diff --git a/node.js/authentication.md b/node.js/authentication.md index 8d76c5911..2a1675605 100644 --- a/node.js/authentication.md +++ b/node.js/authentication.md @@ -369,6 +369,28 @@ npm add @sap/xssec ``` ::: +#### Token Validation + +For tokens issued by SAP Cloud Identity Service, `@sap/xssec` offers two additional validations: (1) token ownership via x5t thumbprint and (2) proof-of-possession. +These validations are enabled by default for requests to the app's `cert` route (`.cert` segment in the domain). + +The default behavior can be overwritten using additional configuration as follows: + +```json +"requires": { + "auth": { + "kind": "ias", + "config": { // passed to @sap/xssec as is + "validation": { + "x5t": { "enabled": false }, + "proofToken": { "enabled": false } + } + } + } +} +``` + +Please see [`@sap/xssec` documentation](https://www.npmjs.com/package/@sap/xssec) for more details. ### Custom Authentication { #custom }
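Review bot: The only configuration example in the new "Token Validation" section switches both checks off (`"x5t": { "enabled": false }` and `"proofToken": { "enabled": false }`) without saying what is lost or when that is appropriate. Since the text says these validations are on by default for the `cert` route, add a sentence stating that disabling them means token ownership and proof-of-possession are no longer verified for those requests, and name the situations in which that is intended, so the snippet is not copied as a default. Two smaller points in the same hunk: the fence is tagged `json` but contains a `//` comment, which is not valid JSON, so either tag it `jsonc` or move "passed to @sap/xssec as is" into the surrounding prose; and "overwritten" in "The default behavior can be overwritten" should read "overridden".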