diff --git a/security/custom_authenticator.rst b/security/custom_authenticator.rst
index 8dbeeaf287a..60604fce11b 100644
--- a/security/custom_authenticator.rst
+++ b/security/custom_authenticator.rst
@@ -49,7 +49,11 @@ method that fits most use-cases::
                 throw new CustomUserMessageAuthenticationException('No API token provided');
             }
 
-            return new SelfValidatingPassport(new UserBadge($apiToken));
+            // implement your own logic to get the user identifier from `$apiToken`
+            // e.g. by finding one user in database by its API key
+            $userIdentifier = /** ... */;
+
+            return new SelfValidatingPassport(new UserBadge($userIdentifier));
         }
 
         public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $firewallName): ?Response