pomerium
diff --git a/‎content/docs/capabilities/getting-users-identity.mdx
+2-2 b/‎content/docs/capabilities/getting-users-identity.mdx
+2-2
diff --git a/‎content/docs/deploy/cloud/_category_.json
+3 b/‎content/docs/deploy/cloud/_category_.json
+3
diff --git a/‎content/docs/deploy/core.mdx
+28-4 b/‎content/docs/deploy/core.mdx
+28-4
@@ -1,9 +1,9 @@
 ---
 # cSpell:ignore ecparam genkey noout pubout secp256r1 QCN7adG2AmIK3UdHJvVJkldsUc6XeBRz83Z4rXX8Va4 ary66nrvA55TpaiWADq8b3O1CYIbvjqIHpXCY envoyproxy Jklds Tpai Ibvjq Lamda
 
-title: Continious Identity Verification at the Application Layer
+title: Continuous Identity Verification at the Application Layer
 description: Learn how Pomerium uses JWTs for identity and context verification, how it fits into a zero trust environment, and four ways to validate the JWT in your upstream service.
-sidebar_label: Continious Identity Verification
+sidebar_label: Continuous Identity Verification
 keywords:
   - jwt
   - jwt authentication
 
@@ -0,0 +1,3 @@
+{
+  "label": "Cloud"
+}
@@ -102,8 +102,17 @@ We also provide container images on [Docker Hub](https://hub.docker.com/r/pomeri
 Example usage:
 
 ```bash
+# config.yaml is your Pomerium configuration.
+# See https://www.pomerium.com/docs/deploy/core#configuration
+#
+# Note: The external port (8443) can be changed without affecting your route configuration
+# as long as your routes don't specify explicit ports. See
+# https://pomerium.com/docs/reference/routes/from#port-matching-behavior for more information
 docker pull pomerium/pomerium:latest
-docker run --rm -it -p 443:443 pomerium/pomerium:latest --version
+docker run --rm -it \
+  -p 8443:443 \
+  -v $(pwd)/config.yaml:/pomerium/config.yaml \
+  pomerium/pomerium:latest
 ```
 
 If you plan to run on port 443 in a rootless environment, you may need extra [capabilities](https://linux-audit.com/linux-capabilities-hardening-linux-binaries-by-removing-setuid/) or choose a non-privileged port.
@@ -140,11 +149,26 @@ Pomerium is configured via [configuration variables](/docs/reference) (environme
 
 ```yaml title="config.yaml"
 # Minimal example route
+#
+# Generate a shared secret by running head -c32 /dev/urandom | base64
+# More on shared secrets at https://www.pomerium.com/docs/reference/shared-secret
 shared_secret: REPLACE_ME
+
+# Generate a cookie secret by running head -c32 /dev/urandom | base64
+# More on cookie secrets at https://www.pomerium.com/docs/reference/cookies#cookie-secret
 cookie_secret: REPLACE_ME
-idp_provider: google
-idp_client_id: REPLACE_ME
-idp_client_secret: REPLACE_ME
+
+# If the Authenticate Service URL is not set, the Pomerium Hosted Authenticate Service will be used.
+# See https://www.pomerium.com/docs/reference/service-urls#authenticate-service-url
+#
+# authenticate_service_url: REPLACE_ME
+#
+# For more information on identity provider settings, see https://pomerium.com/docs/reference/identity-provider-settings
+#
+# idp_provider: REPLACE_ME
+# idp_client_id: REPLACE_ME
+# idp_client_secret: REPLACE_ME
+
 address: :443
 
 routes: