diff --git a/draft-ietf-wimse-s2s-protocol.md b/draft-ietf-wimse-s2s-protocol.md
index bb259ae..0b2608b 100644
--- a/draft-ietf-wimse-s2s-protocol.md
+++ b/draft-ietf-wimse-s2s-protocol.md
@@ -313,7 +313,7 @@ A WPT contains the following:
     * `exp`: The expiration time of the WIT (as defined in {{Section 4.1.4 of RFC7519}}). WPT lifetimes MUST be short,
      e.g., on the order of minutes or seconds.
     * `jti`: A unique identifier for the token.
-    * `wth`: Hash of the Workload Identity Token. The value, as per {{TODO}}, is the base64url encoding of the SHA-256
+    * `wth`: Hash of the Workload Identity Token. The value, as defined in {{to-wit}}, is the base64url encoding of the SHA-256
      hash of the ASCII encoding of the token's value.
     * `ath`: Hash of the OAuth access token, if present in the request, which might convey end-user identity and
      authorization context of the request. The value, as per {{Section 4.1 of RFC9449}},