diff --git a/README.md b/README.md
index 86cdddef..dbb0b77b 100644
--- a/README.md
+++ b/README.md
@@ -64,6 +64,16 @@ well as a web variant tailored toward Rack-based applications.
 The authorizers are intended for authorization use cases. For sign-on,
 see [Google Identity Platform](https://developers.google.com/identity/)
 
+## Important notes
+
+If you accept a credential configuration (credential JSON/File/Stream) from an
+external source for authentication to Google Cloud Platform, you must validate
+it before providing it to any Google API or library. Providing an unvalidated
+credential configuration to Google APIs can compromise the security of your
+systems and data.
+For more information, refer to [Validate credential configurations from external
+sources](https://cloud.google.com/docs/authentication/external/externally-sourced-credentials).
+
 ### Example (Web)
 
 ```ruby