diff --git a/changelogs/client_server/newsfragments/3151.feature b/changelogs/client_server/newsfragments/3151.feature
new file mode 100644
index 000000000..a6aa98e9f
--- /dev/null
+++ b/changelogs/client_server/newsfragments/3151.feature
@@ -0,0 +1 @@
+Document how clients can simplify usage of Secure Secret Storage ([MSC2874](https://github.com/uhoreg/matrix-doc/pull/new/single_ssss_spec)).
diff --git a/content/client-server-api/modules/secrets.md b/content/client-server-api/modules/secrets.md
index b4ae8c027..897ea1964 100644
--- a/content/client-server-api/modules/secrets.md
+++ b/content/client-server-api/modules/secrets.md
@@ -42,7 +42,7 @@ passphrases](#deriving-keys-from-passphrases).
 
 | Parameter  | Type      | Description
 |------------|-----------|-------------------------------------------------------------------------------------------------------------------------------------|
-| name       | string    | **Required.** The name of the key.                                                                                                  |
+| name       | string    | Optional. The name of the key. If not given, the client may use a generic name such as "Unnamed key", or "Default key" if the key is marked as the default key (see below). |
 | algorithm  | string    | **Required.** The encryption algorithm to be used for this key. Currently, only `m.secret_storage.v1.aes-hmac-sha2` is supported.   |
 | passphrase | string    | See [deriving keys from passphrases](#deriving-keys-from-passphrases) section for a description of this property.                   |
 
@@ -56,6 +56,18 @@ will be used to encrypt all secrets that the user would expect to be
 available on all their clients. Unless the user specifies otherwise,
 clients will try to use the default key to decrypt secrets.
 
+Clients that want to present a simplified interface to users by not supporting
+multiple keys should use the default key if one is specified. If not default
+key is specified, the client may behave as if there is no key is present at
+all. When such a client creates a key, it should mark that key as being the
+default key.
+
+`DefaultKey`
+
+| Parameter  | Type      | Description
+|------------|-----------|------------------------------------------|
+| key        | string    | **Required.** The ID of the default key. |
+
 ##### Secret storage
 
 Encrypted data is stored in the user's account\_data using the event
@@ -118,6 +130,16 @@ and the key descriptions for the keys would be:
 }
 ```
 
+If `key_id_1` is the default key, then we also have:
+
+`m.secret_storage.default_key`:
+
+```
+{
+  "key": "key_id_1"
+}
+```
+
 ###### `m.secret_storage.v1.aes-hmac-sha2`
 
 Secrets encrypted using the `m.secret_storage.v1.aes-hmac-sha2`