diff --git a/docs/changelog.rst b/docs/changelog.rst
index 66d46bce..feba9390 100644
--- a/docs/changelog.rst
+++ b/docs/changelog.rst
@@ -4,6 +4,15 @@
 Changelog
 =========
 
+.. _v1_0_a22:
+
+1.0a22 (2025-11-13)
+-------------------
+
+- ``datasette serve --default-deny`` option for running Datasette configured to  :ref:`deny all permissions by default <authentication_default_deny>`. (:issue:`2592`)
+- ``datasette.is_client()`` method for detecting if code is :ref:`executing inside a datasette.client request <internals_datasette_is_client>`. (:issue:`2594`)
+- ``datasette.pm`` property can now be used to :ref:`register and unregister plugins in tests <testing_plugins_register_in_test>`. (:issue:`2595`)
+
 .. _v1_0_a21:
 
 1.0a21 (2025-11-05)
diff --git a/docs/internals.rst b/docs/internals.rst
index 09d45c90..cfd78593 100644
--- a/docs/internals.rst
+++ b/docs/internals.rst
@@ -1077,6 +1077,8 @@ This parameter works with all HTTP methods (``get``, ``post``, ``put``, ``patch`
 
     Use ``skip_permission_checks=True`` with caution. It completely bypasses Datasette's permission system and should only be used in trusted plugin code or internal operations where you need guaranteed access to resources.
 
+.. _internals_datasette_is_client:
+
 Detecting internal client requests
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~