diff --git a/lib/krb5/krb5_encrypt.3 b/lib/krb5/krb5_encrypt.3
index 9199fcb2d..3fa865c9b 100644
--- a/lib/krb5/krb5_encrypt.3
+++ b/lib/krb5/krb5_encrypt.3
@@ -41,6 +41,7 @@
 .Nm krb5_crypto_getpadsize ,
 .Nm krb5_decrypt ,
 .Nm krb5_decrypt_EncryptedData ,
+.Nm krb5_decrypt_ticket ,
 .Nm krb5_encrypt ,
 .Nm krb5_encrypt_EncryptedData,
 .Nm krb5_enctype_disable ,
@@ -62,6 +63,8 @@ Kerberos 5 Library (libkrb5, -lkrb5)
 .Ft krb5_error_code
 .Fn krb5_decrypt_EncryptedData "krb5_context context" "krb5_crypto crypto" "unsigned usage" "EncryptedData *e" "krb5_data *result"
 .Ft krb5_error_code
+.Fn krb5_decrypt_ticket "krb5_context context" "Ticket *ticket" "krb5_keyblock *key" "EncTicketPart *out" "krb5_flags flags"
+.Ft krb5_error_code
 .Fo krb5_crypto_getblocksize
 .Fa "krb5_context context"
 .Fa "size_t *blocksize"
@@ -140,6 +143,15 @@ and
 .Fn krb5_decrypt_EncryptedData
 works similarly.
 .Pp
+.Fn krb5_decrypt_ticket
+decrypts the encrypted part of 
+.Fa ticket
+with
+.Fa key .
+.Fn krb5_decrypt_ticket
+also verifies the timestamp in the ticket, invalid flag and if the KDC
+haven't verified the transited path, the transit path.
+.Pp
 .Fn krb5_enctype_keysize ,
 .Fn krb5_crypto_getconfoundersize ,
 .Fn krb5_crypto_getblocksize ,