keycloak-aplcache

token docs

2/24/2014 10:20:29 PM

Details

diff --git a/docbook/reference/en/en-US/master.xml b/docbook/reference/en/en-US/master.xml
index 0537e1b..ca2a549 100755
--- a/docbook/reference/en/en-US/master.xml
+++ b/docbook/reference/en/en-US/master.xml
@@ -18,6 +18,7 @@
                 <!ENTITY Migration SYSTEM "modules/MigrationFromOlderVersions.xml">
                 <!ENTITY Email SYSTEM "modules/email.xml">
                 <!ENTITY Roles SYSTEM "modules/roles.xml">
+                <!ENTITY Timeouts SYSTEM "modules/timeouts.xml">
                 ]>
 
 <book>
@@ -93,6 +94,7 @@
         &Email;
     </chapter>
     &Roles;
+    &Timeouts;
     &Migration;
 
 </book>
diff --git a/docbook/reference/en/en-US/modules/timeouts.xml b/docbook/reference/en/en-US/modules/timeouts.xml
new file mode 100755
index 0000000..133707a
--- /dev/null
+++ b/docbook/reference/en/en-US/modules/timeouts.xml
@@ -0,0 +1,40 @@
+<chapter id="timeouts">
+    <title>Cookie Timeouts and Token Lifespans</title>
+    <para>
+        If you go to the Settings->Token page of the Keycloak adminstration console there is a bunch of fine tuning
+        you can do as far as login session timeouts go.
+    </para>
+    <para>
+        If you turn on the <literal>Remember Me</literal> switch in the admin console, your login pages will show a
+        "Remember Me" checkbox.  This will set the central login SSO cookie to be a persistent cookie rather than a session
+        cookie.  So, if you close your browser, you may still be logged in if you've checked the "Remember Me" checkbox.
+    </para>
+    <para>
+        The <literal>Central Login Lifespan</literal> sets how long a central login is valid for.  When you are redirected
+        to the Keycloak Server for authentication, and you have already logged in, the Keycloak Server will refresh the
+        cookie used to remember you by between visits.  So, the lifespan time is reset.  If you have "Remember Me"
+        set up, you may want to set this lifespan to be days, weeks, or even months.  Usually though you want it long
+        enough so users can browser various applications that are secured centrally by keycloak in one login session.
+    </para>
+    <para>
+        The <literal>Access Token Lifespan</literal> is how long an access token is valid for.  An access token contains everything
+        an application needs to authorize a client.  It contains roles allowed as well as other user information.  When
+        an access token expires, your application will attempt to refresh it using a refresh token that it obtained in the
+        initial login.  The value of this configuration option should be however long you feel comfortable with the
+        application not knowing if the user's permissions have changed.  This value is usually in minutes or hours.
+    </para>
+    <para>
+        The <literal>Refresh Token Lifespan</literal> is how long a refresh token is valid for.  The value of this is relative
+        to how comfortable you feel with how long you want an application's session to be valid.  This value is usually
+        measured in minutes or hours and should be longer than the Access Token Lifespan.
+    </para>
+    <para>
+        The <literal>Access Code Lifespan</literal> is how long an access code is valid for.  An access code is obtained
+        on the 1st leg of the OAuth 2.0 redirection protocol.  This should be a short time limit.  Usually seconds.
+    </para>
+    <para>
+        The <literal>Access Code Action Lifespan</literal> is how long a user is allowed to attempt a login.  When a user tries
+        to login, they may have to change their password, set up TOTP, or perform some other action before they are redirected
+        back to your application as an authentnicated user.  This value is relatively short and is usually measured in minutes.
+    </para>
+</chapter>
\ No newline at end of file
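Review bot: several typos in the new chapter should be fixed before this ships: "adminstration" should be "administration" in the first para, "so users can browser various applications" should read "so users can browse various applications", "1st leg" reads better as "first leg", and "authentnicated" in the last para should be "authenticated". In the Access Token Lifespan para, "everything an application needs to authorize a client" is inconsistent with the next sentence, which describes the user's roles; "to authorize a user's request" would match what the token actually carries. Markup is also inconsistent: the Remember Me para wraps the switch name in `<literal>` but the checkbox label in bare quotes; use one convention. Finally, the file ends with `\ No newline at end of file`; add the trailing newline so later diffs stay clean.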