diff --git a/README.md b/README.md
index e132badf..53ea0e6d 100644
--- a/README.md
+++ b/README.md
@@ -22,3 +22,8 @@ kubectl apply -f "https://github.com/kubevirt/vm-console-proxy/releases/latest/d
 
 ## API
 See the [API documentation](docs/api.md).
+
+### API Access Permissions
+
+The `token.kubevirt.io:generate` `ClusterRole` can be bound to users or service accounts to give
+them permission to call the API.
diff --git a/docs/api.md b/docs/api.md
index 1caca94b..2ab077a8 100644
--- a/docs/api.md
+++ b/docs/api.md
@@ -44,4 +44,8 @@ KUBERNETES_USER_TOKEN=$(oc whoami -t)
 ### Revoking a token
 Revoking a single token is not possible. 
 All tokens associated with a VM can be revoked by deleting the `ServiceAccount` that was created for generating them.
-It is in the same namespace as the VM, its name is `${VM_NAME}-vnc-access`, and it has `ownerReference` set to the VM. 
\ No newline at end of file
+It is in the same namespace as the VM, its name is `${VM_NAME}-vnc-access`, and it has `ownerReference` set to the VM.
+
+```bash
+kubectl delete serviceaccount --namespace "${VM_NAMESPACE}" "${VM_NAME}-vnc-access"
+```