diff --git a/doc/common/tables/cinder-auth_token.xml b/doc/common/tables/cinder-auth_token.xml
new file mode 100644
index 0000000000..2fce6f06da
--- /dev/null
+++ b/doc/common/tables/cinder-auth_token.xml
@@ -0,0 +1,134 @@
+<?xml version="1.0" encoding="UTF-8"?>
+        <!-- Warning: Do not edit this file. It is automatically
+             generated and your changes will be overwritten.
+             The tool to do so lives in the tools directory of this
+             repository -->
+        <para xmlns="http://docbook.org/ns/docbook" version="5.0">
+        <table rules="all" xml:id="config_table_cinder_auth_token">
+          <caption>Description of configuration options for auth_token</caption>
+           <col width="50%"/>
+           <col width="50%"/>
+           <thead>
+              <tr>
+                  <th>Configuration option = Default value</th>
+                  <th>Description</th>
+              </tr>
+          </thead>
+          <tbody>
+              <tr>
+                  <th colspan="2">[DEFAULT]</th>
+              </tr>
+              <tr>
+                       <td>memcached_servers = None</td>
+                       <td>(ListOpt) Memcached servers or None for in process cache.</td>
+              </tr>
+              <tr>
+                  <th colspan="2">[keystone_authtoken]</th>
+              </tr>
+              <tr>
+                       <td>admin_password = None</td>
+                       <td>(StrOpt) Keystone account password</td>
+              </tr>
+              <tr>
+                       <td>admin_tenant_name = admin</td>
+                       <td>(StrOpt) Keystone service account tenant name to validate user tokens</td>
+              </tr>
+              <tr>
+                       <td>admin_token = None</td>
+                       <td>(StrOpt) Single shared secret with the Keystone configuration used for bootstrapping a Keystone installation, or otherwise bypassing the normal authentication process.</td>
+              </tr>
+              <tr>
+                       <td>admin_user = None</td>
+                       <td>(StrOpt) Keystone account username</td>
+              </tr>
+              <tr>
+                       <td>auth_admin_prefix = </td>
+                       <td>(StrOpt) Prefix to prepend at the beginning of the path</td>
+              </tr>
+              <tr>
+                       <td>auth_host = 127.0.0.1</td>
+                       <td>(StrOpt) Host providing the admin Identity API endpoint</td>
+              </tr>
+              <tr>
+                       <td>auth_port = 35357</td>
+                       <td>(IntOpt) Port of the admin Identity API endpoint</td>
+              </tr>
+              <tr>
+                       <td>auth_protocol = https</td>
+                       <td>(StrOpt) Protocol of the admin Identity API endpoint(http or https)</td>
+              </tr>
+              <tr>
+                       <td>auth_uri = None</td>
+                       <td>(StrOpt) Complete public Identity API endpoint</td>
+              </tr>
+              <tr>
+                       <td>auth_version = None</td>
+                       <td>(StrOpt) API version of the admin Identity API endpoint</td>
+              </tr>
+              <tr>
+                       <td>cache = None</td>
+                       <td>(StrOpt) Env key for the swift cache</td>
+              </tr>
+              <tr>
+                       <td>cafile = None</td>
+                       <td>(StrOpt) A PEM encoded Certificate Authority to use when verifying HTTPs connections. Defaults to system CAs.</td>
+              </tr>
+              <tr>
+                       <td>certfile = None</td>
+                       <td>(StrOpt) Required if Keystone server requires client certificate</td>
+              </tr>
+              <tr>
+                       <td>delay_auth_decision = False</td>
+                       <td>(BoolOpt) Do not handle authorization requests within the middleware, but delegate the authorization decision to downstream WSGI components</td>
+              </tr>
+              <tr>
+                       <td>enforce_token_bind = permissive</td>
+                       <td>(StrOpt) Used to control the use and type of token binding. Can be set to: "disabled" to not check token binding. "permissive" (default) to validate binding information if the bind type is of a form known to the server and ignore it if not. "strict" like "permissive" but if the bind type is unknown the token will be rejected. "required" any form of token binding is needed to be allowed. Finally the name of a binding method that must be present in tokens.</td>
+              </tr>
+              <tr>
+                       <td>http_connect_timeout = None</td>
+                       <td>(BoolOpt) Request timeout value for communicating with Identity API server.</td>
+              </tr>
+              <tr>
+                       <td>http_request_max_retries = 3</td>
+                       <td>(IntOpt) How many times are we trying to reconnect when communicating with Identity API Server.</td>
+              </tr>
+              <tr>
+                       <td>include_service_catalog = True</td>
+                       <td>(BoolOpt) (optional) indicate whether to set the X-Service-Catalog header. If False, middleware will not ask for service catalog on token validation and will not set the X-Service-Catalog header.</td>
+              </tr>
+              <tr>
+                       <td>insecure = False</td>
+                       <td>(BoolOpt) Verify HTTPS connections.</td>
+              </tr>
+              <tr>
+                       <td>keyfile = None</td>
+                       <td>(StrOpt) Required if Keystone server requires client certificate</td>
+              </tr>
+              <tr>
+                       <td>memcache_secret_key = None</td>
+                       <td>(StrOpt) (optional, mandatory if memcache_security_strategy is defined) this string is used for key derivation.</td>
+              </tr>
+              <tr>
+                       <td>memcache_security_strategy = None</td>
+                       <td>(StrOpt) (optional) if defined, indicate whether token data should be authenticated or authenticated and encrypted. Acceptable values are MAC or ENCRYPT.  If MAC, token data is authenticated (with HMAC) in the cache. If ENCRYPT, token data is encrypted and authenticated in the cache. If the value is not one of these options or empty, auth_token will raise an exception on initialization.</td>
+              </tr>
+              <tr>
+                       <td>memcached_servers = None</td>
+                       <td>(ListOpt) Optionally specify a list of memcached server(s) to use for caching. If left undefined, tokens will instead be cached in-process.</td>
+              </tr>
+              <tr>
+                       <td>revocation_cache_time = 300</td>
+                       <td>(IntOpt) Determines the frequency at which the list of revoked tokens is retrieved from the Identity service (in seconds). A high number of revocation events combined with a low cache duration may significantly reduce performance.</td>
+              </tr>
+              <tr>
+                       <td>signing_dir = None</td>
+                       <td>(StrOpt) Directory used to cache files related to PKI tokens</td>
+              </tr>
+              <tr>
+                       <td>token_cache_time = 300</td>
+                       <td>(IntOpt) In order to prevent excessive effort spent validating tokens, the middleware caches previously-seen tokens for a configurable duration (in seconds). Set to -1 to disable caching completely.</td>
+              </tr>
+       </tbody>
+        </table>
+        </para>
diff --git a/doc/common/tables/glance-auth_token.xml b/doc/common/tables/glance-auth_token.xml
new file mode 100644
index 0000000000..c901819527
--- /dev/null
+++ b/doc/common/tables/glance-auth_token.xml
@@ -0,0 +1,134 @@
+<?xml version="1.0" encoding="UTF-8"?>
+        <!-- Warning: Do not edit this file. It is automatically
+             generated and your changes will be overwritten.
+             The tool to do so lives in the tools directory of this
+             repository -->
+        <para xmlns="http://docbook.org/ns/docbook" version="5.0">
+        <table rules="all" xml:id="config_table_glance_auth_token">
+          <caption>Description of configuration options for auth_token</caption>
+           <col width="50%"/>
+           <col width="50%"/>
+           <thead>
+              <tr>
+                  <th>Configuration option = Default value</th>
+                  <th>Description</th>
+              </tr>
+          </thead>
+          <tbody>
+              <tr>
+                  <th colspan="2">[DEFAULT]</th>
+              </tr>
+              <tr>
+                       <td>memcached_servers = None</td>
+                       <td>(ListOpt) Memcached servers or None for in process cache.</td>
+              </tr>
+              <tr>
+                  <th colspan="2">[keystone_authtoken]</th>
+              </tr>
+              <tr>
+                       <td>admin_password = None</td>
+                       <td>(StrOpt) Keystone account password</td>
+              </tr>
+              <tr>
+                       <td>admin_tenant_name = admin</td>
+                       <td>(StrOpt) Keystone service account tenant name to validate user tokens</td>
+              </tr>
+              <tr>
+                       <td>admin_token = None</td>
+                       <td>(StrOpt) Single shared secret with the Keystone configuration used for bootstrapping a Keystone installation, or otherwise bypassing the normal authentication process.</td>
+              </tr>
+              <tr>
+                       <td>admin_user = None</td>
+                       <td>(StrOpt) Keystone account username</td>
+              </tr>
+              <tr>
+                       <td>auth_admin_prefix = </td>
+                       <td>(StrOpt) Prefix to prepend at the beginning of the path</td>
+              </tr>
+              <tr>
+                       <td>auth_host = 127.0.0.1</td>
+                       <td>(StrOpt) Host providing the admin Identity API endpoint</td>
+              </tr>
+              <tr>
+                       <td>auth_port = 35357</td>
+                       <td>(IntOpt) Port of the admin Identity API endpoint</td>
+              </tr>
+              <tr>
+                       <td>auth_protocol = https</td>
+                       <td>(StrOpt) Protocol of the admin Identity API endpoint(http or https)</td>
+              </tr>
+              <tr>
+                       <td>auth_uri = None</td>
+                       <td>(StrOpt) Complete public Identity API endpoint</td>
+              </tr>
+              <tr>
+                       <td>auth_version = None</td>
+                       <td>(StrOpt) API version of the admin Identity API endpoint</td>
+              </tr>
+              <tr>
+                       <td>cache = None</td>
+                       <td>(StrOpt) Env key for the swift cache</td>
+              </tr>
+              <tr>
+                       <td>cafile = None</td>
+                       <td>(StrOpt) A PEM encoded Certificate Authority to use when verifying HTTPs connections. Defaults to system CAs.</td>
+              </tr>
+              <tr>
+                       <td>certfile = None</td>
+                       <td>(StrOpt) Required if Keystone server requires client certificate</td>
+              </tr>
+              <tr>
+                       <td>delay_auth_decision = False</td>
+                       <td>(BoolOpt) Do not handle authorization requests within the middleware, but delegate the authorization decision to downstream WSGI components</td>
+              </tr>
+              <tr>
+                       <td>enforce_token_bind = permissive</td>
+                       <td>(StrOpt) Used to control the use and type of token binding. Can be set to: "disabled" to not check token binding. "permissive" (default) to validate binding information if the bind type is of a form known to the server and ignore it if not. "strict" like "permissive" but if the bind type is unknown the token will be rejected. "required" any form of token binding is needed to be allowed. Finally the name of a binding method that must be present in tokens.</td>
+              </tr>
+              <tr>
+                       <td>http_connect_timeout = None</td>
+                       <td>(BoolOpt) Request timeout value for communicating with Identity API server.</td>
+              </tr>
+              <tr>
+                       <td>http_request_max_retries = 3</td>
+                       <td>(IntOpt) How many times are we trying to reconnect when communicating with Identity API Server.</td>
+              </tr>
+              <tr>
+                       <td>include_service_catalog = True</td>
+                       <td>(BoolOpt) (optional) indicate whether to set the X-Service-Catalog header. If False, middleware will not ask for service catalog on token validation and will not set the X-Service-Catalog header.</td>
+              </tr>
+              <tr>
+                       <td>insecure = False</td>
+                       <td>(BoolOpt) Verify HTTPS connections.</td>
+              </tr>
+              <tr>
+                       <td>keyfile = None</td>
+                       <td>(StrOpt) Required if Keystone server requires client certificate</td>
+              </tr>
+              <tr>
+                       <td>memcache_secret_key = None</td>
+                       <td>(StrOpt) (optional, mandatory if memcache_security_strategy is defined) this string is used for key derivation.</td>
+              </tr>
+              <tr>
+                       <td>memcache_security_strategy = None</td>
+                       <td>(StrOpt) (optional) if defined, indicate whether token data should be authenticated or authenticated and encrypted. Acceptable values are MAC or ENCRYPT.  If MAC, token data is authenticated (with HMAC) in the cache. If ENCRYPT, token data is encrypted and authenticated in the cache. If the value is not one of these options or empty, auth_token will raise an exception on initialization.</td>
+              </tr>
+              <tr>
+                       <td>memcached_servers = None</td>
+                       <td>(ListOpt) Optionally specify a list of memcached server(s) to use for caching. If left undefined, tokens will instead be cached in-process.</td>
+              </tr>
+              <tr>
+                       <td>revocation_cache_time = 300</td>
+                       <td>(IntOpt) Determines the frequency at which the list of revoked tokens is retrieved from the Identity service (in seconds). A high number of revocation events combined with a low cache duration may significantly reduce performance.</td>
+              </tr>
+              <tr>
+                       <td>signing_dir = None</td>
+                       <td>(StrOpt) Directory used to cache files related to PKI tokens</td>
+              </tr>
+              <tr>
+                       <td>token_cache_time = 300</td>
+                       <td>(IntOpt) In order to prevent excessive effort spent validating tokens, the middleware caches previously-seen tokens for a configurable duration (in seconds). Set to -1 to disable caching completely.</td>
+              </tr>
+       </tbody>
+        </table>
+        </para>
diff --git a/doc/common/tables/heat-auth_token.xml b/doc/common/tables/heat-auth_token.xml
new file mode 100644
index 0000000000..d2400ebd67
--- /dev/null
+++ b/doc/common/tables/heat-auth_token.xml
@@ -0,0 +1,134 @@
+<?xml version="1.0" encoding="UTF-8"?>
+        <!-- Warning: Do not edit this file. It is automatically
+             generated and your changes will be overwritten.
+             The tool to do so lives in the tools directory of this
+             repository -->
+        <para xmlns="http://docbook.org/ns/docbook" version="5.0">
+        <table rules="all" xml:id="config_table_heat_auth_token">
+          <caption>Description of configuration options for auth_token</caption>
+           <col width="50%"/>
+           <col width="50%"/>
+           <thead>
+              <tr>
+                  <th>Configuration option = Default value</th>
+                  <th>Description</th>
+              </tr>
+          </thead>
+          <tbody>
+              <tr>
+                  <th colspan="2">[DEFAULT]</th>
+              </tr>
+              <tr>
+                       <td>memcached_servers = None</td>
+                       <td>(ListOpt) Memcached servers or None for in process cache.</td>
+              </tr>
+              <tr>
+                  <th colspan="2">[keystone_authtoken]</th>
+              </tr>
+              <tr>
+                       <td>admin_password = None</td>
+                       <td>(StrOpt) Keystone account password</td>
+              </tr>
+              <tr>
+                       <td>admin_tenant_name = admin</td>
+                       <td>(StrOpt) Keystone service account tenant name to validate user tokens</td>
+              </tr>
+              <tr>
+                       <td>admin_token = None</td>
+                       <td>(StrOpt) Single shared secret with the Keystone configuration used for bootstrapping a Keystone installation, or otherwise bypassing the normal authentication process.</td>
+              </tr>
+              <tr>
+                       <td>admin_user = None</td>
+                       <td>(StrOpt) Keystone account username</td>
+              </tr>
+              <tr>
+                       <td>auth_admin_prefix = </td>
+                       <td>(StrOpt) Prefix to prepend at the beginning of the path</td>
+              </tr>
+              <tr>
+                       <td>auth_host = 127.0.0.1</td>
+                       <td>(StrOpt) Host providing the admin Identity API endpoint</td>
+              </tr>
+              <tr>
+                       <td>auth_port = 35357</td>
+                       <td>(IntOpt) Port of the admin Identity API endpoint</td>
+              </tr>
+              <tr>
+                       <td>auth_protocol = https</td>
+                       <td>(StrOpt) Protocol of the admin Identity API endpoint(http or https)</td>
+              </tr>
+              <tr>
+                       <td>auth_uri = None</td>
+                       <td>(StrOpt) Complete public Identity API endpoint</td>
+              </tr>
+              <tr>
+                       <td>auth_version = None</td>
+                       <td>(StrOpt) API version of the admin Identity API endpoint</td>
+              </tr>
+              <tr>
+                       <td>cache = None</td>
+                       <td>(StrOpt) Env key for the swift cache</td>
+              </tr>
+              <tr>
+                       <td>cafile = None</td>
+                       <td>(StrOpt) A PEM encoded Certificate Authority to use when verifying HTTPs connections. Defaults to system CAs.</td>
+              </tr>
+              <tr>
+                       <td>certfile = None</td>
+                       <td>(StrOpt) Required if Keystone server requires client certificate</td>
+              </tr>
+              <tr>
+                       <td>delay_auth_decision = False</td>
+                       <td>(BoolOpt) Do not handle authorization requests within the middleware, but delegate the authorization decision to downstream WSGI components</td>
+              </tr>
+              <tr>
+                       <td>enforce_token_bind = permissive</td>
+                       <td>(StrOpt) Used to control the use and type of token binding. Can be set to: "disabled" to not check token binding. "permissive" (default) to validate binding information if the bind type is of a form known to the server and ignore it if not. "strict" like "permissive" but if the bind type is unknown the token will be rejected. "required" any form of token binding is needed to be allowed. Finally the name of a binding method that must be present in tokens.</td>
+              </tr>
+              <tr>
+                       <td>http_connect_timeout = None</td>
+                       <td>(BoolOpt) Request timeout value for communicating with Identity API server.</td>
+              </tr>
+              <tr>
+                       <td>http_request_max_retries = 3</td>
+                       <td>(IntOpt) How many times are we trying to reconnect when communicating with Identity API Server.</td>
+              </tr>
+              <tr>
+                       <td>include_service_catalog = True</td>
+                       <td>(BoolOpt) (optional) indicate whether to set the X-Service-Catalog header. If False, middleware will not ask for service catalog on token validation and will not set the X-Service-Catalog header.</td>
+              </tr>
+              <tr>
+                       <td>insecure = False</td>
+                       <td>(BoolOpt) Verify HTTPS connections.</td>
+              </tr>
+              <tr>
+                       <td>keyfile = None</td>
+                       <td>(StrOpt) Required if Keystone server requires client certificate</td>
+              </tr>
+              <tr>
+                       <td>memcache_secret_key = None</td>
+                       <td>(StrOpt) (optional, mandatory if memcache_security_strategy is defined) this string is used for key derivation.</td>
+              </tr>
+              <tr>
+                       <td>memcache_security_strategy = None</td>
+                       <td>(StrOpt) (optional) if defined, indicate whether token data should be authenticated or authenticated and encrypted. Acceptable values are MAC or ENCRYPT.  If MAC, token data is authenticated (with HMAC) in the cache. If ENCRYPT, token data is encrypted and authenticated in the cache. If the value is not one of these options or empty, auth_token will raise an exception on initialization.</td>
+              </tr>
+              <tr>
+                       <td>memcached_servers = None</td>
+                       <td>(ListOpt) Optionally specify a list of memcached server(s) to use for caching. If left undefined, tokens will instead be cached in-process.</td>
+              </tr>
+              <tr>
+                       <td>revocation_cache_time = 300</td>
+                       <td>(IntOpt) Determines the frequency at which the list of revoked tokens is retrieved from the Identity service (in seconds). A high number of revocation events combined with a low cache duration may significantly reduce performance.</td>
+              </tr>
+              <tr>
+                       <td>signing_dir = None</td>
+                       <td>(StrOpt) Directory used to cache files related to PKI tokens</td>
+              </tr>
+              <tr>
+                       <td>token_cache_time = 300</td>
+                       <td>(IntOpt) In order to prevent excessive effort spent validating tokens, the middleware caches previously-seen tokens for a configurable duration (in seconds). Set to -1 to disable caching completely.</td>
+              </tr>
+       </tbody>
+        </table>
+        </para>
diff --git a/doc/common/tables/keystone-auth_token.xml b/doc/common/tables/keystone-auth_token.xml
new file mode 100644
index 0000000000..093b339b97
--- /dev/null
+++ b/doc/common/tables/keystone-auth_token.xml
@@ -0,0 +1,134 @@
+<?xml version="1.0" encoding="UTF-8"?>
+        <!-- Warning: Do not edit this file. It is automatically
+             generated and your changes will be overwritten.
+             The tool to do so lives in the tools directory of this
+             repository -->
+        <para xmlns="http://docbook.org/ns/docbook" version="5.0">
+        <table rules="all" xml:id="config_table_keystone_auth_token">
+          <caption>Description of configuration options for auth_token</caption>
+           <col width="50%"/>
+           <col width="50%"/>
+           <thead>
+              <tr>
+                  <th>Configuration option = Default value</th>
+                  <th>Description</th>
+              </tr>
+          </thead>
+          <tbody>
+              <tr>
+                  <th colspan="2">[DEFAULT]</th>
+              </tr>
+              <tr>
+                       <td>memcached_servers = None</td>
+                       <td>(ListOpt) Memcached servers or None for in process cache.</td>
+              </tr>
+              <tr>
+                  <th colspan="2">[keystone_authtoken]</th>
+              </tr>
+              <tr>
+                       <td>admin_password = None</td>
+                       <td>(StrOpt) Keystone account password</td>
+              </tr>
+              <tr>
+                       <td>admin_tenant_name = admin</td>
+                       <td>(StrOpt) Keystone service account tenant name to validate user tokens</td>
+              </tr>
+              <tr>
+                       <td>admin_token = None</td>
+                       <td>(StrOpt) Single shared secret with the Keystone configuration used for bootstrapping a Keystone installation, or otherwise bypassing the normal authentication process.</td>
+              </tr>
+              <tr>
+                       <td>admin_user = None</td>
+                       <td>(StrOpt) Keystone account username</td>
+              </tr>
+              <tr>
+                       <td>auth_admin_prefix = </td>
+                       <td>(StrOpt) Prefix to prepend at the beginning of the path</td>
+              </tr>
+              <tr>
+                       <td>auth_host = 127.0.0.1</td>
+                       <td>(StrOpt) Host providing the admin Identity API endpoint</td>
+              </tr>
+              <tr>
+                       <td>auth_port = 35357</td>
+                       <td>(IntOpt) Port of the admin Identity API endpoint</td>
+              </tr>
+              <tr>
+                       <td>auth_protocol = https</td>
+                       <td>(StrOpt) Protocol of the admin Identity API endpoint(http or https)</td>
+              </tr>
+              <tr>
+                       <td>auth_uri = None</td>
+                       <td>(StrOpt) Complete public Identity API endpoint</td>
+              </tr>
+              <tr>
+                       <td>auth_version = None</td>
+                       <td>(StrOpt) API version of the admin Identity API endpoint</td>
+              </tr>
+              <tr>
+                       <td>cache = None</td>
+                       <td>(StrOpt) Env key for the swift cache</td>
+              </tr>
+              <tr>
+                       <td>cafile = None</td>
+                       <td>(StrOpt) A PEM encoded Certificate Authority to use when verifying HTTPs connections. Defaults to system CAs.</td>
+              </tr>
+              <tr>
+                       <td>certfile = None</td>
+                       <td>(StrOpt) Required if Keystone server requires client certificate</td>
+              </tr>
+              <tr>
+                       <td>delay_auth_decision = False</td>
+                       <td>(BoolOpt) Do not handle authorization requests within the middleware, but delegate the authorization decision to downstream WSGI components</td>
+              </tr>
+              <tr>
+                       <td>enforce_token_bind = permissive</td>
+                       <td>(StrOpt) Used to control the use and type of token binding. Can be set to: "disabled" to not check token binding. "permissive" (default) to validate binding information if the bind type is of a form known to the server and ignore it if not. "strict" like "permissive" but if the bind type is unknown the token will be rejected. "required" any form of token binding is needed to be allowed. Finally the name of a binding method that must be present in tokens.</td>
+              </tr>
+              <tr>
+                       <td>http_connect_timeout = None</td>
+                       <td>(BoolOpt) Request timeout value for communicating with Identity API server.</td>
+              </tr>
+              <tr>
+                       <td>http_request_max_retries = 3</td>
+                       <td>(IntOpt) How many times are we trying to reconnect when communicating with Identity API Server.</td>
+              </tr>
+              <tr>
+                       <td>include_service_catalog = True</td>
+                       <td>(BoolOpt) (optional) indicate whether to set the X-Service-Catalog header. If False, middleware will not ask for service catalog on token validation and will not set the X-Service-Catalog header.</td>
+              </tr>
+              <tr>
+                       <td>insecure = False</td>
+                       <td>(BoolOpt) Verify HTTPS connections.</td>
+              </tr>
+              <tr>
+                       <td>keyfile = None</td>
+                       <td>(StrOpt) Required if Keystone server requires client certificate</td>
+              </tr>
+              <tr>
+                       <td>memcache_secret_key = None</td>
+                       <td>(StrOpt) (optional, mandatory if memcache_security_strategy is defined) this string is used for key derivation.</td>
+              </tr>
+              <tr>
+                       <td>memcache_security_strategy = None</td>
+                       <td>(StrOpt) (optional) if defined, indicate whether token data should be authenticated or authenticated and encrypted. Acceptable values are MAC or ENCRYPT.  If MAC, token data is authenticated (with HMAC) in the cache. If ENCRYPT, token data is encrypted and authenticated in the cache. If the value is not one of these options or empty, auth_token will raise an exception on initialization.</td>
+              </tr>
+              <tr>
+                       <td>memcached_servers = None</td>
+                       <td>(ListOpt) Optionally specify a list of memcached server(s) to use for caching. If left undefined, tokens will instead be cached in-process.</td>
+              </tr>
+              <tr>
+                       <td>revocation_cache_time = 300</td>
+                       <td>(IntOpt) Determines the frequency at which the list of revoked tokens is retrieved from the Identity service (in seconds). A high number of revocation events combined with a low cache duration may significantly reduce performance.</td>
+              </tr>
+              <tr>
+                       <td>signing_dir = None</td>
+                       <td>(StrOpt) Directory used to cache files related to PKI tokens</td>
+              </tr>
+              <tr>
+                       <td>token_cache_time = 300</td>
+                       <td>(IntOpt) In order to prevent excessive effort spent validating tokens, the middleware caches previously-seen tokens for a configurable duration (in seconds). Set to -1 to disable caching completely.</td>
+              </tr>
+       </tbody>
+        </table>
+        </para>
diff --git a/doc/common/tables/neutron-auth_token.xml b/doc/common/tables/neutron-auth_token.xml
new file mode 100644
index 0000000000..d808a49836
--- /dev/null
+++ b/doc/common/tables/neutron-auth_token.xml
@@ -0,0 +1,134 @@
+<?xml version="1.0" encoding="UTF-8"?>
+        <!-- Warning: Do not edit this file. It is automatically
+             generated and your changes will be overwritten.
+             The tool to do so lives in the tools directory of this
+             repository -->
+        <para xmlns="http://docbook.org/ns/docbook" version="5.0">
+        <table rules="all" xml:id="config_table_neutron_auth_token">
+          <caption>Description of configuration options for auth_token</caption>
+           <col width="50%"/>
+           <col width="50%"/>
+           <thead>
+              <tr>
+                  <th>Configuration option = Default value</th>
+                  <th>Description</th>
+              </tr>
+          </thead>
+          <tbody>
+              <tr>
+                  <th colspan="2">[DEFAULT]</th>
+              </tr>
+              <tr>
+                       <td>memcached_servers = None</td>
+                       <td>(ListOpt) Memcached servers or None for in process cache.</td>
+              </tr>
+              <tr>
+                  <th colspan="2">[keystone_authtoken]</th>
+              </tr>
+              <tr>
+                       <td>admin_password = None</td>
+                       <td>(StrOpt) Keystone account password</td>
+              </tr>
+              <tr>
+                       <td>admin_tenant_name = admin</td>
+                       <td>(StrOpt) Keystone service account tenant name to validate user tokens</td>
+              </tr>
+              <tr>
+                       <td>admin_token = None</td>
+                       <td>(StrOpt) Single shared secret with the Keystone configuration used for bootstrapping a Keystone installation, or otherwise bypassing the normal authentication process.</td>
+              </tr>
+              <tr>
+                       <td>admin_user = None</td>
+                       <td>(StrOpt) Keystone account username</td>
+              </tr>
+              <tr>
+                       <td>auth_admin_prefix = </td>
+                       <td>(StrOpt) Prefix to prepend at the beginning of the path</td>
+              </tr>
+              <tr>
+                       <td>auth_host = 127.0.0.1</td>
+                       <td>(StrOpt) Host providing the admin Identity API endpoint</td>
+              </tr>
+              <tr>
+                       <td>auth_port = 35357</td>
+                       <td>(IntOpt) Port of the admin Identity API endpoint</td>
+              </tr>
+              <tr>
+                       <td>auth_protocol = https</td>
+                       <td>(StrOpt) Protocol of the admin Identity API endpoint(http or https)</td>
+              </tr>
+              <tr>
+                       <td>auth_uri = None</td>
+                       <td>(StrOpt) Complete public Identity API endpoint</td>
+              </tr>
+              <tr>
+                       <td>auth_version = None</td>
+                       <td>(StrOpt) API version of the admin Identity API endpoint</td>
+              </tr>
+              <tr>
+                       <td>cache = None</td>
+                       <td>(StrOpt) Env key for the swift cache</td>
+              </tr>
+              <tr>
+                       <td>cafile = None</td>
+                       <td>(StrOpt) A PEM encoded Certificate Authority to use when verifying HTTPs connections. Defaults to system CAs.</td>
+              </tr>
+              <tr>
+                       <td>certfile = None</td>
+                       <td>(StrOpt) Required if Keystone server requires client certificate</td>
+              </tr>
+              <tr>
+                       <td>delay_auth_decision = False</td>
+                       <td>(BoolOpt) Do not handle authorization requests within the middleware, but delegate the authorization decision to downstream WSGI components</td>
+              </tr>
+              <tr>
+                       <td>enforce_token_bind = permissive</td>
+                       <td>(StrOpt) Used to control the use and type of token binding. Can be set to: "disabled" to not check token binding. "permissive" (default) to validate binding information if the bind type is of a form known to the server and ignore it if not. "strict" like "permissive" but if the bind type is unknown the token will be rejected. "required" any form of token binding is needed to be allowed. Finally the name of a binding method that must be present in tokens.</td>
+              </tr>
+              <tr>
+                       <td>http_connect_timeout = None</td>
+                       <td>(BoolOpt) Request timeout value for communicating with Identity API server.</td>
+              </tr>
+              <tr>
+                       <td>http_request_max_retries = 3</td>
+                       <td>(IntOpt) How many times are we trying to reconnect when communicating with Identity API Server.</td>
+              </tr>
+              <tr>
+                       <td>include_service_catalog = True</td>
+                       <td>(BoolOpt) (optional) indicate whether to set the X-Service-Catalog header. If False, middleware will not ask for service catalog on token validation and will not set the X-Service-Catalog header.</td>
+              </tr>
+              <tr>
+                       <td>insecure = False</td>
+                       <td>(BoolOpt) Verify HTTPS connections.</td>
+              </tr>
+              <tr>
+                       <td>keyfile = None</td>
+                       <td>(StrOpt) Required if Keystone server requires client certificate</td>
+              </tr>
+              <tr>
+                       <td>memcache_secret_key = None</td>
+                       <td>(StrOpt) (optional, mandatory if memcache_security_strategy is defined) this string is used for key derivation.</td>
+              </tr>
+              <tr>
+                       <td>memcache_security_strategy = None</td>
+                       <td>(StrOpt) (optional) if defined, indicate whether token data should be authenticated or authenticated and encrypted. Acceptable values are MAC or ENCRYPT.  If MAC, token data is authenticated (with HMAC) in the cache. If ENCRYPT, token data is encrypted and authenticated in the cache. If the value is not one of these options or empty, auth_token will raise an exception on initialization.</td>
+              </tr>
+              <tr>
+                       <td>memcached_servers = None</td>
+                       <td>(ListOpt) Optionally specify a list of memcached server(s) to use for caching. If left undefined, tokens will instead be cached in-process.</td>
+              </tr>
+              <tr>
+                       <td>revocation_cache_time = 300</td>
+                       <td>(IntOpt) Determines the frequency at which the list of revoked tokens is retrieved from the Identity service (in seconds). A high number of revocation events combined with a low cache duration may significantly reduce performance.</td>
+              </tr>
+              <tr>
+                       <td>signing_dir = None</td>
+                       <td>(StrOpt) Directory used to cache files related to PKI tokens</td>
+              </tr>
+              <tr>
+                       <td>token_cache_time = 300</td>
+                       <td>(IntOpt) In order to prevent excessive effort spent validating tokens, the middleware caches previously-seen tokens for a configurable duration (in seconds). Set to -1 to disable caching completely.</td>
+              </tr>
+       </tbody>
+        </table>
+        </para>
diff --git a/doc/common/tables/nova-api.xml b/doc/common/tables/nova-api.xml
index 4941c8aa53..c48cc079d4 100644
--- a/doc/common/tables/nova-api.xml
+++ b/doc/common/tables/nova-api.xml
@@ -18,6 +18,10 @@
               <tr>
                   <th colspan="2">[DEFAULT]</th>
               </tr>
+              <tr>
+                       <td>api_rate_limit = False</td>
+                       <td>(BoolOpt) Whether to use per-user rate limiting for the api. This option is only used by v2 api. Rate limiting is removed from v3 api.</td>
+              </tr>
               <tr>
                        <td>enable_new_services = True</td>
                        <td>(BoolOpt) Services to be added to the available pool on create</td>
diff --git a/doc/common/tables/nova-auth_token.xml b/doc/common/tables/nova-auth_token.xml
new file mode 100644
index 0000000000..20fc823fbe
--- /dev/null
+++ b/doc/common/tables/nova-auth_token.xml
@@ -0,0 +1,127 @@
+<?xml version="1.0" encoding="UTF-8"?>
+        <!-- Warning: Do not edit this file. It is automatically
+             generated and your changes will be overwritten.
+             The tool to do so lives in the tools directory of this
+             repository -->
+        <para xmlns="http://docbook.org/ns/docbook" version="5.0">
+        <table rules="all" xml:id="config_table_nova_auth_token">
+          <caption>Description of configuration options for auth_token</caption>
+           <col width="50%"/>
+           <col width="50%"/>
+           <thead>
+              <tr>
+                  <th>Configuration option = Default value</th>
+                  <th>Description</th>
+              </tr>
+          </thead>
+          <tbody>
+              <tr>
+                  <th colspan="2">[keystone_authtoken]</th>
+              </tr>
+              <tr>
+                       <td>admin_password = None</td>
+                       <td>(StrOpt) Keystone account password</td>
+              </tr>
+              <tr>
+                       <td>admin_tenant_name = admin</td>
+                       <td>(StrOpt) Keystone service account tenant name to validate user tokens</td>
+              </tr>
+              <tr>
+                       <td>admin_token = None</td>
+                       <td>(StrOpt) Single shared secret with the Keystone configuration used for bootstrapping a Keystone installation, or otherwise bypassing the normal authentication process.</td>
+              </tr>
+              <tr>
+                       <td>admin_user = None</td>
+                       <td>(StrOpt) Keystone account username</td>
+              </tr>
+              <tr>
+                       <td>auth_admin_prefix = </td>
+                       <td>(StrOpt) Prefix to prepend at the beginning of the path</td>
+              </tr>
+              <tr>
+                       <td>auth_host = 127.0.0.1</td>
+                       <td>(StrOpt) Host providing the admin Identity API endpoint</td>
+              </tr>
+              <tr>
+                       <td>auth_port = 35357</td>
+                       <td>(IntOpt) Port of the admin Identity API endpoint</td>
+              </tr>
+              <tr>
+                       <td>auth_protocol = https</td>
+                       <td>(StrOpt) Protocol of the admin Identity API endpoint(http or https)</td>
+              </tr>
+              <tr>
+                       <td>auth_uri = None</td>
+                       <td>(StrOpt) Complete public Identity API endpoint</td>
+              </tr>
+              <tr>
+                       <td>auth_version = None</td>
+                       <td>(StrOpt) API version of the admin Identity API endpoint</td>
+              </tr>
+              <tr>
+                       <td>cache = None</td>
+                       <td>(StrOpt) Env key for the swift cache</td>
+              </tr>
+              <tr>
+                       <td>cafile = None</td>
+                       <td>(StrOpt) A PEM encoded Certificate Authority to use when verifying HTTPs connections. Defaults to system CAs.</td>
+              </tr>
+              <tr>
+                       <td>certfile = None</td>
+                       <td>(StrOpt) Required if Keystone server requires client certificate</td>
+              </tr>
+              <tr>
+                       <td>delay_auth_decision = False</td>
+                       <td>(BoolOpt) Do not handle authorization requests within the middleware, but delegate the authorization decision to downstream WSGI components</td>
+              </tr>
+              <tr>
+                       <td>enforce_token_bind = permissive</td>
+                       <td>(StrOpt) Used to control the use and type of token binding. Can be set to: "disabled" to not check token binding. "permissive" (default) to validate binding information if the bind type is of a form known to the server and ignore it if not. "strict" like "permissive" but if the bind type is unknown the token will be rejected. "required" any form of token binding is needed to be allowed. Finally the name of a binding method that must be present in tokens.</td>
+              </tr>
+              <tr>
+                       <td>http_connect_timeout = None</td>
+                       <td>(BoolOpt) Request timeout value for communicating with Identity API server.</td>
+              </tr>
+              <tr>
+                       <td>http_request_max_retries = 3</td>
+                       <td>(IntOpt) How many times are we trying to reconnect when communicating with Identity API Server.</td>
+              </tr>
+              <tr>
+                       <td>include_service_catalog = True</td>
+                       <td>(BoolOpt) (optional) indicate whether to set the X-Service-Catalog header. If False, middleware will not ask for service catalog on token validation and will not set the X-Service-Catalog header.</td>
+              </tr>
+              <tr>
+                       <td>insecure = False</td>
+                       <td>(BoolOpt) Verify HTTPS connections.</td>
+              </tr>
+              <tr>
+                       <td>keyfile = None</td>
+                       <td>(StrOpt) Required if Keystone server requires client certificate</td>
+              </tr>
+              <tr>
+                       <td>memcache_secret_key = None</td>
+                       <td>(StrOpt) (optional, mandatory if memcache_security_strategy is defined) this string is used for key derivation.</td>
+              </tr>
+              <tr>
+                       <td>memcache_security_strategy = None</td>
+                       <td>(StrOpt) (optional) if defined, indicate whether token data should be authenticated or authenticated and encrypted. Acceptable values are MAC or ENCRYPT.  If MAC, token data is authenticated (with HMAC) in the cache. If ENCRYPT, token data is encrypted and authenticated in the cache. If the value is not one of these options or empty, auth_token will raise an exception on initialization.</td>
+              </tr>
+              <tr>
+                       <td>memcached_servers = None</td>
+                       <td>(ListOpt) Optionally specify a list of memcached server(s) to use for caching. If left undefined, tokens will instead be cached in-process.</td>
+              </tr>
+              <tr>
+                       <td>revocation_cache_time = 300</td>
+                       <td>(IntOpt) Determines the frequency at which the list of revoked tokens is retrieved from the Identity service (in seconds). A high number of revocation events combined with a low cache duration may significantly reduce performance.</td>
+              </tr>
+              <tr>
+                       <td>signing_dir = None</td>
+                       <td>(StrOpt) Directory used to cache files related to PKI tokens</td>
+              </tr>
+              <tr>
+                       <td>token_cache_time = 300</td>
+                       <td>(IntOpt) In order to prevent excessive effort spent validating tokens, the middleware caches previously-seen tokens for a configurable duration (in seconds). Set to -1 to disable caching completely.</td>
+              </tr>
+       </tbody>
+        </table>
+        </para>
diff --git a/doc/common/tables/nova-authentication.xml b/doc/common/tables/nova-authentication.xml
index f605f05693..9094434a02 100644
--- a/doc/common/tables/nova-authentication.xml
+++ b/doc/common/tables/nova-authentication.xml
@@ -18,10 +18,6 @@
               <tr>
                   <th colspan="2">[DEFAULT]</th>
               </tr>
-              <tr>
-                       <td>api_rate_limit = False</td>
-                       <td>(BoolOpt) Whether to use per-user rate limiting for the api. This option is only used by v2 api. Rate limiting is removed from v3 api.</td>
-              </tr>
               <tr>
                        <td>auth_strategy = noauth</td>
                        <td>(StrOpt) The strategy to use for auth: noauth or keystone.</td>
diff --git a/doc/common/tables/trove-auth_token.xml b/doc/common/tables/trove-auth_token.xml
new file mode 100644
index 0000000000..975c31a7fe
--- /dev/null
+++ b/doc/common/tables/trove-auth_token.xml
@@ -0,0 +1,134 @@
+<?xml version="1.0" encoding="UTF-8"?>
+        <!-- Warning: Do not edit this file. It is automatically
+             generated and your changes will be overwritten.
+             The tool to do so lives in the tools directory of this
+             repository -->
+        <para xmlns="http://docbook.org/ns/docbook" version="5.0">
+        <table rules="all" xml:id="config_table_trove_auth_token">
+          <caption>Description of configuration options for auth_token</caption>
+           <col width="50%"/>
+           <col width="50%"/>
+           <thead>
+              <tr>
+                  <th>Configuration option = Default value</th>
+                  <th>Description</th>
+              </tr>
+          </thead>
+          <tbody>
+              <tr>
+                  <th colspan="2">[DEFAULT]</th>
+              </tr>
+              <tr>
+                       <td>memcached_servers = None</td>
+                       <td>(ListOpt) Memcached servers or None for in process cache.</td>
+              </tr>
+              <tr>
+                  <th colspan="2">[keystone_authtoken]</th>
+              </tr>
+              <tr>
+                       <td>admin_password = None</td>
+                       <td>(StrOpt) Keystone account password</td>
+              </tr>
+              <tr>
+                       <td>admin_tenant_name = admin</td>
+                       <td>(StrOpt) Keystone service account tenant name to validate user tokens</td>
+              </tr>
+              <tr>
+                       <td>admin_token = None</td>
+                       <td>(StrOpt) Single shared secret with the Keystone configuration used for bootstrapping a Keystone installation, or otherwise bypassing the normal authentication process.</td>
+              </tr>
+              <tr>
+                       <td>admin_user = None</td>
+                       <td>(StrOpt) Keystone account username</td>
+              </tr>
+              <tr>
+                       <td>auth_admin_prefix = </td>
+                       <td>(StrOpt) Prefix to prepend at the beginning of the path</td>
+              </tr>
+              <tr>
+                       <td>auth_host = 127.0.0.1</td>
+                       <td>(StrOpt) Host providing the admin Identity API endpoint</td>
+              </tr>
+              <tr>
+                       <td>auth_port = 35357</td>
+                       <td>(IntOpt) Port of the admin Identity API endpoint</td>
+              </tr>
+              <tr>
+                       <td>auth_protocol = https</td>
+                       <td>(StrOpt) Protocol of the admin Identity API endpoint(http or https)</td>
+              </tr>
+              <tr>
+                       <td>auth_uri = None</td>
+                       <td>(StrOpt) Complete public Identity API endpoint</td>
+              </tr>
+              <tr>
+                       <td>auth_version = None</td>
+                       <td>(StrOpt) API version of the admin Identity API endpoint</td>
+              </tr>
+              <tr>
+                       <td>cache = None</td>
+                       <td>(StrOpt) Env key for the swift cache</td>
+              </tr>
+              <tr>
+                       <td>cafile = None</td>
+                       <td>(StrOpt) A PEM encoded Certificate Authority to use when verifying HTTPs connections. Defaults to system CAs.</td>
+              </tr>
+              <tr>
+                       <td>certfile = None</td>
+                       <td>(StrOpt) Required if Keystone server requires client certificate</td>
+              </tr>
+              <tr>
+                       <td>delay_auth_decision = False</td>
+                       <td>(BoolOpt) Do not handle authorization requests within the middleware, but delegate the authorization decision to downstream WSGI components</td>
+              </tr>
+              <tr>
+                       <td>enforce_token_bind = permissive</td>
+                       <td>(StrOpt) Used to control the use and type of token binding. Can be set to: "disabled" to not check token binding. "permissive" (default) to validate binding information if the bind type is of a form known to the server and ignore it if not. "strict" like "permissive" but if the bind type is unknown the token will be rejected. "required" any form of token binding is needed to be allowed. Finally the name of a binding method that must be present in tokens.</td>
+              </tr>
+              <tr>
+                       <td>http_connect_timeout = None</td>
+                       <td>(BoolOpt) Request timeout value for communicating with Identity API server.</td>
+              </tr>
+              <tr>
+                       <td>http_request_max_retries = 3</td>
+                       <td>(IntOpt) How many times are we trying to reconnect when communicating with Identity API Server.</td>
+              </tr>
+              <tr>
+                       <td>include_service_catalog = True</td>
+                       <td>(BoolOpt) (optional) indicate whether to set the X-Service-Catalog header. If False, middleware will not ask for service catalog on token validation and will not set the X-Service-Catalog header.</td>
+              </tr>
+              <tr>
+                       <td>insecure = False</td>
+                       <td>(BoolOpt) Verify HTTPS connections.</td>
+              </tr>
+              <tr>
+                       <td>keyfile = None</td>
+                       <td>(StrOpt) Required if Keystone server requires client certificate</td>
+              </tr>
+              <tr>
+                       <td>memcache_secret_key = None</td>
+                       <td>(StrOpt) (optional, mandatory if memcache_security_strategy is defined) this string is used for key derivation.</td>
+              </tr>
+              <tr>
+                       <td>memcache_security_strategy = None</td>
+                       <td>(StrOpt) (optional) if defined, indicate whether token data should be authenticated or authenticated and encrypted. Acceptable values are MAC or ENCRYPT.  If MAC, token data is authenticated (with HMAC) in the cache. If ENCRYPT, token data is encrypted and authenticated in the cache. If the value is not one of these options or empty, auth_token will raise an exception on initialization.</td>
+              </tr>
+              <tr>
+                       <td>memcached_servers = None</td>
+                       <td>(ListOpt) Optionally specify a list of memcached server(s) to use for caching. If left undefined, tokens will instead be cached in-process.</td>
+              </tr>
+              <tr>
+                       <td>revocation_cache_time = 300</td>
+                       <td>(IntOpt) Determines the frequency at which the list of revoked tokens is retrieved from the Identity service (in seconds). A high number of revocation events combined with a low cache duration may significantly reduce performance.</td>
+              </tr>
+              <tr>
+                       <td>signing_dir = None</td>
+                       <td>(StrOpt) Directory used to cache files related to PKI tokens</td>
+              </tr>
+              <tr>
+                       <td>token_cache_time = 300</td>
+                       <td>(IntOpt) In order to prevent excessive effort spent validating tokens, the middleware caches previously-seen tokens for a configurable duration (in seconds). Set to -1 to disable caching completely.</td>
+              </tr>
+       </tbody>
+        </table>
+        </para>
diff --git a/doc/config-reference/block-storage/section_misc.xml b/doc/config-reference/block-storage/section_misc.xml
index a8039be2a1..16d1b7da0f 100644
--- a/doc/config-reference/block-storage/section_misc.xml
+++ b/doc/config-reference/block-storage/section_misc.xml
@@ -10,6 +10,7 @@
       <filename>cinder.conf</filename> file.
     </para>
 
+    <xi:include href="../../common/tables/cinder-auth_token.xml"/>
     <xi:include href="../../common/tables/cinder-connection.xml"/>
     <xi:include href="../../common/tables/cinder-huawei.xml"/>
     <xi:include href="../../common/tables/cinder-nas.xml"/>
diff --git a/doc/config-reference/ch_databaseserviceconfigure.xml b/doc/config-reference/ch_databaseserviceconfigure.xml
index 0e90cdb9dc..e381af52ee 100644
--- a/doc/config-reference/ch_databaseserviceconfigure.xml
+++ b/doc/config-reference/ch_databaseserviceconfigure.xml
@@ -16,6 +16,7 @@
       Database Service configuration options.</para>
 
       <xi:include href="../common/tables/trove-api.xml"/>
+      <xi:include href="../common/tables/trove-auth_token.xml"/>
       <xi:include href="../common/tables/trove-backup.xml"/>
       <xi:include href="../common/tables/trove-common.xml"/>
       <xi:include href="../common/tables/trove-compute.xml"/>
diff --git a/doc/config-reference/ch_imageservice.xml b/doc/config-reference/ch_imageservice.xml
index 1450f4cae3..d2940c0849 100644
--- a/doc/config-reference/ch_imageservice.xml
+++ b/doc/config-reference/ch_imageservice.xml
@@ -26,6 +26,7 @@
 
     <para>You can modify many options in the OpenStack Image Service.
     The following tables provide a comprehensive list.</para>
+    <xi:include href="../common/tables/glance-auth_token.xml"/>
     <xi:include href="../common/tables/glance-common.xml"/>
     <xi:include href="../common/tables/glance-db.xml"/>
     <xi:include href="../common/tables/glance-imagecache.xml"/>
diff --git a/doc/config-reference/ch_orchestrationconfigure.xml b/doc/config-reference/ch_orchestrationconfigure.xml
index 7c42d43513..23126f546d 100644
--- a/doc/config-reference/ch_orchestrationconfigure.xml
+++ b/doc/config-reference/ch_orchestrationconfigure.xml
@@ -19,6 +19,7 @@
   <para>The following tables provide a comprehensive list of the Orchestration
       configuration options.</para>
 
+    <xi:include href="../common/tables/heat-auth_token.xml"/>
     <xi:include href="../common/tables/heat-common.xml"/>
     <xi:include href="../common/tables/heat-crypt.xml"/>
     <xi:include href="../common/tables/heat-database.xml"/>
diff --git a/doc/config-reference/compute/section_compute-options-reference.xml b/doc/config-reference/compute/section_compute-options-reference.xml
index 0f34a40615..4eaa77b9cc 100644
--- a/doc/config-reference/compute/section_compute-options-reference.xml
+++ b/doc/config-reference/compute/section_compute-options-reference.xml
@@ -10,6 +10,7 @@
     <xi:include href="../../common/tables/nova-api.xml"/>
     <xi:include href="../../common/tables/nova-apiv3.xml"/>
     <xi:include href="../../common/tables/nova-authentication.xml"/>
+    <xi:include href="../../common/tables/nova-auth_token.xml"/>
     <xi:include href="../../common/tables/nova-availabilityzones.xml"/>
     <xi:include href="../../common/tables/nova-baremetal.xml"/>
     <xi:include href="../../common/tables/nova-ca.xml"/>
diff --git a/doc/config-reference/networking/section_networking-options-reference.xml b/doc/config-reference/networking/section_networking-options-reference.xml
index 3fcf279df1..4c559ef94c 100644
--- a/doc/config-reference/networking/section_networking-options-reference.xml
+++ b/doc/config-reference/networking/section_networking-options-reference.xml
@@ -27,6 +27,12 @@
 <xi:include href="../../common/tables/neutron-api.xml"/>
 </section>
 
+<section xml:id="networking-options-auth_token">
+<title>Token authentication</title>
+<para>Use the following options to alter token authentication settings.</para>
+<xi:include href="../../common/tables/neutron-auth_token.xml"/>
+</section>
+
 <section xml:id="networking-options-compute">
 <title>Compute</title>
 <para>Use the following options to alter Compute-related settings.</para>
diff --git a/tools/autogenerate-config-flagmappings/cinder.flagmappings b/tools/autogenerate-config-flagmappings/cinder.flagmappings
index 5071d33747..d976ae81cc 100644
--- a/tools/autogenerate-config-flagmappings/cinder.flagmappings
+++ b/tools/autogenerate-config-flagmappings/cinder.flagmappings
@@ -141,6 +141,7 @@ max_age quota
 max_gigabytes storage
 max_header_line api
 max_luns_per_storage_group emc
+memcached_servers auth_token
 migration_create_volume_timeout_secs storage
 monkey_patch common
 monkey_patch_modules common
@@ -411,6 +412,32 @@ fc-zone-manager/zone_driver zoning_manager
 fc-zone-manager/zoning_policy zoning
 keymgr/api_class keymgr
 keymgr/fixed_key keymgr
+keystone_authtoken/admin_password auth_token
+keystone_authtoken/admin_tenant_name auth_token
+keystone_authtoken/admin_token auth_token
+keystone_authtoken/admin_user auth_token
+keystone_authtoken/auth_admin_prefix auth_token
+keystone_authtoken/auth_host auth_token
+keystone_authtoken/auth_port auth_token
+keystone_authtoken/auth_protocol auth_token
+keystone_authtoken/auth_uri auth_token
+keystone_authtoken/auth_version auth_token
+keystone_authtoken/cache auth_token
+keystone_authtoken/cafile auth_token
+keystone_authtoken/certfile auth_token
+keystone_authtoken/delay_auth_decision auth_token
+keystone_authtoken/enforce_token_bind auth_token
+keystone_authtoken/http_connect_timeout auth_token
+keystone_authtoken/http_request_max_retries auth_token
+keystone_authtoken/include_service_catalog auth_token
+keystone_authtoken/insecure auth_token
+keystone_authtoken/keyfile auth_token
+keystone_authtoken/memcache_secret_key auth_token
+keystone_authtoken/memcache_security_strategy auth_token
+keystone_authtoken/memcached_servers auth_token
+keystone_authtoken/revocation_cache_time auth_token
+keystone_authtoken/signing_dir auth_token
+keystone_authtoken/token_cache_time auth_token
 matchmaker_ring/ringfile rpc
 ssl/ca_file ssl
 ssl/cert_file ssl
diff --git a/tools/autogenerate-config-flagmappings/glance.flagmappings b/tools/autogenerate-config-flagmappings/glance.flagmappings
index 2535fd66a9..2f5970f595 100644
--- a/tools/autogenerate-config-flagmappings/glance.flagmappings
+++ b/tools/autogenerate-config-flagmappings/glance.flagmappings
@@ -77,6 +77,7 @@ logging_exception_prefix logging
 matchmaker_heartbeat_freq matchmaker
 matchmaker_heartbeat_ttl matchmaker
 max_header_line wsgi
+memcached_servers auth_token
 metadata_encryption_key common
 mongodb_store_db gridfs
 mongodb_store_uri gridfs
@@ -212,6 +213,32 @@ database/sqlite_synchronous db
 database/use_db_reconnect db
 image_format/container_formats common
 image_format/disk_formats common
+keystone_authtoken/admin_password auth_token
+keystone_authtoken/admin_tenant_name auth_token
+keystone_authtoken/admin_token auth_token
+keystone_authtoken/admin_user auth_token
+keystone_authtoken/auth_admin_prefix auth_token
+keystone_authtoken/auth_host auth_token
+keystone_authtoken/auth_port auth_token
+keystone_authtoken/auth_protocol auth_token
+keystone_authtoken/auth_uri auth_token
+keystone_authtoken/auth_version auth_token
+keystone_authtoken/cache auth_token
+keystone_authtoken/cafile auth_token
+keystone_authtoken/certfile auth_token
+keystone_authtoken/delay_auth_decision auth_token
+keystone_authtoken/enforce_token_bind auth_token
+keystone_authtoken/http_connect_timeout auth_token
+keystone_authtoken/http_request_max_retries auth_token
+keystone_authtoken/include_service_catalog auth_token
+keystone_authtoken/insecure auth_token
+keystone_authtoken/keyfile auth_token
+keystone_authtoken/memcache_secret_key auth_token
+keystone_authtoken/memcache_security_strategy auth_token
+keystone_authtoken/memcached_servers auth_token
+keystone_authtoken/revocation_cache_time auth_token
+keystone_authtoken/signing_dir auth_token
+keystone_authtoken/token_cache_time auth_token
 matchmaker_ring/ringfile matchmaker
 paste_deploy/config_file paste
 paste_deploy/flavor paste
diff --git a/tools/autogenerate-config-flagmappings/heat.flagmappings b/tools/autogenerate-config-flagmappings/heat.flagmappings
index eca47e309f..a7ece26b2b 100644
--- a/tools/autogenerate-config-flagmappings/heat.flagmappings
+++ b/tools/autogenerate-config-flagmappings/heat.flagmappings
@@ -53,6 +53,7 @@ max_nested_stack_depth quota
 max_resources_per_stack quota
 max_stacks_per_tenant quota
 max_template_size quota
+memcached_servers auth_token
 notification_driver amqp
 notification_topics amqp
 onready notification
@@ -191,6 +192,32 @@ heat_api_cloudwatch/cert_file cloudwatch_api
 heat_api_cloudwatch/key_file cloudwatch_api
 heat_api_cloudwatch/max_header_line cloudwatch_api
 heat_api_cloudwatch/workers cloudwatch_api
+keystone_authtoken/admin_password auth_token
+keystone_authtoken/admin_tenant_name auth_token
+keystone_authtoken/admin_token auth_token
+keystone_authtoken/admin_user auth_token
+keystone_authtoken/auth_admin_prefix auth_token
+keystone_authtoken/auth_host auth_token
+keystone_authtoken/auth_port auth_token
+keystone_authtoken/auth_protocol auth_token
+keystone_authtoken/auth_uri auth_token
+keystone_authtoken/auth_version auth_token
+keystone_authtoken/cache auth_token
+keystone_authtoken/cafile auth_token
+keystone_authtoken/certfile auth_token
+keystone_authtoken/delay_auth_decision auth_token
+keystone_authtoken/enforce_token_bind auth_token
+keystone_authtoken/http_connect_timeout auth_token
+keystone_authtoken/http_request_max_retries auth_token
+keystone_authtoken/include_service_catalog auth_token
+keystone_authtoken/insecure auth_token
+keystone_authtoken/keyfile auth_token
+keystone_authtoken/memcache_secret_key auth_token
+keystone_authtoken/memcache_security_strategy auth_token
+keystone_authtoken/memcached_servers auth_token
+keystone_authtoken/revocation_cache_time auth_token
+keystone_authtoken/signing_dir auth_token
+keystone_authtoken/token_cache_time auth_token
 matchmaker_redis/host redis
 matchmaker_redis/password redis
 matchmaker_redis/port redis
diff --git a/tools/autogenerate-config-flagmappings/keystone.flagmappings b/tools/autogenerate-config-flagmappings/keystone.flagmappings
index dfee4d151c..b0c779bb1d 100644
--- a/tools/autogenerate-config-flagmappings/keystone.flagmappings
+++ b/tools/autogenerate-config-flagmappings/keystone.flagmappings
@@ -47,6 +47,7 @@ max_request_body_size api
 max_token_size api
 member_role_id api
 member_role_name api
+memcached_servers auth_token
 notification_driver amqp
 notification_topics amqp
 onready notification
@@ -154,6 +155,32 @@ identity/domain_specific_drivers_enabled identity
 identity/driver identity
 identity/list_limit identity
 identity/max_password_length identity
+keystone_authtoken/admin_password auth_token
+keystone_authtoken/admin_tenant_name auth_token
+keystone_authtoken/admin_token auth_token
+keystone_authtoken/admin_user auth_token
+keystone_authtoken/auth_admin_prefix auth_token
+keystone_authtoken/auth_host auth_token
+keystone_authtoken/auth_port auth_token
+keystone_authtoken/auth_protocol auth_token
+keystone_authtoken/auth_uri auth_token
+keystone_authtoken/auth_version auth_token
+keystone_authtoken/cache auth_token
+keystone_authtoken/cafile auth_token
+keystone_authtoken/certfile auth_token
+keystone_authtoken/delay_auth_decision auth_token
+keystone_authtoken/enforce_token_bind auth_token
+keystone_authtoken/http_connect_timeout auth_token
+keystone_authtoken/http_request_max_retries auth_token
+keystone_authtoken/include_service_catalog auth_token
+keystone_authtoken/insecure auth_token
+keystone_authtoken/keyfile auth_token
+keystone_authtoken/memcache_secret_key auth_token
+keystone_authtoken/memcache_security_strategy auth_token
+keystone_authtoken/memcached_servers auth_token
+keystone_authtoken/revocation_cache_time auth_token
+keystone_authtoken/signing_dir auth_token
+keystone_authtoken/token_cache_time auth_token
 kvs/backends kvs
 kvs/config_prefix kvs
 kvs/default_lock_timeout kvs
diff --git a/tools/autogenerate-config-flagmappings/neutron.flagmappings b/tools/autogenerate-config-flagmappings/neutron.flagmappings
index 6e396f6cd9..0321f51700 100644
--- a/tools/autogenerate-config-flagmappings/neutron.flagmappings
+++ b/tools/autogenerate-config-flagmappings/neutron.flagmappings
@@ -91,6 +91,7 @@ max_request_body_size api
 max_routes quotas
 max_subnet_host_routes common
 measure_interval metering_agent
+memcached_servers auth_token
 meta_flavor_driver_mappings metadata
 metadata_backlog metadata
 metadata_port metadata
@@ -454,6 +455,32 @@ heleoslb/sync_interval embrane_lb
 hyperv/force_hyperv_utils_v1 hyperv_agent
 ipsec/config_base_dir vpn
 ipsec/ipsec_status_check_interval vpn
+keystone_authtoken/admin_password auth_token
+keystone_authtoken/admin_tenant_name auth_token
+keystone_authtoken/admin_token auth_token
+keystone_authtoken/admin_user auth_token
+keystone_authtoken/auth_admin_prefix auth_token
+keystone_authtoken/auth_host auth_token
+keystone_authtoken/auth_port auth_token
+keystone_authtoken/auth_protocol auth_token
+keystone_authtoken/auth_uri auth_token
+keystone_authtoken/auth_version auth_token
+keystone_authtoken/cache auth_token
+keystone_authtoken/cafile auth_token
+keystone_authtoken/certfile auth_token
+keystone_authtoken/delay_auth_decision auth_token
+keystone_authtoken/enforce_token_bind auth_token
+keystone_authtoken/http_connect_timeout auth_token
+keystone_authtoken/http_request_max_retries auth_token
+keystone_authtoken/include_service_catalog auth_token
+keystone_authtoken/insecure auth_token
+keystone_authtoken/keyfile auth_token
+keystone_authtoken/memcache_secret_key auth_token
+keystone_authtoken/memcache_security_strategy auth_token
+keystone_authtoken/memcached_servers auth_token
+keystone_authtoken/revocation_cache_time auth_token
+keystone_authtoken/signing_dir auth_token
+keystone_authtoken/token_cache_time auth_token
 l2pop/agent_boot_time ml2_l2pop
 matchmaker_redis/host redis
 matchmaker_redis/password redis
diff --git a/tools/autogenerate-config-flagmappings/nova.flagmappings b/tools/autogenerate-config-flagmappings/nova.flagmappings
index 70013154cd..370dd07657 100644
--- a/tools/autogenerate-config-flagmappings/nova.flagmappings
+++ b/tools/autogenerate-config-flagmappings/nova.flagmappings
@@ -9,7 +9,7 @@ allowed_rpc_exception_modules testing
 amqp_auto_delete rpc rpc_all
 amqp_durable_queues rpc rpc_all
 api_paste_config wsgi
-api_rate_limit authentication
+api_rate_limit api
 auth_strategy authentication
 auto_assign_floating_ip network
 backdoor_port testing
@@ -512,6 +512,32 @@ hyperv/vswitch_name hyperv
 image_file_url/filesystems glance
 keymgr/api_class keymgr
 keymgr/fixed_key keymgr
+keystone_authtoken/admin_password auth_token
+keystone_authtoken/admin_tenant_name auth_token
+keystone_authtoken/admin_token auth_token
+keystone_authtoken/admin_user auth_token
+keystone_authtoken/auth_admin_prefix auth_token
+keystone_authtoken/auth_host auth_token
+keystone_authtoken/auth_port auth_token
+keystone_authtoken/auth_protocol auth_token
+keystone_authtoken/auth_uri auth_token
+keystone_authtoken/auth_version auth_token
+keystone_authtoken/cache auth_token
+keystone_authtoken/cafile auth_token
+keystone_authtoken/certfile auth_token
+keystone_authtoken/delay_auth_decision auth_token
+keystone_authtoken/enforce_token_bind auth_token
+keystone_authtoken/http_connect_timeout auth_token
+keystone_authtoken/http_request_max_retries auth_token
+keystone_authtoken/include_service_catalog auth_token
+keystone_authtoken/insecure auth_token
+keystone_authtoken/keyfile auth_token
+keystone_authtoken/memcache_secret_key auth_token
+keystone_authtoken/memcache_security_strategy auth_token
+keystone_authtoken/memcached_servers auth_token
+keystone_authtoken/revocation_cache_time auth_token
+keystone_authtoken/signing_dir auth_token
+keystone_authtoken/token_cache_time auth_token
 libvirt/block_migration_flag hypervisor
 libvirt/checksum_base_images libvirt
 libvirt/checksum_interval_seconds libvirt
diff --git a/tools/autogenerate-config-flagmappings/trove.flagmappings b/tools/autogenerate-config-flagmappings/trove.flagmappings
index 04ca48e0c6..9955823b42 100644
--- a/tools/autogenerate-config-flagmappings/trove.flagmappings
+++ b/tools/autogenerate-config-flagmappings/trove.flagmappings
@@ -100,6 +100,7 @@ max_backups_per_user quota
 max_header_line api
 max_instances_per_user quota
 max_volumes_per_user quota
+memcached_servers auth_token
 mount_options guestagent
 network_label_regex logging
 notification_driver amqp
@@ -207,6 +208,32 @@ couchbase/mount_point db_couchbase
 couchbase/tcp_ports db_couchbase
 couchbase/udp_ports db_couchbase
 couchbase/usage_timeout db_couchbase
+keystone_authtoken/admin_password auth_token
+keystone_authtoken/admin_tenant_name auth_token
+keystone_authtoken/admin_token auth_token
+keystone_authtoken/admin_user auth_token
+keystone_authtoken/auth_admin_prefix auth_token
+keystone_authtoken/auth_host auth_token
+keystone_authtoken/auth_port auth_token
+keystone_authtoken/auth_protocol auth_token
+keystone_authtoken/auth_uri auth_token
+keystone_authtoken/auth_version auth_token
+keystone_authtoken/cache auth_token
+keystone_authtoken/cafile auth_token
+keystone_authtoken/certfile auth_token
+keystone_authtoken/delay_auth_decision auth_token
+keystone_authtoken/enforce_token_bind auth_token
+keystone_authtoken/http_connect_timeout auth_token
+keystone_authtoken/http_request_max_retries auth_token
+keystone_authtoken/include_service_catalog auth_token
+keystone_authtoken/insecure auth_token
+keystone_authtoken/keyfile auth_token
+keystone_authtoken/memcache_secret_key auth_token
+keystone_authtoken/memcache_security_strategy auth_token
+keystone_authtoken/memcached_servers auth_token
+keystone_authtoken/revocation_cache_time auth_token
+keystone_authtoken/signing_dir auth_token
+keystone_authtoken/token_cache_time auth_token
 matchmaker_redis/host redis
 matchmaker_redis/password redis
 matchmaker_redis/port redis

Configuration option = Default value	Description
[DEFAULT]
memcached_servers = None	(ListOpt) Memcached servers or None for in process cache.
[keystone_authtoken]
admin_password = None	(StrOpt) Keystone account password
admin_tenant_name = admin	(StrOpt) Keystone service account tenant name to validate user tokens
admin_token = None	(StrOpt) Single shared secret with the Keystone configuration used for bootstrapping a Keystone installation, or otherwise bypassing the normal authentication process.
admin_user = None	(StrOpt) Keystone account username
auth_admin_prefix =	(StrOpt) Prefix to prepend at the beginning of the path
auth_host = 127.0.0.1	(StrOpt) Host providing the admin Identity API endpoint
auth_port = 35357	(IntOpt) Port of the admin Identity API endpoint
auth_protocol = https	(StrOpt) Protocol of the admin Identity API endpoint(http or https)
auth_uri = None	(StrOpt) Complete public Identity API endpoint
auth_version = None	(StrOpt) API version of the admin Identity API endpoint
cache = None	(StrOpt) Env key for the swift cache
cafile = None	(StrOpt) A PEM encoded Certificate Authority to use when verifying HTTPs connections. Defaults to system CAs.
certfile = None	(StrOpt) Required if Keystone server requires client certificate
delay_auth_decision = False	(BoolOpt) Do not handle authorization requests within the middleware, but delegate the authorization decision to downstream WSGI components
enforce_token_bind = permissive	(StrOpt) Used to control the use and type of token binding. Can be set to: "disabled" to not check token binding. "permissive" (default) to validate binding information if the bind type is of a form known to the server and ignore it if not. "strict" like "permissive" but if the bind type is unknown the token will be rejected. "required" any form of token binding is needed to be allowed. Finally the name of a binding method that must be present in tokens.
http_connect_timeout = None	(BoolOpt) Request timeout value for communicating with Identity API server.
http_request_max_retries = 3	(IntOpt) How many times are we trying to reconnect when communicating with Identity API Server.
include_service_catalog = True	(BoolOpt) (optional) indicate whether to set the X-Service-Catalog header. If False, middleware will not ask for service catalog on token validation and will not set the X-Service-Catalog header.
insecure = False	(BoolOpt) Verify HTTPS connections.
keyfile = None	(StrOpt) Required if Keystone server requires client certificate
memcache_secret_key = None	(StrOpt) (optional, mandatory if memcache_security_strategy is defined) this string is used for key derivation.
memcache_security_strategy = None	(StrOpt) (optional) if defined, indicate whether token data should be authenticated or authenticated and encrypted. Acceptable values are MAC or ENCRYPT. If MAC, token data is authenticated (with HMAC) in the cache. If ENCRYPT, token data is encrypted and authenticated in the cache. If the value is not one of these options or empty, auth_token will raise an exception on initialization.
memcached_servers = None	(ListOpt) Optionally specify a list of memcached server(s) to use for caching. If left undefined, tokens will instead be cached in-process.
revocation_cache_time = 300	(IntOpt) Determines the frequency at which the list of revoked tokens is retrieved from the Identity service (in seconds). A high number of revocation events combined with a low cache duration may significantly reduce performance.
signing_dir = None	(StrOpt) Directory used to cache files related to PKI tokens
token_cache_time = 300	(IntOpt) In order to prevent excessive effort spent validating tokens, the middleware caches previously-seen tokens for a configurable duration (in seconds). Set to -1 to disable caching completely.