From 9d4eedcce488bba2a96ae312046790d6ac00ac01 Mon Sep 17 00:00:00 2001
From: Jeff Mitchell <jeffrey.mitchell@gmail.com>
Date: Wed, 2 Nov 2016 13:36:32 -0400
Subject: [PATCH] Update unwrap call documentation

---
 .../source/docs/http/sys-wrapping-unwrap.html.md   | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/website/source/docs/http/sys-wrapping-unwrap.html.md b/website/source/docs/http/sys-wrapping-unwrap.html.md
index c30f51b5d..60af8d6f9 100644
--- a/website/source/docs/http/sys-wrapping-unwrap.html.md
+++ b/website/source/docs/http/sys-wrapping-unwrap.html.md
@@ -17,7 +17,14 @@ description: |-
     simply reading `cubbyhole/response` (which is deprecated), this endpoint
     provides additional validation checks on the token, returns the original
     value on the wire rather than a JSON string representation of it, and
-    ensures that the response is properly audit-logged.
+    ensures that the response is properly audit-logged.<br/><br/>This endpoint
+    can be used by using a wrapping token as the client token in the API call,
+    in which case the `token` parameter is not required; or, a different token
+    with permissions to access this endpoint can make the call and pass in the
+    wrapping token in the `token` parameter. Do _not_ use the wrapping token in
+    both locations; this will cause the wrapping token to be revoked but the
+    value to be unable to be looked up, as it will basically be a double-use of
+    the token!
   </dd>
 
   <dt>Method</dt>
@@ -31,8 +38,9 @@ description: |-
     <ul>
       <li>
         <span class="param">token</span>
-        <span class="param-flags">required</span>
-        The wrapping token ID.
+        <span class="param-flags">optional</span>
+        The wrapping token ID; required if the client token is not the wrapping
+        token. Do not use the wrapping token in both locations.
       </li>
     </ul>
   </dd>