diff --git a/api/v1beta3/auth_config_types.go b/api/v1beta3/auth_config_types.go
index b498a662..7ec574a2 100644
--- a/api/v1beta3/auth_config_types.go
+++ b/api/v1beta3/auth_config_types.go
@@ -356,12 +356,20 @@ type ApiKeyAuthenticationSpec struct {
 // +kubebuilder:default:=false
 AllNamespaces bool `json:"allNamespaces,omitempty"`
 
- // A Common Expression Language (CEL) expression that evaluates to a list of string keys within the selected Kubernetes
- // secret that contain valid API credentials. The keys of the selected Kubernetes secret are available for evaluation
- // in the following structure: `{"keys": ["key1", "key2"]}`.
- // Authorino will attempt to authenticate using any matching key. If no keys are defined, the default "api_key" will be used.
- // If no match is found, the Kubernetes secret is not considered a valid Authorino API Key secret and is ignored.
- // String expressions are supported (https://pkg.go.dev/github.com/google/cel-go/ext#Strings).
+ // A Common Expression Language (CEL) expression that evaluates to a list of string keys, such as `["custom_key1", "custom_key2"]`,
+ // within the selected Kubernetes secret that contains valid API credentials.
+ //
+ // The keys of the selected Kubernetes secret are available for evaluation in the following structure:
+ // `{"keys": ["api_key", "custom_key1", "custom_key2"]}`.
+ //
+ // For example, to select keys that start with "custom", use the following CEL expression:
+ // `"keys.filter(k, k.startsWith('custom'))"`
+ //
+ // Authorino will attempt to authenticate using any matching key. If this field is omitted or empty, the default `["api_key"]` will be used.
+ // If no match is found, the Kubernetes secret is not considered a valid Authorino API Key secret and will be ignored.
+ //
+ // String expressions are supported: https://pkg.go.dev/github.com/google/cel-go/ext#Strings
+ //
 // +optional
 KeySelector CelExpression `json:"keySelector,omitempty"`
 }
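Review bot: The new `KeySelector` doc comment gives the example as `"keys.filter(k, k.startsWith('custom'))"` with the double quotes inside the backticks, which can be read as a CEL string literal rather than as YAML quoting; a string result is presumably rejected, since the evaluator's error message in this same commit now expects `[]string`. I would drop the inner quotes or show the field as it appears in a manifest. The comment also never states that every key the expression returns is accepted as a credential, so a prefix filter like the example admits any key later added to the secret under that prefix; a line such as `// Every key returned by the expression is treated as a valid API key; prefer an explicit list or a narrow filter.` would make that visible. ApiKeyAuthenticationSpec starts outside the hunk, and the same text is carried into the two CRD YAML files.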
diff --git a/install/crd/authorino.kuadrant.io_authconfigs.yaml b/install/crd/authorino.kuadrant.io_authconfigs.yaml
index ff1e8429..5b47f73b 100644
--- a/install/crd/authorino.kuadrant.io_authconfigs.yaml
+++ b/install/crd/authorino.kuadrant.io_authconfigs.yaml
@@ -2395,12 +2395,23 @@ spec:
 type: boolean
 keySelector:
 description: |-
- A Common Expression Language (CEL) expression that evaluates to a list of string keys within the selected Kubernetes
- secret that contain valid API credentials. The keys of the selected Kubernetes secret are available for evaluation
- in the following structure: `{"keys": ["key1", "key2"]}`.
- Authorino will attempt to authenticate using any matching key. If no keys are defined, the default "api_key" will be used.
- If no match is found, the Kubernetes secret is not considered a valid Authorino API Key secret and is ignored.
- String expressions are supported (https://pkg.go.dev/github.com/google/cel-go/ext#Strings).
+ A Common Expression Language (CEL) expression that evaluates to a list of string keys, such as `["custom_key1", "custom_key2"]`,
+ within the selected Kubernetes secret that contains valid API credentials.
+
+
+ The keys of the selected Kubernetes secret are available for evaluation in the following structure:
+ `{"keys": ["api_key", "custom_key1", "custom_key2"]}`.
+
+
+ For example, to select keys that start with "custom", use the following CEL expression:
+ `"keys.filter(k, k.startsWith('custom'))"`
+
+
+ Authorino will attempt to authenticate using any matching key. If this field is omitted or empty, the default `["api_key"]` will be used.
+ If no match is found, the Kubernetes secret is not considered a valid Authorino API Key secret and will be ignored.
+
+
+ String expressions are supported: https://pkg.go.dev/github.com/google/cel-go/ext#Strings
 type: string
 selector:
 description: Label selector used by Authorino to match secrets
diff --git a/install/manifests.yaml b/install/manifests.yaml
index bac1404c..f9cbe24a 100644
--- a/install/manifests.yaml
+++ b/install/manifests.yaml
@@ -2662,12 +2662,23 @@ spec:
 type: boolean
 keySelector:
 description: |-
- A Common Expression Language (CEL) expression that evaluates to a list of string keys within the selected Kubernetes
- secret that contain valid API credentials. The keys of the selected Kubernetes secret are available for evaluation
- in the following structure: `{"keys": ["key1", "key2"]}`.
- Authorino will attempt to authenticate using any matching key. If no keys are defined, the default "api_key" will be used.
- If no match is found, the Kubernetes secret is not considered a valid Authorino API Key secret and is ignored.
- String expressions are supported (https://pkg.go.dev/github.com/google/cel-go/ext#Strings).
+ A Common Expression Language (CEL) expression that evaluates to a list of string keys, such as `["custom_key1", "custom_key2"]`,
+ within the selected Kubernetes secret that contains valid API credentials.
+
+
+ The keys of the selected Kubernetes secret are available for evaluation in the following structure:
+ `{"keys": ["api_key", "custom_key1", "custom_key2"]}`.
+
+
+ For example, to select keys that start with "custom", use the following CEL expression:
+ `"keys.filter(k, k.startsWith('custom'))"`
+
+
+ Authorino will attempt to authenticate using any matching key. If this field is omitted or empty, the default `["api_key"]` will be used.
+ If no match is found, the Kubernetes secret is not considered a valid Authorino API Key secret and will be ignored.
+
+
+ String expressions are supported: https://pkg.go.dev/github.com/google/cel-go/ext#Strings
 type: string
 selector:
 description: Label selector used by Authorino to match secrets
diff --git a/pkg/evaluators/identity/api_key.go b/pkg/evaluators/identity/api_key.go
index 13de4c77..a9e7bddb 100644
--- a/pkg/evaluators/identity/api_key.go
+++ b/pkg/evaluators/identity/api_key.go
@@ -205,7 +205,7 @@ func (a *APIKey) getValuesFromSecret(ctx context.Context, secret k8s.Secret) []s
 // Convert evaluated result to a slice of strings
 selectedKeys, ok := convertToStringSlice(evaluated)
 if !ok {
- logger.Error(fmt.Errorf("unexpected type for resolved key"), "expected string or []string", "value", evaluated)
+ logger.Error(fmt.Errorf("unexpected type for resolved key"), "expected []string", "value", evaluated)
 return nil
 }
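Review bot: The error logged when `convertToStringSlice` fails still does not say which type the `keySelector` expression actually returned, and nothing in the visible call names the secret that is being skipped, so an operator investigating rejected API keys has little to go on. Consider `fmt.Errorf("unexpected type %T for resolved key", evaluated)`, which also gives the `fmt.Errorf` call a reason to exist, and add the secret's namespace and name as key/value pairs if the logger does not already carry them. Because `evaluated` is written to the log verbatim, it is worth confirming that the CEL input exposes only key names and never secret values. getValuesFromSecret starts and ends outside the hunk.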