diff --git a/Security-Configuration.md b/Security-Configuration.md
index 4fafe51..8573f8f 100644
--- a/Security-Configuration.md
+++ b/Security-Configuration.md
@@ -11,14 +11,21 @@ $ weed scaffold -config=security
 #    /etc/seaweedfs/security.toml
 # this file is read by master, volume server, and filer
 
-# the jwt signing key is read by master and volume server
-# a jwt expires in 10 seconds
+# the jwt signing key is read by master and volume server.
+# a jwt defaults to expire after 10 seconds.
 [jwt.signing]
 key = ""
+expires_after_seconds = 10           # seconds
+
+# jwt for read is only supported with master+volume setup. Filer does not support this mode.
+[jwt.signing.read]
+key = ""
+expires_after_seconds = 10           # seconds
 
 # volume server also uses grpc that should be secured.
 
 # all grpc tls authentications are mutual
+# the following ca, cert, key are file locations
 [grpc]
 ca = ""