diff --git a/refresh_osbs_odcs_oicd_token.md b/refresh_osbs_odcs_oicd_token.md new file mode 100644 index 0000000..1241017 --- /dev/null +++ b/refresh_osbs_odcs_oicd_token.md @@ -0,0 +1,24 @@ +# How to refresh the odcs oidc token used by OSBS + +OSBS needs to trigger composes to ODCS for flatpak build, this is done using an OIDC token to authenticate the requests. +This token expires every 365 days so it needs to be regenerated every year. + +## Generate a new token +In the ansible repo run the following command: + + scripts/generate-oidc-token osbs -e 365 -s https://id.fedoraproject.org/scope/groups -s https://pagure.io/odcs/new-compose -s https://pagure.io/odcs/renew-compose -s https://pagure.io/odcs/delete-compose + + +Follow the instructions given by the script and run the SQL command on the ipsilon database server: + + ssh db-fas01.iad2.fedoraproject.org + sudo -u postgres -i ipsilon + ipsilon=# BEGIN; + .... + ipsilon=# COMMIT; + +Save the value of the token generated by the script in the ansible-private repo under `ansible-private/files/osbs/production/odcs-oidc-token` (same needs to be done for the staging cluster) + +## Deploy the change + +Run the following playbook to deploy the new token `ansible-playbook /srv/web/infra/ansible/playbooks/groups/osbs/configure-osbs.yml`
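Review bot: In the "Generate a new token" steps, `sudo -u postgres -i ipsilon` does not open a database session (with `-i`, sudo hands `ipsilon` to the postgres login shell as a command), yet the following lines show an `ipsilon=#` psql prompt, so this probably wants `sudo -u postgres psql ipsilon`. The file name spells the protocol `oicd` while the title says `oidc`; rename it to `refresh_osbs_odcs_oidc_token.md` before anything links to it. Because this is a 365-day bearer token whose scopes include `delete-compose`, the doc should also state what happens to the previous token (whether its row in the ipsilon database is removed or simply left to expire), spell out the staging path instead of "same needs to be done for the staging cluster", and add a verification step after the playbook run so a mis-pasted or stale token is caught before the next flatpak build fails.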