diff --git a/docs/operator-manual/sso.md b/docs/operator-manual/sso.md
index 0679bd3167..67b98469a4 100644
--- a/docs/operator-manual/sso.md
+++ b/docs/operator-manual/sso.md
@@ -86,6 +86,8 @@ NOTES:
 
 * Any values which start with '$' will look to a key in argocd-secret of the same name (minus the $),
   to obtain the actual value. This allows you to store the `clientSecret` as a kubernetes secret.
+    * If you are editing the secret using `kubectl edit secret` remember that the `data` field expects a base64 encoded value (`echo -n "<CLIENT_SECRET>" | base64`).
+    * The error: *Failed to authenticate: github: get user: github: get URL Get https://api.github.com/user: oauth2: token expired and refresh token is not set* can be attributed to the secret value not being interpreted correctly by dex (e.g. incorrect client secret value).
 * There is no need to set `redirectURI` in the `connectors.config` as shown in the dex documentation.
   Argo CD will automatically use the correct `redirectURI` for any OAuth2 connectors, to match the
   correct external callback URL (e.g. https://argocd.example.com/api/dex/callback)