diff --git a/authority/provisioner/aws.go b/authority/provisioner/aws.go
index a4fd3e9f..29d937e9 100644
--- a/authority/provisioner/aws.go
+++ b/authority/provisioner/aws.go
@@ -115,6 +115,12 @@ type awsInstanceIdentityDocument struct {
 // If DisableTrustOnFirstUse is true, multiple sign request for this provisioner
 // with the same instance will be accepted. By default only the first request
 // will be accepted.
+//
+// If InstanceAge is set, only the instances with an pendingTime within the
+// given period will be accepted.
+//
+// Amazon Identity docs are available at
+// https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html
 type AWS struct {
 Type string `json:"type"`
 Name string `json:"name"`
diff --git a/authority/provisioner/azure.go b/authority/provisioner/azure.go
index d0157bd0..6ec69095 100644
--- a/authority/provisioner/azure.go
+++ b/authority/provisioner/azure.go
@@ -74,6 +74,10 @@ type azurePayload struct {
 // If DisableTrustOnFirstUse is true, multiple sign request for this provisioner
 // with the same instance will be accepted. By default only the first request
 // will be accepted.
+//
+// Microsoft Azure identity docs are available at
+// https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token
+// and https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service
 type Azure struct {
 Type string `json:"type"`
 Name string `json:"name"`
diff --git a/authority/provisioner/gcp.go b/authority/provisioner/gcp.go
index 421ec77e..71f4413a 100644
--- a/authority/provisioner/gcp.go
+++ b/authority/provisioner/gcp.go
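Review bot: The InstanceAge paragraph added to the AWS type's doc comment says what happens when the field is set but not what an unset value means, and the GCP hunk has the same gap. The paragraph just above it allows repeated sign requests when DisableTrustOnFirstUse is true, so an operator reading these comments cannot tell whether an identity document stays usable for the whole life of the instance in that configuration. If an unset InstanceAge means no age check (the enforcement code is outside this diff, so that is an assumption to confirm), state it, e.g. `// If InstanceAge is not set, the age of the instance is not checked.` The AWS line also has a typo: `an pendingTime` should be `a pendingTime`. The doc comment starts above the hunk and the struct body continues below it.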
@@ -66,6 +66,12 @@ func newGCPConfig() *gcpConfig {
 // If DisableTrustOnFirstUse is true, multiple sign request for this provisioner
 // with the same instance will be accepted. By default only the first request
 // will be accepted.
+//
+// If InstanceAge is set, only the instances with an instance_creation_timestamp
+// within the given period will be accepted.
+//
+// Google Identity docs are available at
+// https://cloud.google.com/compute/docs/instances/verifying-instance-identity
 type GCP struct {
 Type string `json:"type"`
 Name string `json:"name"`