diff --git a/docs/configuration.md b/docs/configuration.md index 76d8948..a4579ee 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -98,6 +98,11 @@ cors_domains: # When CORS is enabled by adding an entry to this option, all origins # matching the "trusted_clients" option will have CORS headers set as # well. If this option is not specified then CORS is disabled. +force_logins: False +# When set to True a user login is required for authorization if at least +# one user has been created, overriding the "trusted_clients" configuration. +# If no users have been created then trusted client checks will apply. +# The default is False. ``` ## `[octoprint_compat]` diff --git a/docs/web_api.md b/docs/web_api.md index 1768877..6c3ab81 100644 --- a/docs/web_api.md +++ b/docs/web_api.md @@ -1541,10 +1541,15 @@ Moonraker's HTTP APIs. JWTs should be included in the `Authorization` header as a `Bearer` type for each HTTP request. If using an API Key it should be included in the `X-Api-Key` header for each HTTP Request. +!!! note + For requests in which clients cannot modify headers it is acceptable + to pass the JWT via the query string's `access_token` argument. + Alternatively client developers may request a `oneshot_token` and + send the result via the `token` query string argument. + !!! warning - Clients should not use the query string to pass arguments to these - APIs. Arguments may be passed as part of the body either in JSON - format or as form-data. + It is strongly recommended that arguments for the below APIs are + passed in the request's body. #### Login User HTTP Request:
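Review bot: In docs/configuration.md, the new `force_logins` comment names only the "trusted_clients" configuration as overridden, so it does not say whether a request carrying an API key is still authorized when the option is True. Please state that explicitly. The condition "if at least one user has been created" is also ambiguous about what happens once every user has been deleted again. Since the fallback silently returns to trusted client checks, an operator who set `force_logins: True` should be able to tell from this text exactly when the option stops having an effect.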
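Review bot: In docs/web_api.md, the added note permits sending the JWT in the `access_token` query string argument without saying what that exposes, and the same hunk softens the warning from "Clients should not use the query string" to a recommendation. A token placed in the URL commonly ends up in server and proxy access logs and in browser history, so the note should present `oneshot_token` as the preferred option and `access_token` as the last resort, and it should point to where a `oneshot_token` is requested. For the warning, keep the removed detail that arguments may be sent in the body as JSON or form-data, and consider retaining "should not" for the APIs below, which begin with Login User.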