diff --git a/website/source/docs/auth/app-id.html.md b/website/source/docs/auth/app-id.html.md
index 111d0a6f9f..6fdfcc9bbc 100644
--- a/website/source/docs/auth/app-id.html.md
+++ b/website/source/docs/auth/app-id.html.md
@@ -79,14 +79,15 @@ example is shown below, use `vault help` for more details.
 $ vault write auth/app-id/map/app-id/foo value=root display_name=foo
 ...
 
-$ vault write auth/app-id/map/user-id/bar value=foo
+$ vault write auth/app-id/map/user-id/bar value=foo cidr_block=10.0.0.0/16
 ...
 ```
 
 The above creates an App ID "foo" that associates with the policy "root".
 The `display_name` sets the display name for audit logs and secrets.
 Next, we configure the user ID "bar" and say that the user ID bar
-can be paired with "foo".
+can be paired with "foo" but only in client is in the "10.0.0.0/16" CIDR block.
+The `cidr_block` configuration is optional.
 
 This means that if a client authenticates and provide both "foo" and "bar",
 then the app ID will authenticate that client with the policy "root".