diff --git a/observability/otel/otel-collector/otel-collector-exporters.adoc b/observability/otel/otel-collector/otel-collector-exporters.adoc
index 3c916bfdc292..16f0ee1d44d1 100644
--- a/observability/otel/otel-collector/otel-collector-exporters.adoc
+++ b/observability/otel/otel-collector/otel-collector-exporters.adoc
@@ -43,7 +43,10 @@ The OTLP gRPC Exporter exports traces and metrics by using the OpenTelemetry pro
           insecure_skip_verify: false # # <4>
           reload_interval: 1h # <5>
           server_name_override: <name> # <6>
-        headers: # <7>
+          tpm:
+            enabled: false  # <7>
+            path: /dev/tpmrm0 # <8>
+        headers: # <9>
           X-Scope-OrgID: "dev"
     service:
       pipelines:
@@ -59,7 +62,9 @@ The OTLP gRPC Exporter exports traces and metrics by using the OpenTelemetry pro
 <4> Skips verifying the certificate when set to `true`. The default value is `false`.
 <5> Specifies the time interval at which the certificate is reloaded. If the value is not set, the certificate is never reloaded. The `reload_interval` accepts a string containing valid units of time such as `ns`, `us` (or `µs`), `ms`, `s`, `m`, `h`.
 <6> Overrides the virtual host name of authority such as the authority header field in requests. You can use this for testing.
-<7> Headers are sent for every request performed during an established connection.
+<7> Enables reading the TSS2 private key (`key_file`) from Trusted Platform Module (TPM). The default value is `false`.
+<8> The path to the TPM device. The path must be provided if the TPM is enabled.
+<9> Headers are sent for every request performed during an established connection.
 
 [id="otlp-http-exporter_{context}"]
 == OTLP HTTP Exporter