From 8cbab3b09f7551b680d3b850d1ec4370a09cedbe Mon Sep 17 00:00:00 2001 From: mickael-hc <86245626+mickael-hc@users.noreply.github.com> Date: Fri, 1 Mar 2024 12:18:36 -0500 Subject: [PATCH] docs: update proxy auto-auth recommendations (#25746) * update proxy auto-auth recommmend 1 proxy per application when using auto-auth * Update website/content/docs/agent-and-proxy/proxy/apiproxy.mdx * Update website/content/docs/agent-and-proxy/proxy/apiproxy.mdx * add feedback from @violethynes cannot commit the suggestions due to them being marked as "outdated" --- .../content/docs/agent-and-proxy/proxy/apiproxy.mdx | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/website/content/docs/agent-and-proxy/proxy/apiproxy.mdx b/website/content/docs/agent-and-proxy/proxy/apiproxy.mdx index cf5dcae2a6..2d3785a7f9 100644 --- a/website/content/docs/agent-and-proxy/proxy/apiproxy.mdx +++ b/website/content/docs/agent-and-proxy/proxy/apiproxy.mdx @@ -55,6 +55,12 @@ configuration will be overridden and the token in the request will be used to forward the request to the Vault server. If set to `"force"` Proxy will use the auto-auth token, overwriting the attached Vault token if set. +~> **Note**: When using the proxy's auto-auth token with the `use_auto_auth_token` + configuration, one proxy per application is very strongly recommended, as Vault will + unable to distinguish requests coming from multiple applications through a single proxy. + In situations where a single proxy is shared by multiple applications, setting `use_auto_auth_token` + to `false` (the default) is recommended. + - `prepend_configured_namespace` `(bool: false)` - If set, when Proxy has a namespace configured, such as through the [Vault stanza](/vault/docs/agent-and-proxy/proxy#vault-stanza), all requests 
@@ -79,7 +85,7 @@ or `"forward"`. ### Example configuration Here is an example of a `listener` configuration alongside `api_proxy` configuration to force the use of the auto_auth token -and enforce consistency. +and enforce consistency for a proxy dedicated to a single application. ```hcl # Other Vault Proxy configuration blocks @@ -90,8 +96,7 @@ api_proxy { enforce_consistency = "always" } -listener "tcp" { - address = "127.0.0.1:8100" - tls_disable = true +listener "unix" { + address = "/var/run/vault-proxy.sock } ```
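Review bot: In the first hunk (`@@ -55,6 +55,12 @@`), the added note has a dropped word: "as Vault will unable to distinguish requests" should read "as Vault will be unable to distinguish requests". The note would also be clearer if it named the `"force"` value explicitly. The context lines just above say that in that mode the proxy overwrites any token attached to the request, so an application behind a shared proxy cannot present its own identity even if it tries. As written, the note only refers to "the `use_auto_auth_token` configuration" in general.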
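Review bot: In the second hunk (`@@ -79,7 +85,7 @@`), the unchanged line directly above the edited sentence says "the auto_auth token", while the note added earlier in this patch says "auto-auth token". Since this sentence is being reworded anyway, align the spelling so the example introduction and the note use the same term. The introduction could also say in a few words that the example now listens on a Unix socket, since the listener block changes in the next hunk and the sentence still only mentions "a `listener` configuration".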
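Review bot: In the third hunk (`@@ -90,8 +96,7 @@`), the new `address` line is missing its closing double quote: `address = "/var/run/vault-proxy.sock` should be `address = "/var/run/vault-proxy.sock"`. As committed, the example is not valid HCL, and anyone who copies it gets a parse error. Separately, the example switches from a loopback TCP listener to a Unix socket without saying how access to the socket is limited. The point of the change is a proxy dedicated to one application, so add a sentence or a comment in the block stating that the socket file should be readable and writable only by that application's user or group.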