diff --git a/docs/README.md b/docs/README.md
index 5cf22551ab27d47906e1b1dc121abdc5555f427b..6d81702659b2479e8494eb62a1e9f90c92a6d833 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -1073,7 +1073,7 @@ is that there is no QoS in unsubscribe request.
 
 ## TLS
 
-### mg\_tls\_init()
+### struct mg\_tls\_opts
 
 ```c
 struct mg_tls_opts {
@@ -1083,6 +1083,28 @@ struct mg_tls_opts {
   const char *ciphers;   // Cipher list
   struct mg_str srvname; // If not empty, enables server name verification
 };
+```
+
+TLS initialisation structure:
+- `ca` - Certificate Authority. Can be a filename, or a string. Used to verify
+  a certificate that other end sends to us. If NULL, then certificate checking
+  is disabled
+- `cert` - our own certificate. Can be a filename, or a string. If NULL, then
+  we don't authenticate with the other peer
+- `certkey` - a key for a `cert`. Sometimes, a certificate and its key are
+  bundled in a single .pem file, in which case the values for `cert` and
+  `certkey` could be the same
+- `ciphers` - a list of allowed ciphers
+- `srvname` - enable server name verification
+
+
+NOTE: if both `ca` and `cert` are set, then so-called two-way TLS is enabled,
+when both sides authenticate with each other. Usually, server-side connections
+set both `ca` and `cert`, whilst client-side - only `ca`.
+
+### mg\_tls\_init()
+
+```c
 int mg_tls_init(struct mg_connection *c, struct mg_tls_opts *opts);
 ```
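Review bot: The NOTE closing the new field list contradicts the `ca` and `cert` bullets above it: it says servers usually set both `ca` and `cert` while clients set only `ca`, but by the `cert` bullet a client with a NULL `cert` does not authenticate itself, so a server that sets `ca` would be verifying a certificate the client never presents. Suggest describing the two cases separately: for one-way TLS the server sets `cert` and `certkey` and the client sets `ca`; for two-way TLS both sides set `ca`, `cert` and `certkey`. The `ca` bullet should also say more than "certificate checking is disabled", since with `ca` NULL the peer is not authenticated at all. The `srvname` bullet should say what name is checked and that an empty value leaves the check off, as the struct comment already does.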