2 changes: 2 additions & 0 deletions content/developers/overview/secret-scanning.md
Expand Up @@ -88,6 +88,8 @@ We strongly recommend you implement signature validation in your secret alert se

You can retrieve the {% data variables.product.prodname_dotcom %} secret scanning public key from https://api.github.com/meta/public_keys/secret_scanning and validate the message using the `ECDSA-NIST-P256V1-SHA256` algorithm.

> Important: While the public key endpoint above does not require authentication, if no authentication is present, requests may be heavily rate limited. Please use a PAT as suggested below, or implement caching or [conditional requests](/rest/guides/getting-started-with-the-rest-api#conditional-requests) using ETags.

Assuming you receive the following message, the code snippets below demonstrate how you could perform signature validation.
The code also assumes you've set an environment variable called `GITHUB_PRODUCTION_TOKEN` with a generated PAT (https://github.com/settings/tokens). The token does not need any permissions set.

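Review bot: The added "Important" note recommends caching the public key but says nothing about when a cached copy should be refreshed, which matters because the surrounding text tells readers to validate every alert against the key fetched from this endpoint; suggest adding a sentence such as "Refresh the cached key set when an incoming alert references a key you do not have, and use conditional requests so refreshes are cheap", so that a long-lived cache does not silently break validation if the key is ever rotated. Minor style points for the same line: "Please use a PAT as suggested below" would read better as "Use a PAT (see the `GITHUB_PRODUCTION_TOKEN` setup below)", since "as suggested below" is ambiguous about which paragraph it refers to, and the literal "rate limited" could link to the REST rate-limit documentation the way conditional requests already link to theirs.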