diff --git a/CHANGELOG.md b/CHANGELOG.md index 2edd8ce22..9ab1dcacf 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -23,7 +23,7 @@ Unreleased changes are available as `avenga/couper:edge` container. * [**Beta**](./docs/BETA.md) * `beta_scope_claim` attribute to [`jwt` block](./docs/REFERENCE.md#jwt-block); `beta_scope` attribute to [`api`](./docs/REFERENCE.md#api-block) and [`endpoint` block](./docs/REFERENCE.md#endpoint-block)s; [error types](./docs/ERRORS.md#error-types) `beta_operation_denied` and `beta_insufficient_scope` ([#315](https://github.com/avenga/couper/pull/315)) - * `beta_role_claim` and `beta_role_map` attributes to [`jwt` block](./docs/REFERENCE.md#jwt-block) ([#325](https://github.com/avenga/couper/pull/325)) + * `beta_role_claim` and `beta_role_map` attributes to [`jwt` block](./docs/REFERENCE.md#jwt-block) ([#325](https://github.com/avenga/couper/pull/325)) ([#338](https://github.com/avenga/couper/pull/338)) * **Dependencies** * build with go 1.17 ([#331](https://github.com/avenga/couper/pull/331)) diff --git a/docs/REFERENCE.md b/docs/REFERENCE.md index 4c6cc3960..d30b5deb9 100644 --- a/docs/REFERENCE.md +++ b/docs/REFERENCE.md 
@@ -353,7 +353,7 @@ required _label_. | `required_claims` |string|-|List of claim names that must be given for a valid token |-|`required_claims = ["role"]`| | `beta_scope_claim` |string|-|name of claim specifying the scope of token|The claim value must either be a string containing a space-separated list of scope values or a list of string scope values|`beta_scope_claim = "scope"`| | `beta_role_claim` |string|-|name of claim specifying the roles of the user represented by the token|The claim value must either be a string containing a space-separated list of role values or a list of string role values|`beta_role_claim = "role"`| -| `beta_role_map` |string|-|mapping of roles to scope values|-|`beta_role_map = { role1 = ["scope1", "scope2"], role2 = ["scope3"] }`| +| `beta_role_map` |string|-| mapping of roles to scope values | Non-mapped roles can be assigned with `*` to specific claims. |`beta_role_map = { role1 = ["scope1", "scope2"], role2 = ["scope3"], "*" = ["public"] }`| | `jwks_url` | string | - | URI pointing to a set of [JSON Web Keys (RFC 7517)](https://datatracker.ietf.org/doc/html/rfc7517) | - | `jwks_url = "http://identityprovider:8080/jwks.json"` | | `jwks_ttl` | [duration](#duration) | `"1h"` | Time period the JWK set stays valid and may be cached. | - | `jwks_ttl = "1800s"` | | `backend` | string| - | [backend reference](#backend-block) for enhancing JWKS requests| - | `backend = "jwks_backend"` |
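Review bot: In the CHANGELOG.md hunk, the changed `beta_role_claim` / `beta_role_map` entry only gains a second PR link, `([#338](https://github.com/avenga/couper/pull/338))`, so the changelog gives no hint that this patch documents a `*` wildcard key for `beta_role_map`. A wildcard affects which scope values a token can end up with, so it deserves a few words in the entry itself, for example by appending "(including `*` for non-mapped roles)" before the links.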
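Review bot: In the docs/REFERENCE.md hunk, the new `beta_role_map` description "Non-mapped roles can be assigned with `*` to specific claims." says "claims" where the attribute is described as a "mapping of roles to scope values" and the example assigns `"*" = ["public"]`, so the wording should say scope values. The sentence also leaves open the cases that matter for authorization: whether the `*` scope values apply only to role values that have no entry of their own or to every token, whether they are added on top of the scope values of mapped roles, and whether a token that lacks the `beta_role_claim` claim receives them. If it matches the behaviour, something like "Roles without an explicit entry are assigned the scope values listed under `*`" would be clearer, followed by a short statement for each of those cases. The type column of this row still reads `string` although the example value is a map.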