diff --git a/docs/enterprise/install/helm.md b/docs/enterprise/install/helm.md index f7d56c491..81eee94b3 100644 --- a/docs/enterprise/install/helm.md +++ b/docs/enterprise/install/helm.md @@ -162,3 +162,7 @@ kubectl delete svc pomerium-proxy [Pomerium using Helm]: /docs/install/helm.md [cert-manager]: https://cert-manager.io/docs/ + +### Generate Recovery Token + +!!!include(generate-recovery-token.md)!!! diff --git a/docs/enterprise/install/img/recovery-token.png b/docs/enterprise/install/img/recovery-token.png new file mode 120000 index 000000000..b89316549 --- /dev/null +++ b/docs/enterprise/install/img/recovery-token.png @@ -0,0 +1 @@ +../../../partials/img/recovery-token.png \ No newline at end of file diff --git a/docs/enterprise/install/quickstart.md b/docs/enterprise/install/quickstart.md index c0e9741fa..91948a086 100644 --- a/docs/enterprise/install/quickstart.md +++ b/docs/enterprise/install/quickstart.md @@ -212,3 +212,9 @@ audience: console.localhost.pomerium.com ## Next Steps Pomerium Enterprise assumes access to a [Prometheus](https://prometheus.io/) data store for metrics. See [Prometheus Metrics](/enterprise/prometheus.md) to learn how to configure access. + +## Troubleshooting + +### Generate Recovery Token + +!!!include(generate-recovery-token.md)!!! \ No newline at end of file diff --git a/docs/partials/generate-recovery-token.md b/docs/partials/generate-recovery-token.md new file mode 100644 index 000000000..c3804c3c2 --- /dev/null +++ b/docs/partials/generate-recovery-token.md 
@@ -0,0 +1,17 @@ +There could arise several situations that prevent Pomerium from authenticating users to Pomerium Enterprise. In these situations, you may be presented with the recovery sign in page: + +![Pomerium Enterprise Recovery Sign In](./img/recovery-token.png) + +This page requires a recovery token. To generate a token, run the `pomerium-console generate-recovery token` with the following flags: + +| Flag | Description | +| --------------------------- | ----------- | +| `--database-encryption-key` | base64-encoded encryption key for encrypting sensitive data in the database. | +| `--database-url` | The database to connect to (default "`postgresql://pomerium:pomerium@localhost:5432/dashboard?sslmode=disable`"). | +| `--namespace` | The namespace to use (default "`9d8dbd2c-8cce-4e66-9c1f-c490b4a07243`" for Global). | +| `--out` | Where to save the JWT. If not specified, it will be printed to stdout. | +| `--ttl` | The amount of time before the recovery token expires. Requires a unit (example: `30s`, `5m`).| + +::: tip +You can run the `pomerium-console` binary from any device with access to the database. +::: \ No newline at end of file diff --git a/docs/partials/img/recovery-token.png b/docs/partials/img/recovery-token.png new file mode 100644 index 000000000..17c97ad51 Binary files /dev/null and b/docs/partials/img/recovery-token.png differ
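Review bot: In docs/enterprise/install/helm.md the new `### Generate Recovery Token` heading is appended after the link reference definitions (`[Pomerium using Helm]: ...`, `[cert-manager]: ...`) and has no `## Troubleshooting` parent, unlike the quickstart.md hunk. As an h3 it will nest under whichever h2 precedes it in that file. Suggest adding `## Troubleshooting` above it to match quickstart.md, and placing the new section above the reference definitions so they stay at the end of the file.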
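Review bot: In docs/partials/generate-recovery-token.md the command is written `pomerium-console generate-recovery token`, with a space before `token`, while the file name and the heading both read generate-recovery-token. Please confirm the subcommand spelling, and add the word "command" after it so the sentence parses. The flag table does not say which flags are required or what `--ttl` defaults to. The closing tip says any device with access to the database can run the binary, but the table also lists `--database-encryption-key`, so if that key is required the tip should say the host needs both. Because the output is a JWT accepted by the recovery sign-in page, the text should recommend a short `--ttl`, advise deleting the `--out` file after use, and point out that the documented default URL uses `sslmode=disable` with the `pomerium:pomerium` credentials, which should not be carried over to a database reached over a network.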
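Review bot: docs/enterprise/install/img/recovery-token.png is added as a symlink (mode 120000) to `../../../partials/img/recovery-token.png` so that the partial's relative `./img/recovery-token.png` resolves from the including page. That only covers pages under docs/enterprise/install/; any other page that includes the partial will need its own link, and symlinks are not checked out as links on every platform. If the site build allows it, reference the image from the partial by a path that does not depend on the including page. The files flagged with `\ No newline at end of file` (the symlink target aside) should also get a trailing newline.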