diff --git a/docs/Cube.js-ClI/Reference.md b/docs/Cube.js-ClI/Reference.md
index 9b6f16a1d010a..f0dd0ed6fee62 100644
--- a/docs/Cube.js-ClI/Reference.md
+++ b/docs/Cube.js-ClI/Reference.md
@@ -61,3 +61,32 @@ Generate schema files for tables `orders` and `customers`:
 ```bash
 $ cubejs generate -t orders,customers
 ```
+
+## token
+
+`token` command generates a JWT Cube.js token. It either uses the value of the `CUBEJS_API_SECRET` environment variable or provided value with `-s` flag.
+You can only run `token` command from the Cube.js app directory.
+
+_Use these manually generated tokens in production with caution._ <br> _Please refer to the [Security Guide](https://cube.dev/docs/security) for production security best practices._
+
+### Usage
+
+```bash
+$ cubejs token -e TOKEN-EXPIRY -s SECRET -p FOO=BAR
+```
+
+### Flags
+
+| Parameter | Description | Example |
+| --------- | ----------- | ------ |
+| -e, --expiry &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  | Token expiry. Set to 0 for no expiry (default: "30 days") | `1 day`, `30 days` &nbsp; &nbsp; &nbsp; &nbsp;  |
+| -s, --secret | Cube.js app secret. Also can be set via environment variable `CUBEJS_API_SECRET` | - |
+| -p, --payload | Token Payload | `foo=bar`, `userId=2` |
+
+### Example
+
+Generate token with 1 day expiry and payload `{ 'appId': 1, 'userId': 2 }`:
+
+```bash
+$ cubejs token -e "1 day" -p appId=1 -p userId=2
+```