Merge pull request #4050 from hhunter-ms/issue_3680

Clarify documentation around `dapr-api-token`

daprdocs/content/en/operations/security/api-token.md

@@ -88,7 +88,11 @@ kubectl rollout restart deployment/<deployment-name> --namespace <namespace-name
 
 ## Adding API token to client API invocations
 
-Once token authentication is configured in Dapr, all clients invoking Dapr API will have to append the API token token to every request:
+Once token authentication is configured in Dapr, all clients invoking Dapr API need to append the `dapr-api-token` token to every request. 
+
+> **Note:** The Dapr SDKs read the [DAPR_API_TOKEN]({{< ref environment >}}) environment variable and set it for you by default.
+
+<img src="/images/tokens-auth.png" width=800 style="padding-bottom:15px;">
 
 ### HTTP
 

daprdocs/content/en/operations/security/app-api-token.md

@@ -89,11 +89,13 @@ kubectl rollout restart deployment/<deployment-name> --namespace <namespace-name
 
 ## Authenticating requests from Dapr
 
-Once app token authentication is configured in Dapr, all requests *coming from Dapr* include the token.
+Once app token authentication is configured using the environment variable or Kubernetes secret `app-api-token`, the Dapr sidecar always includes the HTTP header/gRPC metadata `dapr-api-token: <token>` in the calls to the app. From the app side, ensure you are authenticating using the `dapr-api-token` value which uses the `app-api-token` you set to authenticate requests from Dapr.
+
+<img src="/images/tokens-auth.png" width=800 style="padding-bottom:15px;">
 
 ### HTTP
 
-In case of HTTP, in your code look for the HTTP header `dapr-api-token` in incoming requests:
+In your code, look for the HTTP header `dapr-api-token` in incoming requests:
 
 ```text
 dapr-api-token: <token>