diff --git a/keyserve/doc.go b/keyserve/doc.go
index 41b2827..4a25a5b 100644
--- a/keyserve/doc.go
+++ b/keyserve/doc.go
@@ -5,7 +5,7 @@ via OIDC-style (https://example.com/.well-known/openid-configuration) and
 Auth0-style (https://example.com/.well-known/jwks.json) URLs.
 It uses the keypairs package to encode to JWK format.
-Basic usage:
+Basic Usage
 import (
 "crypto/ecdsa"
@@ -19,12 +19,16 @@ Basic usage:
 pub := key.Public()
 handlers := &keyserve.Middleware{
+ // the self-reference used for building the openid-configuration url
 BaseURL: "https://example.com/",
+ // public keys used to verify token signatures
 Keys: []keypairs.PublicKey{ keypairs.NewPublicKey(pub) }
+ // how long clients should cache your public key
 ExpiresIn: 72 * time.Hour
+
 }
 You can then use the handlers anywhere http.HandleFunc is allowed:
diff --git a/keyserve/keyserve.go b/keyserve/keyserve.go
index d00cac7..aa5bcdc 100644
--- a/keyserve/keyserve.go
+++ b/keyserve/keyserve.go
@@ -84,7 +84,7 @@ func (m *Middleware) Handler(w http.ResponseWriter, r *http.Request) bool {
 // others to receive a cached version of the malicious response rather than
 // hitting the server and getting the correct response. Unlikely that that's
 // you (and if it is you have much bigger problems), but I feel the need to
-// warn you all the same.
+// warn you all the same - so just be sure to specify BaseURL.
 func (m *Middleware) WellKnownOIDC(w http.ResponseWriter, r *http.Request) {
 var baseURL url.URL