From 9f18a0a70c9228f5892594c6b56425b8bed1899f Mon Sep 17 00:00:00 2001 From: mickael emirkanian Date: Fri, 15 May 2026 14:07:45 -0400 Subject: [PATCH] docs: clarify authz content type update based on the logic in https://github.com/moby/moby/blob/0686f57c3d942ce4440f9ed7f2e955de3687dd4e/pkg/authorization/authz.go#L177 Signed-off-by: mickael emirkanian --- docs/extend/plugins_authorization.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/docs/extend/plugins_authorization.md b/docs/extend/plugins_authorization.md index 232d5f1e6d06..2380d370db11 100644 --- a/docs/extend/plugins_authorization.md +++ b/docs/extend/plugins_authorization.md @@ -75,8 +75,10 @@ Each request sent to the plugin includes the authenticated user, the HTTP headers, and the request/response body. Only the user name and the authentication method used are passed to the plugin. Most importantly, no user credentials or tokens are passed. Finally, not all request/response bodies -are sent to the authorization plugin. Only those request/response bodies where -the `Content-Type` is either `text/*` or `application/json` are sent. +are sent to the authorization plugin. Only request/response bodies where +the `Content-Type` is `application/json` are sent to the authorization plugin; +bodies of any other `Content-Type` are not visible to the plugin and cannot +be used for enforcement, even though the daemon may still act on this data. For commands that can potentially hijack the HTTP connection (`HTTP Upgrade`), such as `exec`, the authorization plugin is only called for the
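Review bot: In the added lines of the `@@ -75,8 +75,10 @@` hunk, the text says bodies of any other `Content-Type` "are not visible to the plugin and cannot be used for enforcement" but does not tell plugin authors what to do about that gap. The context lines above state that the HTTP headers are passed to the plugin, so consider adding a sentence that a plugin whose policy depends on body contents should check the `Content-Type` header and deny requests whose body it will not receive. It would also help to state whether the match is on the bare media type only or also covers values carrying parameters (for example `application/json; charset=utf-8`), since readers will otherwise have to consult the linked `authz.go` to find out. Two wording points: "this data" is ambiguous and reads better as "those bodies", and "are sent to the authorization plugin" now ends two consecutive sentences, so the second occurrence can be shortened to "are sent".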