diff --git a/docs/docs.json b/docs/docs.json index 2ae1bfd1624..d48e423ba27 100644 --- a/docs/docs.json +++ b/docs/docs.json @@ -838,7 +838,8 @@ "documentation/platform/kms/overview", "documentation/platform/kms/hsm-integration", "documentation/platform/kms/kubernetes-encryption", - "documentation/platform/kms/kmip" + "documentation/platform/kms/kmip", + "documentation/platform/kms/sigstore-cosign" ] } ] diff --git a/docs/documentation/platform/kms/sigstore-cosign.mdx b/docs/documentation/platform/kms/sigstore-cosign.mdx new file mode 100644 index 00000000000..b077926c29c --- /dev/null +++ b/docs/documentation/platform/kms/sigstore-cosign.mdx 
@@ -0,0 +1,71 @@ +--- +title: "Sigstore Cosign Integration" +description: "Sign and verify container images and artifacts using Infisical KMS with Sigstore Cosign." +--- + +Infisical KMS integrates with [Sigstore Cosign](https://github.com/sigstore/cosign) through the [sigstore-kms-infisical](https://github.com/Infisical/sigstore-kms-infisical) plugin, enabling you to sign and verify container images and artifacts using keys managed in Infisical. + +### KMS Plugin Capabilities + +| Capability | Supported | +| ---------- | --------- | +| DefaultAlgorithm | RSA_4096 | +| SupportedAlgorithms | RSA_4096, ECC_NIST_P256 | +| CreateKey | ✅ | +| PublicKey | ✅ | +| SignMessage | ✅ | +| VerifyMessage | ✅ | + +## Setup + + + + For the Sigstore library to invoke the plugin, the binary must be in your system's `PATH`. + + ```bash + git clone https://github.com/Infisical/sigstore-kms-infisical.git + cd sigstore-kms-infisical + go build -o sigstore-kms-infisical + cp sigstore-kms-infisical /usr/local/bin + ``` + + + + The plugin uses environment variables for authentication. Currently only [Machine Identity Universal Auth](/documentation/platform/identities/universal-auth) is supported. + + Set the following environment variables: + + ```bash + export INFISICAL_SITE_URL="https://app.infisical.com" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_ID="" + export INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET="" + export INFISICAL_PROJECT_ID="" + ``` + + + For self-hosted Infisical instances, set `INFISICAL_SITE_URL` to your instance's URL. 
+ + + + +## Usage + +### Signing a Container Image + +```bash +cosign sign --key "infisical://{KMS_KEY_NAME}" --tlog-upload=false my-repo/image:v1 +``` + +### Verifying a Container Image + +```bash +cosign verify --key "infisical://{KMS_KEY_NAME}" --insecure-ignore-tlog=true my-repo/image:v1 +``` + +### Creating a New Key Pair + +```bash +cosign generate-key-pair --kms infisical://{NEW_KEY_NAME} +``` + +This creates an RSA 4096 KMS key with the specified name, which you can then use for signing and verification.
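Review bot: The Usage section's sign and verify commands both turn off the Rekor transparency log (`--tlog-upload=false` on `cosign sign`, `--insecure-ignore-tlog=true` on `cosign verify`) without saying why or what is lost; add a sentence after those two blocks explaining that with these flags the signature is never recorded in the public transparency log and verification rests entirely on trust in the KMS-held key, so readers who want an auditable, tlog-backed signature should omit the flags rather than copy them as given. The closing sentence of the hunk ("This creates an RSA 4096 KMS key") is consistent with the `DefaultAlgorithm | RSA_4096` row in the capabilities table, but since the table also lists `ECC_NIST_P256` as supported, it would help to state here whether `cosign generate-key-pair` can select the EC algorithm or always produces RSA_4096.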