diff doc/upgrading.txt @ 7556:273c8c2b5042

fix(api): - issue2551063 - Rest/Xmlrpc interfaces need failed login protection. Failed API login rate limiting with expiring lockout added.
author John Rouillard <rouilj@ieee.org>
date Wed, 19 Jul 2023 20:37:45 -0400
parents f3c456e9a6c2
children 978285986b2c
--- a/doc/upgrading.txt	Tue Jul 18 23:18:09 2023 -0400
+++ b/doc/upgrading.txt	Wed Jul 19 20:37:45 2023 -0400
@@ -92,6 +92,42 @@
 
 .. index:: Upgrading; 2.2.0 to 2.3.0
 
+Migrating from 2.3.0 to 2.4.0
+=============================
+
+Update your ``config.ini`` (required)
+-------------------------------------
+
+Upgrade tracker's config.ini file. Use::
+
+  roundup-admin -i /path/to/tracker updateconfig newconfig.ini
+
+to generate a new ini file preserving all your settings.
+You can then merge any local comments from the tracker's
+``config.ini`` to ``newconfig.ini`` and replace
+``config.ini`` with ``newconfig.ini``.
+
+``updateconfig`` will tell you if it is changing old default
+values or if a value must be changed manually.
+
+This will insert the bad API login rate limiting settings.
+
+Bad Login Rate Limiting and Locking (info)
+------------------------------------------
+
+Brute force logins have been rate limited in the HTML web interface
+for a while. This was not the case with the API interfaces.
+
+This release introduces rate limiting for invalid REST or XMLRPC API
+logins.  As with the web interface, users who have hit the rate limit
+have their accounts locked until after the recommended delay time has
+passed.  See `information on configuring the API rate limits`_ for
+details.
+
+.. _`information on configuring the API rate limits`: rest.html#rate-limiting-api-failed-logins
+
+.. index:: Upgrading; 2.2.0 to 2.3.0
+
 Migrating from 2.2.0 to 2.3.0
 =============================
 
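Review bot: The index entries end up attached to the wrong sections. The unchanged context line `.. index:: Upgrading; 2.2.0 to 2.3.0` at the top of the hunk now sits directly above the new "Migrating from 2.3.0 to 2.4.0" heading, so the new section is indexed under the old version range, while the added `.. index:: Upgrading; 2.2.0 to 2.3.0` before "Migrating from 2.2.0 to 2.3.0" duplicates it. The hunk should also change that context line to `.. index:: Upgrading; 2.3.0 to 2.4.0`. Separately, the sentence "This will insert the bad API login rate limiting settings." tells the administrator that new settings appear but not what they are called or what defaults `updateconfig` will write; since a lockout until "the recommended delay time has passed" affects legitimate users as well, the upgrade note should name the new `config.ini` options and their defaults (or state that the defaults match the web interface) so an administrator can review them before upgrading rather than having to follow the rest.html link.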

Roundup Issue Tracker: http://roundup-tracker.org/