diff --git a/doc/integration/oauth_provider.md b/doc/integration/oauth_provider.md
index 232ff6cb360ffe3e4333a4055d4978daa002e65a..af525cc8770e32c9cfafb9696d23a873b01cfe65 100644
--- a/doc/integration/oauth_provider.md
+++ b/doc/integration/oauth_provider.md
@@ -85,6 +85,8 @@ The user authorization step is automatically skipped for this application.
 
 ## View all authorized applications
 
+> `k8s_proxy` [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/422408) in GitLab 16.4 [with a flag](../administration/feature_flags.md) named `k8s_proxy_pat`. Enabled by default.
+
 To see all the application you've authorized with your GitLab credentials:
 
 1. On the left sidebar, select your avatar.
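Review bot: The flag named in the added history line, `k8s_proxy_pat`, reads as specific to personal access tokens, yet this page documents OAuth applications. Confirm that the flag also gates the `k8s_proxy` OAuth scope. If it does not, drop the flag reference here or name the flag that applies, so an administrator who disables `k8s_proxy_pat` is not misled about what was turned off.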
@@ -95,7 +97,7 @@ The GitLab OAuth 2 applications support scopes, which allow application to perfo
 different actions. See the following table for all available scopes.
 
 | Scope              | Description |
-| ------------------ | ----------- |
+|--------------------| ----------- |
 | `api`              | Grants complete read/write access to the API, including all groups and projects, the container registry, and the package registry. |
 | `read_user`        | Grants read-only access to the authenticated user's profile through the /user API endpoint, which includes username, public email, and full name. Also grants access to read-only API endpoints under /users. |
 | `read_api`         | Grants read access to the API, including all groups and projects, the container registry, and the package registry. |
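Review bot: The separator row change from `| ------------------ |` to `|--------------------|` is formatting churn unrelated to adding a scope, and it leaves the first column styled differently from the second (`| ----------- |`). Revert it, or reformat both columns the same way.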
@@ -108,6 +110,7 @@ different actions. See the following table for all available scopes.
 | `profile`          | Grants read-only access to the user's profile data using [OpenID Connect](openid_connect_provider.md). |
 | `email`            | Grants read-only access to the user's primary email address using [OpenID Connect](openid_connect_provider.md). |
 | `create_runner`    | Grants permission to create runners. |
+| `k8s_proxy`        | Grants permission to perform Kubernetes API calls using the agent for Kubernetes. |
 
 At any time you can revoke any access by selecting **Revoke**.
 
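Review bot: The `k8s_proxy` row does not say how much access it grants, unlike the `api` and `read_api` rows of the same table, which spell out read/write versus read-only. Because this scope allows Kubernetes API calls through the agent, state whether write operations are included and whether calls are limited to the agents the authorizing user can already reach.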
diff --git a/doc/user/group/settings/group_access_tokens.md b/doc/user/group/settings/group_access_tokens.md
index 5860b9b7dcb8d29f5f623ba47dd45006b5355ac0..795967e9f9174c4a34f9811b7c528b63e3032ad3 100644
--- a/doc/user/group/settings/group_access_tokens.md
+++ b/doc/user/group/settings/group_access_tokens.md
@@ -138,6 +138,8 @@ token.revoke!
 
 ## Scopes for a group access token
 
+> `k8s_proxy` [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/422408) in GitLab 16.4 [with a flag](../../../administration/feature_flags.md) named `k8s_proxy_pat`. Enabled by default.
+
 The scope determines the actions you can perform when you authenticate with a group access token.
 
 | Scope              | Description                                                                                                                                                                      |
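Review bot: The added history line says the flag is "Enabled by default" but gives administrators no pointer for turning the scope off. Add a sentence after the note stating that an administrator can disable the feature flag named `k8s_proxy_pat`. The same gap exists in the identical line added to the other three files in this diff.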
@@ -150,6 +152,7 @@ The scope determines the actions you can perform when you authenticate with a gr
 | `write_repository` | Grants read and write access (pull and push) to all repositories within a group.                                                                                                 |
 | `create_runner`    | Grants permission to create runners in a group.                                                                                                                                  |
 | `ai_features`      | Grants permission to perform API actions for GitLab Duo.                                                                                                                         |
+| `k8s_proxy`        | Grants permission to perform Kubernetes API calls using the agent for Kubernetes in a group.                                                                                     |
 
 ## Enable or disable group access token creation
 
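Review bot: The `k8s_proxy` row says "in a group" without stating whether agents registered in the group's subgroups and projects are covered. That boundary is what someone issuing a group access token needs to know, so spell it out in the description.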
diff --git a/doc/user/profile/personal_access_tokens.md b/doc/user/profile/personal_access_tokens.md
index 31e92a01606ef6825f1406a02d9d1da91930e39d..c3361040a005bdc4cfd8c50a1c8fca2118bf3473 100644
--- a/doc/user/profile/personal_access_tokens.md
+++ b/doc/user/profile/personal_access_tokens.md
@@ -104,7 +104,8 @@ To view the last time a token was used:
 
 ## Personal access token scopes
 
-> Personal access tokens no longer being able to access container or package registries [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/387721) in GitLab 16.0.
+> - Personal access tokens no longer being able to access container or package registries [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/387721) in GitLab 16.0.
+> - `k8s_proxy` [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/422408) in GitLab 16.4 [with a flag](../../administration/feature_flags.md) named `k8s_proxy_pat`. Enabled by default.
 
 A personal access token can perform actions based on the assigned scopes.
 
@@ -121,6 +122,7 @@ A personal access token can perform actions based on the assigned scopes.
 | `admin_mode`       | Grants permission to perform API actions as an administrator, when Admin Mode is enabled. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/107875) in GitLab 15.8.) |
 | `create_runner`    | Grants permission to create runners. |
 | `ai_features`      | Grants permission to perform API actions for GitLab Duo. |
+| `k8s_proxy`        | Grants permission to perform Kubernetes API calls using the agent for Kubernetes.                                                                                   |
 
 WARNING:
 If you enabled [external authorization](../admin_area/settings/external_authorization.md), personal access tokens cannot access container or package registries. If you use personal access tokens to access these registries, this measure breaks this use of these tokens. Disable external authorization to use personal access tokens with container or package registries.
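Review bot: The added `k8s_proxy` row is padded with a long run of trailing spaces before the closing pipe, while the `create_runner` and `ai_features` rows directly above it carry no padding. Trim the padding so the new row matches its neighbours in this table.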
diff --git a/doc/user/project/settings/project_access_tokens.md b/doc/user/project/settings/project_access_tokens.md
index c47dd86b39c59558da365eb6bcd5bbab611d5d22..29d573285323a90c0c3a2c7cd1fe330de3dffafa 100644
--- a/doc/user/project/settings/project_access_tokens.md
+++ b/doc/user/project/settings/project_access_tokens.md
@@ -79,6 +79,8 @@ To revoke a project access token:
 
 ## Scopes for a project access token
 
+> `k8s_proxy` [introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/422408) in GitLab 16.4 [with a flag](../../../administration/feature_flags.md) named `k8s_proxy_pat`. Enabled by default.
+
 The scope determines the actions you can perform when you authenticate with a project access token.
 
 NOTE:
@@ -94,6 +96,7 @@ See the warning in [create a project access token](#create-a-project-access-toke
 | `write_repository` | Grants read and write access (pull and push) to the repository.                                                                                                 |
 | `create_runner`    | Grants permission to create runners in the project.                                                                                                             |
 | `ai_features`      | Grants permission to perform API actions for GitLab Duo.                                                                                                        |
+| `k8s_proxy`        | Grants permission to perform Kubernetes API calls using the agent for Kubernetes in the project.                                                                                     |
 
 ## Enable or disable project access token creation
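Review bot: The closing pipe of the added `k8s_proxy` row does not line up with the three rows above it. The padding looks carried over from the wider group access token table even though "in the project." is longer than "in a group.". Re-pad the row to this table's column width.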