diff --git a/docs/pages/deployment/recommended-deployment.rst b/docs/pages/deployment/recommended-deployment.rst
index 678bb314f..73473118f 100644
--- a/docs/pages/deployment/recommended-deployment.rst
+++ b/docs/pages/deployment/recommended-deployment.rst
@@ -58,7 +58,8 @@ These HTTP endpoints are available on ``:8080``.
 
    *Security*: HTTPS with **publicly trusted** server certificate (on proxy).
 
-* **/oauth2**: for accessing OAuth2 and OpenID services.
+* **/oauth2**: for accessing OAuth2 and OpenID services. ``/callback`` and ``/authorize`` are disabled by default on the Nuts node. They can be enabled by setting ``auth.authorizationendpoint.enabled`` to ``true``.
+   Use this only for experimental OpenID4VCI and OpenID4VP use cases.
 
    *Users*: Verifiable Credential issuers and verifiers, OAuth2 client applications (e.g. other Nuts nodes, resource viewers)
 
@@ -76,6 +77,15 @@ These HTTP endpoints are available on ``:8080``.
 
    *Security*: HTTPS with **publicly trusted** server certificate (on proxy).
 
+Optional Public Endpoints
+-------------------------
+
+* **/discovery**: for discovering server endpoints. Forward if your node is acting as a discovery service server.
+
+   *Users*: Other Nuts nodes.
+
+   *Security*: HTTPS with **publicly trusted** server certificate (on proxy).
+
 Internal Endpoints
 ------------------
 This section describes HTTP endpoints that must only be reachable by your own applications integrating with the Nuts node.