diff --git a/docs/operator-manual/user-management/keycloak.md b/docs/operator-manual/user-management/keycloak.md
index 766ab6e0f18de..bc88c436e8ef0 100644
--- a/docs/operator-manual/user-management/keycloak.md
+++ b/docs/operator-manual/user-management/keycloak.md
@@ -17,6 +17,8 @@ Configure the client by setting the __Access Type__ to _confidential_ and set th
 hostname. It should be https://{hostname}/auth/callback (you can also leave the default less secure https://{hostname}/* ). You can also set the
 __Base URL__ to _/applications_.
 
+If you want to allow command line access, __Access Type__ must be set to _public_ and you also need to add http://localhost:8085/auth/callback in the list of Valid Redirect URIs. Then users can login using `argocd login {hostname} --sso`.
+
 ![Keycloak configure client](../../assets/keycloak-configure-client.png "Keycloak configure client")
 
 Make sure to click __Save__. You should now have a new tab called __Credentials__. You can copy the Secret that we'll use in our ArgoCD