diff --git a/README.md b/README.md index 56c527c..a662259 100644 --- a/README.md +++ b/README.md @@ -69,8 +69,9 @@ Send it to the user as base64. ```php createChallenge(); +// Generate and manage challenge +$challenge = \Firehed\WebAuthn\ExpiringChallenge::withLifetime(300); +$challengeManager->manageChallenge($challenge); // Send to user header('Content-type: application/json'); @@ -223,7 +224,9 @@ $_SESSION['authenticating_user_id'] = $user['id']; // See examples/functions.php for how this works $credentialContainer = getCredentialsForUserId($pdo, $user['id']); -$challenge = $challengeManager->createChallenge(); +// Generate and manage challenge +$challenge = \Firehed\WebAuthn\ExpiringChallenge::withLifetime(300); +$challengeManager->manageChallenge($challenge); // Send to user header('Content-type: application/json'); @@ -595,6 +598,7 @@ In the event you find this necessary, you SHOULD open an Issue and/or Pull Reque Challenges generated by your server SHOULD expire after a short amount of time. You MAY use the `ExpiringChallenge` class for convenience (e.g. `$challenge = ExpiringChallenge::withLifetime(60);`), which will throw an exception if the specified expiration window has been exceeded. It is RECOMMENDED that your javascript code uses the `timeout` setting (denoted in milliseconds) and matches the server-side challenge expiration, give or take a few seconds. +W3C recommends timeouts between 5 and 10 minutes. > [!NOTE] > The W3C specification recommends a timeout in the range of 15-120 seconds.
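Review bot: in the first hunk (`@@ -69,8 +69,9 @@`, the registration flow) the new example hard-codes `ExpiringChallenge::withLifetime(300)`, while the prose later in the same README illustrates the class with `withLifetime(60)` and tells readers to keep the JavaScript `timeout` (milliseconds) matched to the server-side expiry; the example should either use the same value as the prose or name the `timeout` value it expects the client to send (300 s would be `300000` ms). The hunk also introduces `$challengeManager->manageChallenge($challenge)` in place of `createChallenge()` without any surrounding text saying what `manageChallenge` does or that it now stores the caller-supplied challenge; a one-line comment or a sentence pointing at the challenge-manager documentation would stop readers from assuming the old `createChallenge()` call is still available.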
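Review bot: the second hunk (`@@ -223,7 +224,9 @@`, the authentication flow) is a verbatim copy of the first, so the same two points apply: the `300` lifetime should agree with the `60` used in the prose and with whatever client-side `timeout` the JavaScript examples use, and `manageChallenge` needs a word of explanation. Since the comment `// Generate and manage challenge` and the two lines below it now appear identically in both flows, consider stating once (for example next to `getCredentialsForUserId` in `examples/functions.php`, which this hunk already references) that the challenge must be generated and managed the same way for registration and authentication, rather than letting the two copies drift apart on a later edit.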
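Review bot: the third hunk (`@@ -595,6 +598,7 @@`) adds "W3C recommends timeouts between 5 and 10 minutes." immediately above an unchanged `> [!NOTE]` block that says "The W3C specification recommends a timeout in the range of 15-120 seconds."; as merged, the README contradicts itself within two lines. If the 5-10 minute figure reflects a newer revision of the specification, the note block should be updated (or removed) in the same change and the spec version cited; if not, the new sentence should be dropped. Whichever range is kept, the `withLifetime(300)` examples added in the first two hunks and the `withLifetime(60)` example in this paragraph should be brought into line with it, otherwise users copying the code will set a server-side expiry that the README's own guidance calls out of range.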