diff --git a/README.md b/README.md index eb88d93..da9b9e2 100644 --- a/README.md +++ b/README.md @@ -25,6 +25,12 @@ tag, or opt-in to [use a full Git commit SHA] and Dependabot. ### Trusted publishing +> [!NOTE] Trusted publishing cannot be used from within a reusable workflow at this +> time. It is recommended to instead create a non-reusable workflow that contains a +> job calling your reusable workflow, and then do the trusted publishing step from +> a separate job within that non-reusable workflow. Alternatively, you can still +> use a username/token inside the reusable workflow. + > [!NOTE] > Trusted publishing is sometimes referred to by its > underlying technology -- OpenID Connect, or OIDC for short. diff --git a/oidc-exchange.py b/oidc-exchange.py index b7c6f2d..781a181 100644 --- a/oidc-exchange.py +++ b/oidc-exchange.py @@ -71,6 +71,9 @@ If a claim is not present in the claim set, then it is rendered as `MISSING`. * `repository_owner_id`: `{repository_owner_id}` * `job_workflow_ref`: `{job_workflow_ref}` * `ref`: `{ref}` + +See https://docs.pypi.org/trusted-publishers/troubleshooting/ for more help. + """ # Rendered if the package index's token response isn't valid JSON.
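Review bot: In the README.md hunk, the new alert puts its text on the same line as the marker (`> [!NOTE] Trusted publishing cannot be used ...`), while the existing note just below it keeps `> [!NOTE]` on a line of its own. GitHub only renders the alert styling when the marker stands alone on the first line of the blockquote, so this will likely show up as a plain quote beginning with the literal `[!NOTE]`. Suggest splitting it into `> [!NOTE]` followed by `> Trusted publishing cannot be used from within a reusable workflow at this` to match the note below. Since the restriction is worded "at this time", a link to wherever the limitation is tracked would also tell readers when the advice can be dropped.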
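Review bot: In the oidc-exchange.py hunk, the added line hard-codes `https://docs.pypi.org/trusted-publishers/troubleshooting/` into a message that, judging by the neighbouring comment ("the package index's token response"), is rendered for whichever package index the exchange targets. For an index other than PyPI the link points users at documentation that may not apply; consider wording it as PyPI's troubleshooting guide, or only appending it when the target is PyPI. The extra blank `+` line before the closing `"""` also adds a trailing empty line to the rendered message; drop it unless the spacing is intended.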