diff --git a/breaking/action.yml b/breaking/action.yml
index 178b1a8..16e0ddb 100644
--- a/breaking/action.yml
+++ b/breaking/action.yml
@@ -61,9 +61,9 @@ inputs:
required: false
default: 'true'
github-token:
- description: 'GitHub token used to post the review link as a pull-request comment, so reviewers see it on the PR instead of only in the job summary. Pass the built-in github.token and grant the job permissions: pull-requests: write. Optional; when omitted the link is written only to the job summary. On fork pull requests the token is read-only, so commenting is skipped and the link falls back to the job summary.'
+ description: 'GitHub token used to post the review link as a pull-request comment, so reviewers see it on the PR instead of only in the job summary. Defaults to the built-in github.token, so the comment is posted automatically when the job grants permissions: pull-requests: write. Set to an empty string to disable the comment (the link then appears only in the job summary). On fork pull requests the token is read-only, so commenting is skipped and the link falls back to the job summary.'
required: false
- default: ''
+ default: ${{ github.token }}
outputs:
breaking:
description: 'Output summary of API breaking changes, encompassing both warnings and errors'
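Review bot: The new `default: ${{ github.token }}` on `github-token` turns pull-request commenting from opt-in into opt-out, and the description does not warn existing users about that. Any workflow whose job already grants `pull-requests: write` for another step will start posting the review link after upgrading, with no change to the workflow file. The token passed to the action also carries every permission the job grants, not only the one the comment needs. I would append a sentence to the description such as `The token carries all permissions granted to the job, so keep the job's permissions block to the minimum this action needs.` and call out the default change in the release notes. The identical hunk in changelog/action.yml needs the same wording.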
diff --git a/breaking/entrypoint.sh b/breaking/entrypoint.sh
index 1a63510..d0031b8 100755
--- a/breaking/entrypoint.sh
+++ b/breaking/entrypoint.sh
@@ -66,9 +66,11 @@ post_review_comment () {
body="${marker}
### 📋 [View the side-by-side API change review](${review_url})
-See exactly what changed, in context. Share this link with your team: anyone can open the review, no install and no account needed. It expires in 7 days.
+The link expires in 7 days.
-🔒 Your specs stay private. They're encrypted before upload, and only this link can unlock them. [How it works →](https://www.oasdiff.com/docs/free-review#privacy)"
+🔒 Your API specs are encrypted in CI before they're uploaded. The decryption key stays in this link's URL fragment (after the #), which browsers never send to a server, so oasdiff cannot read your specs. [How it works →](https://www.oasdiff.com/docs/free-review#privacy)
+
+Posted automatically by the [oasdiff GitHub Action](https://www.oasdiff.com/docs/free-review#github-action). To turn this off (no spec upload, no comment), set \`review: false\` on the action."
elif [ -n "$existing_id" ]; then
body="${marker}
### ✅ No breaking changes in the latest revision."
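Review bot: The rewritten comment body no longer tells readers that possession of the link is what grants access. The removed line said anyone can open the review, while the new text only explains that the key sits in the URL fragment and that oasdiff cannot read the specs. Because `${review_url}` is interpolated into a PR comment, the full URL, presumably including the fragment the text describes, is stored by GitHub and readable by everyone who can see the pull request. I would keep one sentence next to the expiry line, for example `Anyone with this link can open the review until it expires.`, so people treat the link as a secret when the specs are sensitive. The same wording change appears in changelog/entrypoint.sh, and post_review_comment starts and ends outside this hunk.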
diff --git a/changelog/action.yml b/changelog/action.yml
index e915a6e..4d47dc9 100644
--- a/changelog/action.yml
+++ b/changelog/action.yml
@@ -64,9 +64,9 @@ inputs:
required: false
default: 'true'
github-token:
- description: 'GitHub token used to post the review link as a pull-request comment, so reviewers see it on the PR instead of only in the job summary. Pass the built-in github.token and grant the job permissions: pull-requests: write. Optional; when omitted the link is written only to the job summary. On fork pull requests the token is read-only, so commenting is skipped and the link falls back to the job summary.'
+ description: 'GitHub token used to post the review link as a pull-request comment, so reviewers see it on the PR instead of only in the job summary. Defaults to the built-in github.token, so the comment is posted automatically when the job grants permissions: pull-requests: write. Set to an empty string to disable the comment (the link then appears only in the job summary). On fork pull requests the token is read-only, so commenting is skipped and the link falls back to the job summary.'
required: false
- default: ''
+ default: ${{ github.token }}
outputs:
changelog:
description: 'Output summary of API changelog'
diff --git a/changelog/entrypoint.sh b/changelog/entrypoint.sh
index ba41f09..94da126 100755
--- a/changelog/entrypoint.sh
+++ b/changelog/entrypoint.sh
@@ -85,9 +85,11 @@ post_review_comment () {
body="${marker}
### 📋 [View the side-by-side API change review](${review_url})
-See exactly what changed, in context. Share this link with your team: anyone can open the review, no install and no account needed. It expires in 7 days.
+The link expires in 7 days.
-🔒 Your specs stay private. They're encrypted before upload, and only this link can unlock them. [How it works →](https://www.oasdiff.com/docs/free-review#privacy)"
+🔒 Your API specs are encrypted in CI before they're uploaded. The decryption key stays in this link's URL fragment (after the #), which browsers never send to a server, so oasdiff cannot read your specs. [How it works →](https://www.oasdiff.com/docs/free-review#privacy)
+
+Posted automatically by the [oasdiff GitHub Action](https://www.oasdiff.com/docs/free-review#github-action). To turn this off (no spec upload, no comment), set \`review: false\` on the action."
elif [ -n "$existing_id" ]; then
body="${marker}
### ✅ No API changes in the latest revision."