diff --git a/keymanager-oapi.yaml b/keymanager-oapi.yaml index 79c81b2..a5708e5 100644 --- a/keymanager-oapi.yaml +++ b/keymanager-oapi.yaml @@ -12,11 +12,12 @@ info: All requests by default send and receive JSON, and as such should have either or both of the "Content-Type: application/json" and "Accept: application/json" headers. - All sensitive routes are to be authenticated with a token. This token should be provided by the user via a secure channel: - - Log the token file path to stdout when running the binary with the key manager API enabled - - Read the token from a file available to the binary, the path to the token file should be configurable - - If the token file does not exist or is empty, generate a new token and write it to the file - - The token should remain the same across multiple restarts of the binary + All sensitive routes MUST be authenticated with a token. + + The keymanager binary SHOULD accept a configuration parameter: `token-file`, which designates a file containing the hex-encoded token + of at least 256 bits. If such a parameter is not given, the client SHOULD generate such a token and write it to a file, to be reused + across multiple restarts of the binary. If such a parameter is given, but the file or token cannot be read, the client SHOULD treat this + as an error: either abort the startup, or show the error and continue without exposing the keymanager routes. version: "v1.0.0" contact: name: Ethereum Github
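Review bot: The rewritten `token-file` paragraph drops the removed requirement to log the token file path to stdout, and its no-parameter case says only "write it to a file", so an operator has no specified way to locate a generated token. Suggest naming a default location or requiring the path (never the token value) to be logged at startup. In the same paragraph, "the file or token cannot be read" does not say what happens when the file exists but is empty, is not valid hex, or holds fewer than 256 bits. The removed text regenerated the token for a missing or empty file, so the new text should state whether those cases are now errors. Authentication is MUST, but the failure handling is only SHOULD; consider MUST for "either abort the startup, or show the error and continue without exposing the keymanager routes" so that a client cannot fall back to a weaker mode. The paragraph also alternates between "keymanager binary" and "client" for the same actor; pick one. Finally, it would help to add that the generated token comes from a cryptographically secure random source and that the file is created readable only by the owning user.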