Updated token mounting docs (#4919)

alicejgibbons · marcduiker · web-flow · commit 02ef0b092bce · 2025-10-20T18:15:34.000+01:00
Signed-off-by: Alice Gibbons &lt;alice@diagrid.io&gt;
Co-authored-by: Marc Duiker &lt;marcduiker@users.noreply.github.com&gt;
diff --git a/daprdocs/content/en/operations/security/api-token.md b/daprdocs/content/en/operations/security/api-token.md
@@ -52,45 +52,12 @@ annotations:
 
 When deployed, Dapr sidecar injector will automatically create a secret reference and inject the actual value into `DAPR_API_TOKEN` environment variable.
 
-## Rotate a token
-
-### Self-hosted
-
-To rotate the configured token in self-hosted, update the `DAPR_API_TOKEN` environment variable to the new value and restart the `daprd` process.
-
-### Kubernetes
-
-To rotate the configured token in Kubernetes, update the previously-created secret with the new token in each namespace. You can do that using `kubectl patch` command, but a simpler way to update these in each namespace is by using a manifest:
-
-```yaml
-apiVersion: v1
-kind: Secret
-metadata:
-  name: dapr-api-token
-type: Opaque
-data:
-  token: <your-new-token>
-```
-
-And then apply it to each namespace:
-
-```shell
-kubectl apply --file token-secret.yaml --namespace <namespace-name>
-```
-
-To tell Dapr to start using the new token, trigger a rolling upgrade to each one of your deployments:
-
-```shell
-kubectl rollout restart deployment/<deployment-name> --namespace <namespace-name>
-```
-
-> Assuming your service is configured with more than one replica, the key rotation process does not result in any downtime.
 
 ## Adding API token to client API invocations
 
-Once token authentication is configured in Dapr, all clients invoking Dapr API need to append the `dapr-api-token` token to every request. 
+Once token authentication is configured in Dapr, all clients invoking the Dapr APIs need to append the `dapr-api-token` token to every request.
 
-> **Note:** The Dapr SDKs read the [DAPR_API_TOKEN]({{% ref environment %}}) environment variable and set it for you by default.
+> **Note:** The Dapr SDKs read the [DAPR_API_TOKEN]({{% ref environment %}}) environment variable and set it for you by default, however you still must ensure that your app has access to the environment variable.
 
 <img src="/images/tokens-auth.png" width=800 style="padding-bottom:15px;">
 
@@ -122,15 +89,18 @@ dapr-api-token[0].
 
 ### Kubernetes
 
-In Kubernetes, it's recommended to mount the secret to your pod as an environment variable, as shown in the example below, where a Kubernetes secret with the name `dapr-api-token` is used to hold the token.
+In Kubernetes, it's required to mount the API token on your application pod as an environment variable, when your application is making outbound calls to the Dapr APIs (Service Invocation invoke, Pub/sub publish, etc.), otherwise the request will fail with an `Unauthorized` error. Mounting the environment variable is done by providing the name of the Kubernetes secret in your application pod specification, as shown in the example below, where a Kubernetes secret with the name `dapr-api-token` is used to hold the token.
 
 ```yaml
 containers:
   - name: mycontainer
     image: myregistry/myapp
-    envFrom:
-    - secretRef:
-      name: dapr-api-token
+    env:
+      - name: DAPR_API_TOKEN
+        valueFrom:
+          secretKeyRef:
+            name: dapr-api-token
+            key: token
 ```
 
 ### Self-hosted
@@ -141,6 +111,40 @@ In self-hosted mode, you can set the token as an environment variable for your a
 export DAPR_API_TOKEN=<my-dapr-token>
 ```
 
+## Rotate a token
+
+### Self-hosted
+
+To rotate the configured token in self-hosted, update the `DAPR_API_TOKEN` environment variable to the new value and restart the `daprd` process.
+
+### Kubernetes
+
+To rotate the configured token in Kubernetes, update the previously-created secret with the new token in each namespace. You can do that using `kubectl patch` command, but a simpler way to update these in each namespace is by using a manifest:
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: dapr-api-token
+type: Opaque
+data:
+  token: <your-new-token>
+```
+
+And then apply it to each namespace:
+
+```shell
+kubectl apply --file token-secret.yaml --namespace <namespace-name>
+```
+
+To tell Dapr to start using the new token, trigger a rolling upgrade to each one of your deployments:
+
+```shell
+kubectl rollout restart deployment/<deployment-name> --namespace <namespace-name>
+```
+
+> Assuming your service is configured with more than one replica, the key rotation process does not result in any downtime.
+
 ## Related Links
 
 - Learn about [Dapr security concepts]({{% ref security-concept.md %}})
