diff --git a/README.md b/README.md
index b9c7e67a912455abc3ea73912d4bf14b59ca75b7..08c8dfc5bdf7b2e2170267672c457e3b2e6dd2ff 100644
--- a/README.md
+++ b/README.md
@@ -57,13 +57,19 @@ understands the following attributes:
     *remote_addr_header* instead
   * `remote_addr_header`: HTTP header to use to obtain the remote
     client address, when the request comes from a trusted forwarder
-* `http_server` specifies standard parameters for the HTTP server:
-  * `tls` contains the server-side TLS configuration:
-    * `cert` is the path to the server certificate
-    * `key` is the path to the server's private key
-    * `ca` is the path to the CA used to validate clients
-    * `acl` specifies TLS-based access controls, a list of entries
-      with the following attributes:
+* `keystore`: configures the connection to the keystore service
+  * `backend_url`: URL for the keystore service
+  * `tls_config`: client TLS configuration
+    * `cert`: path to the client certificate
+    * `key`: path to the private key
+    * `ca`: path to the CA used to validate the server
+* `http_server`: specifies standard parameters for the HTTP server
+  * `tls`: server-side TLS configuration
+    * `cert`: path to the server certificate
+    * `key`: path to the server's private key
+    * `ca`: path to the CA used to validate clients
+    * `acl`: TLS-based access controls, a list of entries with the
+      following attributes:
       * `path` is a regular expression to match the request URL path
       * `cn` is a regular expression that must match the CommonName
         part of the subject of the client certificate
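Review bot: The new `keystore` entry does not say whether the block is optional or what the login server does when it is omitted, and since it holds the credentials used to unlock user keys, that default should be stated in the README. The client TLS block is named `tls_config` here while the server block just below is `tls`; if that matches the real config keys, a short note would stop readers from assuming the two are interchangeable, and if not, one of them is a typo. It would also help to say whether `cert` and `key` must be set together and whether `ca` is required for an `https` `backend_url`. As a style point, the rewritten entries use the "`name`: description" form, but the unchanged `path` and `cn` lines under `acl` still read "`path` is ...", so the list now mixes both forms.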
@@ -78,6 +84,13 @@ accesses. This information is tracked by the
 It is implemented very simply, with a long-term cookie stored in the
 browser.
 
+## Key store
+
+On login, the login server can unlock the user's key store
+(see [keystore](https://git.autistici.org/id/keystore)). The
+associated key will be cleared either on logout, or when the login
+session expires.
+
 
 # API
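Review bot: In the new "Key store" section, "the login server can unlock the user's key store" leaves the condition open; say explicitly that this happens only when the `keystore` attribute is configured, and refer back to that attribute. The sentence "will be cleared either on logout, or when the login session expires" describes the success path only: please document what happens when the keystore service is unreachable at login (does the login fail or proceed without unlocking?) and at logout (is the key left in place until it expires?). Minor: the heading and body spell it "Key store" / "key store" while the config attribute and the linked project are `keystore`, and the added trailing blank line leaves two blank lines before "# API".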