diff --git a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/extauth/v1/extauth.proto.sk.md b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/extauth/v1/extauth.proto.sk.md
index 7335193a0a5..e2277aade56 100644
--- a/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/extauth/v1/extauth.proto.sk.md
+++ b/docs/content/reference/api/github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/extauth/v1/extauth.proto.sk.md
@@ -1499,7 +1499,7 @@ added to the `AuthorizationRequest` state under the "api_key_value" key name. | `headersFromMetadataEntry` | `map>` | API key structures might contain additional data (e.g. the ID of the user that the API key belongs to) in the form of extra fields included in the API key metadata structure. This configuration can be used to add this data to the headers of successfully authenticated requests. Each key in the map represents the name of header to be added; the corresponding value determines the key in the API key metadata structure that will be inspected to determine the value for the header. When the provided API key token has been successfully validated, and this field has been configured, then any extra API key metadata fields that were able to be discovered will be added to the `AuthorizationRequest` state under the key name that was configured. For example, using the `x-user-name` string as the header name, and referencing an existing "user-email" API key metadata entry will result in the value of this "user-email" metadata entry being accessable in other auth modules in the `AuthorizationRequest.State["x-user-name"]` key. This behavior allows other modules (e.g. OPA) to build more powerful rules to further validate the contents of the extra API key metadata than what's possible using the standalone API key module. | | `k8SSecretApikeyStorage` | [.enterprise.gloo.solo.io.K8sSecretApiKeyStorage](../extauth.proto.sk/#k8ssecretapikeystorage) | Only one of `k8sSecretApikeyStorage` or `aerospikeApikeyStorage` can be set. | | `aerospikeApikeyStorage` | [.enterprise.gloo.solo.io.AerospikeApiKeyStorage](../extauth.proto.sk/#aerospikeapikeystorage) | Only one of `aerospikeApikeyStorage` or `k8sSecretApikeyStorage` can be set. | -| `skipMetadataValidation` | `bool` | | +| `skipMetadataValidation` | `bool` | API key metadata may contain data is is invalid for a header, such as a newline. 
By default, this data will be validated in the data plane and mitigated in a way that provides a consistent experience for the user and visibility for the operator. This validation comes with a performance cost, and can be disabled by setting this field to `true`. | @@ -2711,7 +2711,7 @@ These values will be encoded in a basic auth header in order to authenticate the | `headersFromKeyMetadata` | `map` | Determines the key metadata that will be included as headers on the upstream request. Each entry represents a header to add: the key is the name of the header, and the value is the key that will be used to look up the data entry in the key metadata. | | `k8SSecretApikeyStorage` | [.enterprise.gloo.solo.io.K8sSecretApiKeyStorage](../extauth.proto.sk/#k8ssecretapikeystorage) | Only one of `k8sSecretApikeyStorage` or `aerospikeApikeyStorage` can be set. | | `aerospikeApikeyStorage` | [.enterprise.gloo.solo.io.AerospikeApiKeyStorage](../extauth.proto.sk/#aerospikeapikeystorage) | Only one of `aerospikeApikeyStorage` or `k8sSecretApikeyStorage` can be set. | -| `skipMetadataValidation` | `bool` | | +| `skipMetadataValidation` | `bool` | API key metadata may contain data is is invalid for a header, such as a newline. By default, this data will be validated in the data plane and mitigated in a way that provides a consistent experience for the user and visibility for the operator. This validation comes with a performance cost, and can be disabled by setting this field to `true`. | diff --git a/projects/gloo/api/v1/enterprise/options/extauth/v1/extauth.proto b/projects/gloo/api/v1/enterprise/options/extauth/v1/extauth.proto index 0933d413315..b664de8f378 100644 --- a/projects/gloo/api/v1/enterprise/options/extauth/v1/extauth.proto +++ b/projects/gloo/api/v1/enterprise/options/extauth/v1/extauth.proto 
@@ -1167,6 +1167,9 @@ message ApiKeyAuth { bool required = 2; } + // API key metadata may contain data is is invalid for a header, such as a newline. By default, this data will be validated + // in the data plane and mitigated in a way that provides a consistent experience for the user and visibility for the operator. + // This validation comes with a performance cost, and can be disabled by setting this field to `true`. bool skip_metadata_validation = 8; } message K8sSecretApiKeyStorage { @@ -2121,6 +2124,9 @@ message ExtAuthConfig { AerospikeApiKeyStorage aerospike_apikey_storage = 5; } + // API key metadata may contain data is is invalid for a header, such as a newline. By default, this data will be validated + // in the data plane and mitigated in a way that provides a consistent experience for the user and visibility for the operator. + // This validation comes with a performance cost, and can be disabled by setting this field to `true`. bool skip_metadata_validation = 6; } diff --git a/projects/gloo/pkg/api/v1/enterprise/options/extauth/v1/extauth.pb.go b/projects/gloo/pkg/api/v1/enterprise/options/extauth/v1/extauth.pb.go index 055e9765399..722edc3c488 100644 --- a/projects/gloo/pkg/api/v1/enterprise/options/extauth/v1/extauth.pb.go +++ b/projects/gloo/pkg/api/v1/enterprise/options/extauth/v1/extauth.pb.go 
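Review bot: The comment added above `skip_metadata_validation` in `ApiKeyAuth` (repeated verbatim above field 6 in the `ExtAuthConfig` hunk) presents the flag only as a performance switch and never says what setting it to `true` leaves unprotected. With validation off, metadata values containing a newline or other header-invalid bytes are presumably used unchecked wherever API key metadata becomes header values, so the storage backend then has to be trusted to hold only header-safe data. I would fix the typo and state that caveat, e.g. `// API key metadata may contain data that is invalid for a header, such as a newline.` and `// Only set this to true when every writer to the API key storage backend is trusted to store header-safe values.` "Mitigated" is also left undefined; the comment should say whether an invalid value is dropped, rewritten, or causes the request to be denied. Both messages begin outside their hunks, and the same text is repeated in the `.sk.md` and `.pb.go` hunks, so the wording fix belongs in the `.proto`.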
@@ -3245,8 +3245,11 @@ type ApiKeyAuth struct { // // *ApiKeyAuth_K8SSecretApikeyStorage // *ApiKeyAuth_AerospikeApikeyStorage - StorageBackend isApiKeyAuth_StorageBackend `protobuf_oneof:"storage_backend"` - SkipMetadataValidation bool `protobuf:"varint,8,opt,name=skip_metadata_validation,json=skipMetadataValidation,proto3" json:"skip_metadata_validation,omitempty"` + StorageBackend isApiKeyAuth_StorageBackend `protobuf_oneof:"storage_backend"` + // API key metadata may contain data is is invalid for a header, such as a newline. By default, this data will be validated + // in the data plane and mitigated in a way that provides a consistent experience for the user and visibility for the operator. + // This validation comes with a performance cost, and can be disabled by setting this field to `true`. + SkipMetadataValidation bool `protobuf:"varint,8,opt,name=skip_metadata_validation,json=skipMetadataValidation,proto3" json:"skip_metadata_validation,omitempty"` } func (x *ApiKeyAuth) Reset() { 
@@ -8766,8 +8769,11 @@ type ExtAuthConfig_ApiKeyAuthConfig struct { // // *ExtAuthConfig_ApiKeyAuthConfig_K8SSecretApikeyStorage // *ExtAuthConfig_ApiKeyAuthConfig_AerospikeApikeyStorage - StorageBackend isExtAuthConfig_ApiKeyAuthConfig_StorageBackend `protobuf_oneof:"storage_backend"` - SkipMetadataValidation bool `protobuf:"varint,6,opt,name=skip_metadata_validation,json=skipMetadataValidation,proto3" json:"skip_metadata_validation,omitempty"` + StorageBackend isExtAuthConfig_ApiKeyAuthConfig_StorageBackend `protobuf_oneof:"storage_backend"` + // API key metadata may contain data is is invalid for a header, such as a newline. By default, this data will be validated + // in the data plane and mitigated in a way that provides a consistent experience for the user and visibility for the operator. + // This validation comes with a performance cost, and can be disabled by setting this field to `true`. + SkipMetadataValidation bool `protobuf:"varint,6,opt,name=skip_metadata_validation,json=skipMetadataValidation,proto3" json:"skip_metadata_validation,omitempty"` } func (x *ExtAuthConfig_ApiKeyAuthConfig) Reset() {