diff --git a/x-pack/docs/en/rest-api/security/create-api-keys.asciidoc b/x-pack/docs/en/rest-api/security/create-api-keys.asciidoc
index 42541d0f36339..c0df9290719db 100644
--- a/x-pack/docs/en/rest-api/security/create-api-keys.asciidoc
+++ b/x-pack/docs/en/rest-api/security/create-api-keys.asciidoc
@@ -49,11 +49,12 @@ The following parameters can be specified in the body of a POST or PUT request:
 `role_descriptors`::
 (Optional, array-of-role-descriptor) An array of role descriptors for this API
 key. This parameter is optional. When it is not specified or is an empty array,
-then the API key will have the permissions of the authenticated user. If you
-supply role descriptors, they must be a subset of the authenticated user's
-permissions. The structure of role descriptor is the same as the request for
-create role API. For more details, see
-<<security-api-roles,role management APIs>>.
+then the API key will have a _point in time snapshot of permissions of the 
+authenticated user_. If you supply role descriptors then the resultant permissions
+would be an intersection of API keys permissions and authenticated user's permissions
+thereby limiting the access scope for API keys.
+The structure of role descriptor is the same as the request for create role API.
+For more details, see <<security-api-roles,role management APIs>>.
 
 `expiration`::
 (Optional, string) Expiration time for the API key. By default, API keys never