diff --git a/lib/modules/manager/circleci/readme.md b/lib/modules/manager/circleci/readme.md
index 39533ff501f755db98e6466a9d6ebf377819c3d6..8b02aa3d36ef60f2affc5aad2dace59c027beab8 100644
--- a/lib/modules/manager/circleci/readme.md
+++ b/lib/modules/manager/circleci/readme.md
@@ -1,3 +1,29 @@
 The `circleci` manager extracts both `docker` as well as `orb` datasources from CircleCI config files.
 
 If you need to change the versioning format, read the [versioning](https://docs.renovatebot.com/modules/versioning/) documentation to learn more.
+
+### Private orbs
+
+To get private orbs working you should:
+
+1. Encrypt your CircleCI token with the [Renovate encryption page](https://app.renovatebot.com/encrypt)
+1. Create a new `hostRules` entry in your Renovate config file
+1. Put the encrypted token in the `token` field
+
+The end-result should look like this:
+
+```json
+{
+  "hostRules": [
+    {
+      "matchHost": "circleci.com",
+      "authType": "Token-Only",
+      "encrypted": {
+        "token": "****"
+      }
+    }
+  ]
+}
+```
+
+This config strips the Bearer/Basic prefix from the `authorization` header.