mongodb · kay-kim · Dec 5, 2017 · Dec 1, 2017
diff --git a/source/reference/parameters.txt b/source/reference/parameters.txt
@@ -131,6 +131,21 @@ Authentication Parameters
 
    See :ref:`localhost-exception` for more information.
 
+.. parameter:: KeysRotationIntervalSec
+
+   .. versionadded:: 3.6
+
+   *Default*: 7776000 seconds (90 days)
+
+   Specifies the number of seconds for which an `HMAC signing key
+   <https://en.wikipedia.org/wiki/Hash-based_message_authentication_code>`_
+   is valid before rotating to the next one. This parameter is intended
+   primarily to facilitate authentication testing.
+
+   You can only set :parameter:`KeysRotationIntervalSec` during
+   start-up, and cannot change this setting with the
+   :dbcommand:`setParameter` database command.
+
 .. parameter:: ldapUserCacheInvalidationInterval
 
    For use with MongoDB servers using :ref:`security-ldap-external`.

diff --git a/source/release-notes/3.6.txt b/source/release-notes/3.6.txt
@@ -634,6 +634,11 @@ MongoDB 3.6 includes the following enhancements:
   output from both operations now includes a timestamp for when
   the plans were generated.
 
+- The new :parameter:`KeysRotationIntervalSec` server parameter
+  specifies the number of seconds for which an `HMAC signing key
+  <https://en.wikipedia.org/wiki/Hash-based_message_authentication_code>`_
+  is valid before rotating to the next one.
+
 Changes Affecting Compatibility
 -------------------------------