diff --git a/step-ca/certificate-authority-server-production.mdx b/step-ca/certificate-authority-server-production.mdx index 029d8ddb..9baf86eb 100644 --- a/step-ca/certificate-authority-server-production.mdx +++ b/step-ca/certificate-authority-server-production.mdx @@ -554,6 +554,12 @@ There's a few things you should know before you deploy this setup: (or set `STEP_MTLS` to `false`). This will trigger an alternative renewal flow that employs authentication tokens. (See `step ca renew --help` for more details.) +- The authentication token is a JWT that contains the CA URL in its audience claim. + The CA expects the audience to match one of its configured DNS names. + If your proxy server is available on a different domain than your CA, + your CA needs to be configured to have the domain of your proxy server + as one of its DNS names in the `dnsNames` property in `ca.json`. + (See [configuration options](./configuration.mdx#basic-configuration-options) for more details.) - By design, `step-ca` does not have an option to run in HTTP only. Philosophically, we value perimeterless security and we believe people should use encryption everywhere.
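Review bot: the new bullet is ambiguous about which URL ends up in the audience claim; "contains the CA URL" reads as the CA's own address, yet the bullet then requires the proxy's name in `dnsNames`, which only makes sense if the audience is the URL the client was pointed at (the proxy). Suggest rewording the first line to something like "The authentication token is a JWT whose audience claim carries the CA URL the client was configured with (the proxy URL in this setup)." so the reason for the `dnsNames` requirement is explicit. Two smaller points in the same hunk: `dnsNames` holds hostnames, so "a different domain than your CA" would be clearer as "a different hostname than your CA", and the bullet should state the failure mode (the token is rejected when its audience is not one of the configured DNS names) so readers can recognise the resulting renewal error rather than only the fix.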