diff --git a/docs/hub/cloud.md b/docs/hub/cloud.md index 409d7f52..7ee4d702 100644 --- a/docs/hub/cloud.md +++ b/docs/hub/cloud.md @@ -50,6 +50,14 @@ Be sure to catch and logs these errors in your code. If you need more requests, upgrade to a higher plan or [the On Premise version](#on-premise). +Rate limiting implements the [leaky bucket algorithm](https://en.wikipedia.org/wiki/Leaky_bucket). +Requests are tracked at millisecond granularity. A queue of 10 requests exceeding the limit is allowed (*burst*). + +## TLS Certificates + +TLS certificates are automatically provisionned using [Let's Encrypt](https://letsencrypt.org). +[A `CAA` DNS entry](https://letsencrypt.org/docs/caa/) is maintained for all `mercure.rocks` subdomains. + ## On Premise The [high availability hub](cluster.md) we use for the cloud service can also be hosted on your own infrastructure. When you use the [on-premise version](cluster.md#high-availability-on-premise-version), there are no limits other than the load that can be handled by your servers. diff --git a/docs/hub/troubleshooting.md b/docs/hub/troubleshooting.md index b41e2785..3601ef85 100644 --- a/docs/hub/troubleshooting.md +++ b/docs/hub/troubleshooting.md 
@@ -2,8 +2,9 @@ ## 401 Unauthorized -* Double-check that the request to the hub includes an authorization cookie (the default name is `mercureAuthorization`) or an `Authorization` HTTP header +* Double-check that the request to the hub includes an authorization cookie (the default name is `mercureAuthorization`), an `Authorization` HTTP header or an `authorization` query parameter * If the cookie isn't set, you may have to explicitly include [the request credentials](https://developer.mozilla.org/en-US/docs/Web/API/WindowOrWorkerGlobalScope/fetch#Parameters) (`new EventSource(url, {withCredentials: true})` and `fetch(url, {credentials: 'include'})`) +* Double-check that only one `mercureAuthorization` cookie is set (sometimes, especially in development, old Mercure cookies from other environments may remain) * Check the logs written by the hub on `stderr`, they contain the exact reason why the token has been rejected * Be sure to set a **secret key** (and not a JWT) in `JWT_KEY` (or in `SUBSCRIBER_JWT_KEY` and `PUBLISHER_JWT_KEY`) * If the secret key contains special characters, be sure to escape them properly, especially if you set the environment variable in a shell, or in a YAML file (Kubernetes...)
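Review bot: in the `docs/hub/cloud.md` hunk, the added line under `## TLS Certificates` misspells "provisioned" as "provisionned", and the burst sentence ("A queue of 10 requests exceeding the limit is allowed") does not say what happens to a request that arrives once that queue is full. Suggest fixing the spelling and adding one sentence stating whether such a request is rejected or delayed, so readers know which error the preceding paragraph asks them to catch. The unchanged context line "Be sure to catch and logs these errors" also has a grammar slip ("log") that could be fixed in the same change. For the `CAA` sentence, consider stating which CA the record authorizes, since the line only links to the Let's Encrypt CAA page without saying so.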
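Review bot: in the `docs/hub/troubleshooting.md` hunk, the rewritten first bullet now lists an `authorization` query parameter on equal footing with the cookie and the `Authorization` header, without any caveat. A token carried in a URL can end up in access logs, browser history and `Referer` headers, so the bullet should either link to the section that documents this parameter and its intended use, or note that the cookie and header are preferred. On the new duplicate-cookie bullet, it would help to say where to look (for example the browser's cookie storage for the hub's domain) and that cookies with the same name but a different `Path` or `Domain` can coexist, since "only one `mercureAuthorization` cookie is set" does not tell the reader how the duplicates arise or how to spot them.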