From 60d587f55b66842cd36d20a584f00c4e1128b1dc Mon Sep 17 00:00:00 2001
From: Andrii Chubatiuk <andrew.chubatiuk@gmail.com>
Date: Wed, 27 Nov 2024 12:13:59 +0200
Subject: [PATCH] docs/vmgateway: added to documentation a case, when vm_access
 claim value is of string type

---
 docs/vmgateway.md | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/docs/vmgateway.md b/docs/vmgateway.md
index c96d9aa6b..a1aa2a760 100644
--- a/docs/vmgateway.md
+++ b/docs/vmgateway.md
@@ -31,8 +31,9 @@ See how to request a free trial license [here](https://victoriametrics.com/produ
 
 `vmgateway` supports jwt based authentication. With jwt payload can be configured to give access to specific tenants and labels as well as to read/write.
 
-jwt token must be in following format:
+jwt token must be in one of the following formats:
 
+with `vm_access` claim as JSON object
 ```json
 {
   "exp": 1617304574,
@@ -51,6 +52,15 @@ jwt token must be in following format:
 }
 ```
 
+or with `vm_access` claim as string
+
+```json
+{
+  "exp": 1617304574,
+  "vm_access": "{\"tenant_id\":{\"account_id\":1,\"project_id\":5},\"extra_labels\":{\"team\":\"dev\",\"project\":\"mobile\"},\"extra_filters\": [\"{env=~\\\"prod|dev\\\",team!=\\\"test\\\"}\"],\"mode\":1}"
+}
+```
+
 Where:
 
 * `exp` - required, expire time in unix_timestamp. If the token expires then `vmgateway` rejects the request.