this, Payload recognizes the request being made as a request by the user associated with that API key.
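Review bot: The new "Important" notice in docs/authentication/config.mdx tells readers to regenerate API keys after changing `PAYLOAD_SECRET`, but it does not say how to do that or what clients will see in the meantime. Suggest adding one sentence stating that requests sent with an old key will fail authentication until a new key is issued for each affected user and the clients are updated, plus a pointer to where keys are regenerated. That lets an operator plan a secret rotation as a breaking change for every API-key integration. The two added sentences also overlap ("you will need to regenerate your API keys" and "existing API keys will no longer be valid") and could be merged into one that gives the reason first and the required action second.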