diff --git a/releasenotes/notes/make-fernet-the-default-token-provider-dbe88b552a936a05.yaml b/releasenotes/notes/make-fernet-the-default-token-provider-dbe88b552a936a05.yaml
new file mode 100644
index 0000000000..503ba0f59b
--- /dev/null
+++ b/releasenotes/notes/make-fernet-the-default-token-provider-dbe88b552a936a05.yaml
@@ -0,0 +1,21 @@
+---
+upgrade:
+  - The default token provider has switched from UUID
+    to Fernet. Please note that Fernet requires a
+    key repository to be in place prior to running Ocata.
+    This can be done using ``keystone-manage fernet_setup``.
+    Documentation can be found `here <http://docs.openstack.org/developer/keystone/man/keystone-manage.html>`_.
+    In addition, for multi-node deployments, it is imperative that
+    a key distribution process be in use before upgrading. Once
+    a key repository has been created it should be distributed
+    to all keystone nodes in the deployment. This ensures that
+    each keystone node will be able to validate tokens issued
+    across the deployment. If you do not wish to switch token
+    formats, you will need to explicitly set UUID as the token
+    provider for each node in the deployment using
+    ``[token] provider = uuid`` in your ``keystone.conf``.
+critical:
+  - If upgrading to Fernet tokens, you must have a key
+    repository and key distribution mechanism in place.
+    Otherwise token validation may not work. Please see
+    the upgrade section for more details.