diff --git a/CHANGELOG.md b/CHANGELOG.md index 62ae77f8..5f35f68d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,11 +2,30 @@ ## [Unreleased](https://github.com/GoogleCloudPlatform/healthcare-federated-access-services/tree/HEAD) -[Full Changelog](https://github.com/GoogleCloudPlatform/healthcare-federated-access-services/compare/v0.9.2...HEAD) +[Full Changelog](https://github.com/GoogleCloudPlatform/healthcare-federated-access-services/compare/v0.9.3...HEAD) + +## [v0.9.3](https://github.com/GoogleCloudPlatform/healthcare-federated-access-services/tree/v0.9.3) + +[Full Changelog](https://github.com/GoogleCloudPlatform/healthcare-federated-access-services/compare/v0.9.2...v0.9.3) **Migration** -* Need to import `permissions` file in IC and DAM into datastore, for test setup just run `import.bash` +* Need to import `permissions` file in IC and DAM into datastore, for test setup just run `import.bash` with `-t` + +**Highlight Updates** + +* Implements token management endpoints: + + * List tokens of user: `GET /(identity|dam)/v1alpha/users/{user}/tokens` + * Delete token of user: `DELETE /(identity|dam)/v1alpha/users/{user}/tokens/{token_id}` + +* Implements audit logs endpoints: + + * List audit logs of user `GET /(identity|dam)/v1alpha/users/{user}/auditlogs`. + +* Passport Visa [Embedded Document format](https://github.com/ga4gh/data-security/blob/master/AAI/AAIConnectProfile.md#embedded-document-token-format) restriction: + + * JKU URL in the JWT header is now restricted to issuer's domain as found in the `iss` claim, otherwise the visa will be rejected. ## [v0.9.2](https://github.com/GoogleCloudPlatform/healthcare-federated-access-services/tree/v0.9.2) diff --git a/apis.md b/apis.md index a5666fc4..07066774 100644 --- a/apis.md +++ b/apis.md 
@@ -103,11 +103,6 @@ SCIM-like endpoints have the following user management limitations: * Only a limited number of object attributes (i.e. object fields) are available for PATCH. For example, `primary` for emails and `value` for photos. -The following are Consents Management endpoints: - -* "/identity/v1alpha/{realm}/users/{user}/consents": list user remembered consents. -* "/identity/v1alpha/{realm}/users/{user}/consents/{consent_id}": revoke user remembered consent. - #### Account Linking You can link accounts using the following extension to SCIM V2: @@ -202,12 +197,25 @@ filter for that object. For example: #### Tokens and Consents -The following token and consents are used: +The following are Consents Management endpoints: + +* "/identity/v1alpha/{realm}/users/{user}/consents": list user remembered consents. +* "/identity/v1alpha/{realm}/users/{user}/consents/{consent_id}": revoke user remembered consent. + +The following are Token Management endpoints: + +* "/identity/v1alpha/{realm}/users/{user}/tokens": list user tokens. +* "/identity/v1alpha/{realm}/users/{user}/tokens/{token_id}": delete user token. + +#### Audit logs + +* "/identity/v1alpha/{realm}/users/{user}/auditlogs": view auditlogs of user. + + * Required user token or admin token + * `page_size` type int, required query param + * `page_token` type string, query param, not required, used to access next page of auditlogs + * `filter` type string, query param, not required, only supports filter by time in RFC3339. example: `time>=2020-01-01T01:00:00Z AND time<=2020-01-10T01:00:00Z` -* "/tokens": token management. For more information, see - "proto/tokens/v1/consents.proto". -* "/consents": consent management. For more information, see - "proto/tokens/v1/tokens.proto". ### Non-Admin Configuration Endpoints 
@@ -280,6 +288,15 @@ The following implements a subset of [SCIM V2 API](https://tools.ietf.org/html/r See the IC's SCIM notes for limitations of use that also apply to the DAM. +The following are Token Management endpoints: + +* "/dam/v1alpha/{realm}/users/{user}/tokens": list user tokens. +* "/dam/v1alpha/{realm}/users/{user}/tokens/{token_id}": delete user token. + +### Audit logs + +* "/dam/v1alpha/{realm}/users/{user}/auditlogs": view auditlogs of user. + ### Non-Admin Configuration Endpoints The following provide read-only access to non-admins for various parts of diff --git a/dam.md b/dam.md index a530a2d2..8ad88a7a 100644 --- a/dam.md +++ b/dam.md @@ -331,13 +331,13 @@ production systems and validate the configs are correct before pushing them to deployments. ``` -./import.bash -e ic +./import.bash -p -e -t ic ``` or ``` -./import.bash -e dam +./import.bash -p -e -t dam ``` ## Appendix A: Three Layer Auth Flow
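Review bot: the Migration entry tells readers to run `import.bash` with `-t`, but the dam.md hunk in this same change switches the documented command to `./import.bash -p -e -t ic`; either list all three flags here or reconcile the two so a reader following the changelog does not run a different command than the docs show. Two smaller points in the same hunk: the Highlight Updates paths (`/(identity|dam)/v1alpha/users/{user}/tokens`) omit the `{realm}` segment that apis.md documents (`/identity/v1alpha/{realm}/users/{user}/tokens`), so they should be aligned; and the JKU entry says the URL is "restricted to issuer's domain as found in the `iss` claim" without stating the comparison rule, so suggest spelling out whether the `jku` host must equal the `iss` host or merely share a suffix, since that rule is what decides which visas are rejected.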
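Review bot: in the IC "Audit logs" entry, "Required user token or admin token" does not say whether a user token is limited to the `{user}` in the path (token subject must match) or whether only an admin token can read another user's logs; the Token Management list just above it carries no token requirement at all, so suggest adding the same authorization line to the tokens endpoints and stating the scoping rule for both. Also: `page_size` is marked required but no maximum is documented; the `filter` line gives one example (`time>=... AND time<=...`) but does not list the supported operators; and "view auditlogs of user" should read "view audit logs of the user". The removed lines had the proto references crossed (`"/tokens"` pointed at `consents.proto`), so dropping them is right, but the new lists lose the pointer to the message definitions; suggest re-adding `proto/tokens/v1/tokens.proto` and `proto/tokens/v1/consents.proto` under the correct headings.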
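Review bot: the DAM "Audit logs" entry lists `/dam/v1alpha/{realm}/users/{user}/auditlogs` without the `page_size`/`page_token`/`filter` parameters or the token requirement that the IC section documents; since `page_size` is required there, a caller reading only the DAM section will issue a request that fails. Suggest either repeating the parameter list or adding "See the IC's audit log notes" the way the SCIM paragraph directly above does for its limitations.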
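Review bot: the dam.md hunk adds `-p -e -t` to both `import.bash` invocations but nothing in the hunk or the changelog explains what `-p` and `-e` do, and the changelog describes `-t` as being "for test setup" while the surrounding paragraph is about validating configs before pushing them to production deployments. Suggest a sentence stating what each flag does and either showing separate test and production invocations or making clear that `-t` is the intended flag for the path this section describes.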