diff --git a/.speakeasy/workflow.yaml b/.speakeasy/workflow.yaml
index 1586eb0e..ddd657a0 100644
--- a/.speakeasy/workflow.yaml
+++ b/.speakeasy/workflow.yaml
@@ -15,6 +15,7 @@ sources:
 - location: overlays/custom-metadata-modifications-overlay.yaml
 - location: overlays/agent-modifications-overlay.yaml
 - location: overlays/admin-modifications-overlay.yaml
+ - location: overlays/oauth-client-security-overlay.yaml
 output: overlayed_specs/glean-merged-spec.yaml
 registry:
 location: registry.speakeasyapi.dev/glean-el2/sdk/glean-api-specs
@@ -29,6 +30,7 @@ sources:
 - location: overlays/client-modifications-overlay.yaml
 - location: overlays/agent-modifications-overlay.yaml
 - location: overlays/admin-modifications-overlay.yaml
+ - location: overlays/oauth-client-security-overlay.yaml
 output: overlayed_specs/glean-client-api-specs.yaml
 glean-client-merged-code-samples-spec:
 inputs:
diff --git a/overlays/oauth-client-security-overlay.yaml b/overlays/oauth-client-security-overlay.yaml
new file mode 100644
index 00000000..75427742
--- /dev/null
+++ b/overlays/oauth-client-security-overlay.yaml
@@ -0,0 +1,29 @@
+overlay: 1.0.0
+x-speakeasy-jsonpath: rfc9535
+info:
+ title: OAuth Client API security
+ version: 0.0.1
+# A Glean API token and an OAuth access token are both HTTP bearer credentials,
+# so the existing single APIToken security scheme already covers both — no
+# separate OAuth security scheme is required, and the generated SDKs keep their
+# existing flat `apiToken` constructor field. This overlay only clarifies the
+# scheme description to document OAuth usage.
+#
+# External-IdP OAuth tokens additionally require the `X-Glean-Auth-Type: OAUTH`
+# request header, which the caller supplies (e.g. a per-request header option on
+# the SDKs, or a custom HTTP client). Glean-issued OAuth tokens (Glean OAuth
+# Authorization Server, including Dynamic Client Registration clients) are
+# detected by issuer and need no header.
+#
+# OAuth applies to the Client API only; the Indexing API accepts Glean-issued
+# tokens exclusively.
+actions:
+ - target: $.components.securitySchemes.APIToken
+ update:
+ description: >-
+ HTTP bearer token. Accepts a Glean-issued API token, an OAuth access
+ token from the Glean OAuth Authorization Server (including Dynamic Client
+ Registration clients), or an OAuth access token issued by an external
+ identity provider. External-IdP OAuth tokens must also include the
+ `X-Glean-Auth-Type: OAUTH` request header. OAuth is supported on the
+ Client API only; the Indexing API requires a Glean-issued token.
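Review bot: The `description` written under `update` says external-IdP OAuth tokens need the `X-Glean-Auth-Type: OAUTH` header, but not that the caller has to add it. That detail sits only in the YAML comment above `actions:`, which a parser drops, so it never reaches the generated reference docs or SDK docs. This overlay keeps the single `APIToken` bearer scheme and declares no header parameter, so nothing in the spec carries the header for the caller. I would add a sentence to the description such as `The SDKs do not add this header; set it per request or through a custom HTTP client.` If the behaviour is defined, the description should also state what happens to an external-IdP token sent without the header, so integrators can recognise that failure.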