diff --git a/docs/docs/configuration/auth/providers.mdx b/docs/docs/configuration/auth/providers.mdx
index 3d3cca0a..7fda085a 100644
--- a/docs/docs/configuration/auth/providers.mdx
+++ b/docs/docs/configuration/auth/providers.mdx
@@ -36,7 +36,9 @@ The following authentication providers require an [enterprise license](/docs/lic
 Authentication using both a **GitHub OAuth App** and a **GitHub App** is supported. In both cases, you must provide Sourcebot the `CLIENT_ID` and `SECRET_ID` and configure the 
 callback URL correctly (more info in Auth.js docs). 
 
-When using a **GitHub App**, enable the `“Email addresses” account permissions (read)` permission to allow Sourcebot to read the email of the user from GitHub after they authenticate.
+When using a **GitHub App** for auth, enable the following permissions:
+- `“Email addresses” account permissions (read)`
+- `"Metadata" repository permissions (read)` (only needed if enabling [permission syncing](/docs/features/permission-syncing))
 
 **Required environment variables:**
 - `AUTH_EE_GITHUB_CLIENT_ID`