diff --git a/README.md b/README.md
index b254bbc..e27b38e 100644
--- a/README.md
+++ b/README.md
@@ -90,7 +90,7 @@ succeed, using other NRICs will result in an error. See the list of personas in
| Configuration item | Explanation |
|---|---|
-| Client certificate | **Overview:** When client makes any request, what certificate is used to verify the request signature, and what certificate is used to encrypt the data payload.
**Default:** static certificate/key `static/certs/(server.crt|key.pub)` are used.
**How to configure:** Set the env var `SERVICE_PROVIDER_PUB_KEY` to the path to a public key PEM file, and `SERVICE_PROVIDER_CERT_PATH` to the path to a certificate PEM file. (A certificate PEM file can also be provided to `SERVICE_PROVIDER_PUB_KEY`, despite the env var name.) |
+| Client certificate | **Overview:** When client makes any request, what certificate is used to verify the request signature, and what certificate is used to encrypt the data payload.
**Default:** static certificate/key `static/certs/(server.crt\|key.pub)` are used.
**How to configure:** Set the env var `SERVICE_PROVIDER_PUB_KEY` to the path to a public key PEM file, and `SERVICE_PROVIDER_CERT_PATH` to the path to a certificate PEM file. (A certificate PEM file can also be provided to `SERVICE_PROVIDER_PUB_KEY`, despite the env var name.) |
| Client secret | **Overview:** When client makes a Token request, whether MockPass verifies the request signature.
**Default:** Disabled.
**How to configure:** Enable for all requests by setting the env var `SERVICE_PROVIDER_MYINFO_SECRET` to some non-blank string. Provide this value to your application as well. |
| Payload encryption | **Overview:** When client makes a Person or Person-Basic request, whether MockPass encrypts the data payload. When client makes a Person request, whether MockPass verifies the request signature.
**Default:** Disabled.
**How to configure:** Enable for all requests by setting the env var `ENCRYPT_MYINFO` to `true`. |