diff --git a/docs/access-control.rst b/docs/access-control.rst
index 4a85dbd..89347af 100644
--- a/docs/access-control.rst
+++ b/docs/access-control.rst
@@ -4,6 +4,18 @@ Access Control
 
 Kube Ops View supports protecting the UI via the OAuth Authorization Code Grant flow.
 
+Relevant configuration settings (environment variables) for OAuth are:
+
+``APP_URL``
+    The app's own URL, e.g. https://kube-ops-view.example.org. This is used to construct the OAuth 2 redirect URI (callback URL).
+``AUTHORIZE_URL``
+    OAuth 2 authorization endpoint URL, e.g. https://oauth2.example.org/authorize
+``ACCESS_TOKEN_URL``
+    Token endpoint URL for the OAuth 2 Authorization Code Grant flow, e.g. https://oauth2.example.org/token
+``CREDENTIALS_DIR``
+    Folder path to load client credentials from. The folder needs to contain two files: ``authcode-client-id`` and ``authcode-client-secret``.
+
+
 TODO: how to configure
 
 Screen Tokens