diff --git a/website/content/docs/job-specification/identity.mdx b/website/content/docs/job-specification/identity.mdx index 9b9ee4e21..f296f4fdd 100644 --- a/website/content/docs/job-specification/identity.mdx +++ b/website/content/docs/job-specification/identity.mdx @@ -15,11 +15,14 @@ description: |- /> The `identity` block allows a task access to its [Workload Identity][] via an -environment variable or file. By default Nomad will create an identity for all -workloads, but it is *not* exposed to a task. +environment variable or file. Nomad will create a _default_ identity for all +workloads, but it is *not* exposed to a task. You may also set additional +identities intended for use with external applications such as Vault, Consul, or +OIDC authentication. -The following will expose the Workload Identity as an environment variable and -file to the task: +For example, the following will expose the default Workload Identity as an +environment variable and file to the task, and a second Workload Identity +configured for a third-party OIDC provider: ```hcl job "docs" { @@ -31,6 +34,14 @@ job "docs" { file = true } + identity { + name = "example" + aud = ["oidc.example.com"] + env = true + file = true + ttl = "1h" + } + # ... } } @@ -39,6 +50,11 @@ job "docs" { ## `identity` Parameters +- `name` `(string: "default")` - The name of the workload identity, which must + be unique per task. Only one `identity` block in a task can omit the `name` + field. +- `aud` `([]string: nil)` - The audience field for the workload identity. This + should always be set for non-default identities. - `env` `(bool: false)` - If true the workload identity will be available in the task's `NOMAD_TOKEN` environment variable. - `file` `(bool: false)` - If true the workload identity will be available in 
@@ -46,6 +62,10 @@ job "docs" { [`task.user`][taskuser] parameter is set, the token file will only be readable by that user. Otherwise the file is readable by everyone but is protected by parent directory permissions. +- `ttl` `(string: "")` - The lifetime of the identity before it expires. The + client will renew the identity at roughly half the TTL. This is specified + using a label suffix like "30s" or "1h". You may not set a TTL on the default + identity. You should always set a TTL for non-default identities. ## Task API
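Review bot: the `ttl` entry's "You may not set a TTL on the default identity. You should always set a TTL for non-default identities." leaves the reader guessing whether these are enforced rules or advice; if `ttl` on the default identity is rejected at job validation, say so ("the job fails validation"), and if omitting `ttl` on a named identity yields a non-expiring token, state that explicitly, since that is the case a reviewer of an OIDC integration would most want spelled out. Also "a label suffix like "30s" or "1h"" would read better as "a duration string such as "30s" or "1h"", matching how other duration parameters in this spec are described.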
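Review bot: the `aud` entry says it "should always be set for non-default identities" but not why; a one-line rationale (the audience restricts which service will accept the token, so an identity minted for one provider cannot be replayed against another) would make the recommendation actionable, and it should also say what happens when `aud` is left nil on a named identity (accepted with no audience claim, or rejected at validation).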
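Review bot: with the new `name` parameter, the `env` description still only says the identity lands in `NOMAD_TOKEN`, and `file` still describes a single token file, yet the example sets `env = true` and `file = true` on both the default identity and the `example` identity; the parameter docs need to state where a named identity is exposed (a name-derived environment variable and file path, or whatever the client actually does) so two identities are not documented as writing to the same `NOMAD_TOKEN` variable and file. The file-permission note ("only be readable by that user... protected by parent directory permissions") should likewise be confirmed to apply to every identity file, not just the default one.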
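Review bot: in the intro paragraph the emphasis markers are mixed (`_default_` next to `*not*`); pick one style for this page. The new sentence "You may also set additional identities intended for use with external applications such as Vault, Consul, or OIDC authentication" would also benefit from a link to the Workload Identity page's section on those integrations, as the existing `[Workload Identity][]` reference already does for the default identity.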