diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h
index 676c11261..7e49e0ba0 100644
--- a/include/mbedtls/ssl_internal.h
+++ b/include/mbedtls/ssl_internal.h
@@ -1730,6 +1730,15 @@ static inline unsigned int mbedtls_ssl_conf_get_ems_enforced(
 #define MBEDTLS_ALWAYS_INLINE
 #endif
 
+/* This internal function can be used to pend a fatal alert for
+ * later delivery.
+ *
+ * The check for pending alerts must be done manually. Currently,
+ * it happens only during the handshake loop.
+ *
+ * This function must not be called multiple times without manually
+ * inspecting and clearing ssl->pending_fatal_alert_msg in between.
+ */
 MBEDTLS_ALWAYS_INLINE static inline int mbedtls_ssl_pend_fatal_alert(
     mbedtls_ssl_context *ssl,
     unsigned char message )