diff --git a/tests/docs/kms-bootstrap-onboard.md b/tests/docs/kms-bootstrap-onboard.md
index f3b60f80..9b810160 100644
--- a/tests/docs/kms-bootstrap-onboard.md
+++ b/tests/docs/kms-bootstrap-onboard.md
@@ -26,7 +26,7 @@ It also includes a compact deny-case matrix for common service-rejection paths s
 
 For a deeper authorization-focused runbook, also see:
 
-- `tests/docs/kms-self-authrization.md`
+- `tests/docs/kms-self-authorization.md`
 
 ---
 
@@ -68,7 +68,7 @@ Recommended references:
 - `docs/tutorials/kms-cvm-deployment.md`
 - `docs/tutorials/troubleshooting-kms-deployment.md`
 - `kms/auth-simple/README.md`
-- `tests/docs/kms-self-authrization.md`
+- `tests/docs/kms-self-authorization.md`
 
 Operational notes:
 
@@ -336,7 +336,7 @@ Expected result:
 
 - trusted runtime RPCs fail after the KMS is no longer authorized
 
-This overlaps with `kms-self-authrization.md`, but is useful as a quick post-deploy sanity check.
+This overlaps with `kms-self-authorization.md`, but is useful as a quick post-deploy sanity check.
 
 ### 7.6 Recommended deny-case checks
 
diff --git a/tests/docs/kms-self-authrization.md b/tests/docs/kms-self-authorization.md
similarity index 100%
rename from tests/docs/kms-self-authrization.md
rename to tests/docs/kms-self-authorization.md