Merged
1 change: 1 addition & 0 deletions keywords.md
Expand Up @@ -606,6 +606,7 @@ The following list shows the keywords in TiDB. Reserved keywords are marked with
- TINYINT (R)
- TINYTEXT (R)
- TO (R)
- TOKEN_ISSUER
- TOPN (R)
- TRACE
- TRADITIONAL
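Review bot: nothing in this change documents where the new `TOKEN_ISSUER` keyword is accepted; the other files only describe `tidb_auth_token` and its configuration items. Suggest adding a sentence or link in the `tidb_auth_token` documentation that shows the statement and clause using `TOKEN_ISSUER`, so a reader who meets the keyword in this list can find what it does.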
5 changes: 3 additions & 2 deletions security-compatibility-with-mysql.md
Expand Up @@ -17,7 +17,7 @@ TiDB supports similar security functionality to MySQL 5.7, with the following ex

TiDB supports multiple authentication methods. These methods can be specified on a per user basis using [`CREATE USER`](/sql-statements/sql-statement-create-user.md) and [`ALTER USER`](/sql-statements/sql-statement-create-user.md). These methods are compatible with the authentication methods of MySQL with the same names.

You can use one of the following supported authentication methods in the table. To specify a default method that the server advertises when the client-server connection is being established, set the [`default_authentication_plugin`](/system-variables.md#default_authentication_plugin) variable. `tidb_sm3_password` is the SM3 authentication method only supported in TiDB. Therefore, to authenticate using this method, you must connect to TiDB using [TiDB-JDBC](https://github.com/pingcap/mysql-connector-j/tree/release/8.0-sm3).
You can use one of the following supported authentication methods in the table. To specify a default method that the server advertises when the client-server connection is being established, set the [`default_authentication_plugin`](/system-variables.md#default_authentication_plugin) variable. `tidb_sm3_password` is the SM3 authentication method only supported in TiDB. Therefore, to authenticate using this method, you must connect to TiDB using [TiDB-JDBC](https://github.com/pingcap/mysql-connector-j/tree/release/8.0-sm3). `tidb_auth_token` is a JSON Web Token (JWT) based authentication method used only in TiDB Cloud.

<CustomContent platform="tidb">

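Review bot: the added sentence describes `tidb_auth_token` as "used only in TiDB Cloud", which is weaker than the wording in the system-variables.md and tidb-configuration-file.md changes ("used only for the internal operation of TiDB Cloud", with a **DO NOT** instruction). Because this paragraph opens with "You can use one of the following supported authentication methods", the softer wording here can be read as an invitation to assign the method to users. Suggest reusing the internal-operation wording so all three pages say the same thing.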
Expand All @@ -38,7 +38,8 @@ The support for TLS authentication is configured differently. For detailed infor
| `caching_sha2_password` | Yes, since 5.2.0 |
| `auth_socket` | Yes, since 5.3.0 |
| `tidb_sm3_password` | Yes, since 6.3.0 |
| TLS Certificates | Yes |
| `tidb_auth_token` | Yes, since 6.4.0 |
| TLS Certificates | Yes |
| LDAP | No |
| PAM | No |
| ed25519 (MariaDB) | No |
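Review bot: the new `tidb_auth_token` row reads "Yes, since 6.4.0" with no qualifier, so the table presents it exactly like the methods an operator can choose, although the other files in this change restrict it to TiDB Cloud internal operation. Suggest qualifying the cell or adding a footnote, for example "Yes, since 6.4.0 (TiDB Cloud internal use only)".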
3 changes: 2 additions & 1 deletion system-variables.md
Original file line number Diff line number Diff line change
Expand Up @@ -208,7 +208,8 @@ mysql> SELECT * FROM t1;
- Persists to cluster: Yes
- Type: Enumeration
- Default value: `mysql_native_password`
- Possible values: `mysql_native_password`, `caching_sha2_password`, and `tidb_sm3_password`
- Possible values: `mysql_native_password`, `caching_sha2_password`, `tidb_sm3_password`, and `tidb_auth_token`
- The `tidb_auth_token` authentication method is used only for the internal operation of TiDB Cloud. **DO NOT** set the variable to this value.
- This variable sets the authentication method that the server advertises when the server-client connection is being established.
- To authenticate using the `tidb_sm3_password` method, you can connect to TiDB using [TiDB-JDBC](https://github.com/pingcap/mysql-connector-j/tree/release/8.0-sm3).

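Review bot: the new "**DO NOT** set the variable to this value" bullet does not say what happens if `default_authentication_plugin` is set to `tidb_auth_token`, and it is placed before the bullet that explains what the variable does. Suggest moving it after the description, stating the consequence for client connections, and using the same `> **Warning:**` callout as the tidb-configuration-file.md entries so the caveat stands out from the ordinary property bullets.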
18 changes: 18 additions & 0 deletions tidb-configuration-file.md
Original file line number Diff line number Diff line change
Expand Up @@ -327,6 +327,24 @@ Configuration items related to security.
- Default value: "", which allows TLSv1.1 or higher.
- Optional values: `"TLSv1.0"`, `"TLSv1.1"`, `"TLSv1.2"` and `"TLSv1.3"`

### `auth-token-jwks` <span class="version-mark">New in v6.4.0</span>

> **Warning:**
>
> The `tidb_auth_token` authentication method is used only for the internal operation of TiDB Cloud. **DO NOT** change the value of this configuration.

- Set the local file path of the JSON Web Key Sets (JWKS) for the `tidb_auth_token` authentication method.
- Default value: `""`

### `auth-token-refresh-interval` <span class="version-mark">New in v6.4.0</span>

> **Warning:**
>
> The `tidb_auth_token` authentication method is used only for the internal operation of TiDB Cloud. **DO NOT** change the value of this configuration.

- Set the JWKS refresh interval for the `tidb_auth_token` authentication method.
- Default value: `1h`

## Performance

Configuration items related to performance.
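Review bot: the `auth-token-jwks` entry does not say what the default `""` means for `tidb_auth_token` (for example, whether the method is unavailable when no JWKS file is configured), and `auth-token-refresh-interval` does not say what is refreshed when the source is a local file path or which duration formats are accepted besides `1h`. Since a JWKS holds the keys that token signatures are verified against, suggest also noting that the file should be writable only by trusted accounts. Minor: the usual expansion of JWKS is "JSON Web Key Set".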