diff --git a/pkg/apis/authentication/types.go b/pkg/apis/authentication/types.go
index 203bf22bb34..a33dfe98985 100644
--- a/pkg/apis/authentication/types.go
+++ b/pkg/apis/authentication/types.go
@@ -135,7 +135,9 @@ type TokenRequestSpec struct {
 	ExpirationSeconds int64
 
 	// BoundObjectRef is a reference to an object that the token will be bound to.
-	// The token will only be valid for as long as the bound objet exists.
+	// The token will only be valid for as long as the bound object exists.
+	// NOTE: The API server will validate the BoundObjectRef, but other audiences
+	// may not. Keep ExpirationSeconds small if you want prompt revocation.
 	BoundObjectRef *BoundObjectReference
 }