Diffstat (limited to 'taler-merchant-manual.rst')
-rw-r--r-- taler-merchant-manual.rst 13
1 files changed, 7 insertions, 6 deletions
diff --git a/taler-merchant-manual.rst b/taler-merchant-manual.rst
index 6782c7ef..f8e2eb30 100644
--- a/taler-merchant-manual.rst
+++ b/taler-merchant-manual.rst
@@ -778,16 +778,17 @@ If everything worked as expected, the command
.. code-block:: console
- $ curl http://localhost:8888/
+ $ curl http://localhost:8888/config
-should return the message
+should return some basic configuration status data about the service.
-.. code-block:: none
+Please note that your backend is right now likely globally reachable. You can either:
- Hello, I'm a merchant's Taler backend. This HTTP server is not for humans.
+ * Use the ``--auth=$TOKEN`` command-line option to set an access token to be provided in an ``Authorize: Bearer $TOKEN`` HTTP header. Note that this can be used at anytime to override access control, but remains only in effect until a first instance is created or an existing instance authentication setting is modified.
+ * Set the ``TALER_MERCHANT_TOKEN`` environment variable to ``$TOKEN`` for the same effect. This method has the advantage of ``$TOKEN`` not being visible as a command-line interface to other local users on the same machine.
+ * Set up an instance with an authentication token before some unauthorized person has a chance to access the backend. As the backend is useless without any instance and the chances of remote attackers during the initial configuration is low, this is probably sufficient for most use-cases. Still, keep the first two scenarios in mind in case you ever forget your access token!
-Please note that your backend is right now likely globally reachable.
-Production systems should be configured to bind to a UNIX domain socket
+Production systems should additionally be configured to bind to a UNIX domain socket
and use TLS for improved network privacy, see :ref:`Secure setup <Secure-setup>`.
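Review bot: The first added bullet names the header as ``Authorize: Bearer $TOKEN``, but the standard HTTP request header for bearer tokens is ``Authorization``, so a reader who copies the text as written will send a header name that does not carry credentials. Suggest changing it to ``Authorization: Bearer $TOKEN``. In the same bullet, "can be used at anytime to override access control" and "remains only in effect until a first instance is created or an existing instance authentication setting is modified" pull in opposite directions; one sentence stating exactly when the ``--auth`` token applies would remove the ambiguity, since this paragraph is the reader's only guidance while the backend is "likely globally reachable". In the second bullet, "visible as a command-line interface" should read "command-line argument", and "at anytime" should be "at any time". The third bullet's phrase "the chances of remote attackers during the initial configuration is low" has a subject-verb mismatch ("chances ... are low"), and since it recommends relying on timing alone, it would help to state the order explicitly: create the instance with a token first, then expose the port.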