+`next-id`: `[lower=<integer>] [,upper=<integer>]` ::
+
+Control the range for the free VMID auto-selection pool.
+
+`lower`=`<integer>` ('default =' `100`);;
+
+Lower, inclusive boundary for free next-id API range.
+
+`upper`=`<integer>` ('default =' `1000000`);;
+
+Upper, exclusive boundary for free next-id API range.
+
+`registered-tags`: `<tag>[;<tag>...]` ::
+
+A list of tags that require a `Sys.Modify` on '/' to set and delete. Tags set here that are also in 'user-tag-access' also require `Sys.Modify`.
+
+`tag-style`: `[case-sensitive=<1|0>] [,color-map=<tag>:<hex-color>[:<hex-color-for-text>][;<tag>=...]] [,ordering=<config|alphabetical>] [,shape=<enum>]` ::
+
+Tag style options.
+
+`case-sensitive`=`<boolean>` ('default =' `0`);;
+
+Controls if filtering for unique tags on update should check case-sensitive.
+
+`color-map`=`<tag>:<hex-color>[:<hex-color-for-text>][;<tag>=...]` ;;
+
+Manual color mapping for tags (semicolon separated).
+
+`ordering`=`<alphabetical | config>` ('default =' `alphabetical`);;
+
+Controls the sorting of the tags in the web-interface and the API update.
+
+`shape`=`<circle | dense | full | none>` ('default =' `circle`);;
+
+Tag shape for the web ui tree. 'full' draws the full tag. 'circle' draws only a circle with the background color. 'dense' only draws a small rectancle (useful when many tags are assigned to each guest).'none' disables showing the tags.
+
+`u2f`: `[appid=<APPID>] [,origin=<URL>]` ::
+
+u2f
+
+`appid`=`<APPID>` ;;
+
+U2F AppId URL override. Defaults to the origin.
+
+`origin`=`<URL>` ;;
+
+U2F Origin override. Mostly useful for single nodes with a single URL.
+
+`user-tag-access`: `[user-allow=<enum>] [,user-allow-list=<tag>[;<tag>...]]` ::
+
+Privilege options for user-settable tags
+
+`user-allow`=`<existing | free | list | none>` ('default =' `free`);;
+
+Controls which tags can be set or deleted on resources a user controls (such as guests). Users with the `Sys.Modify` privilege on `/` are always unrestricted. 'none' no tags are usable. 'list' tags from 'user-allow-list' are usable. 'existing' like list, but already existing tags of resources are also usable.'free' no tag restrictions.
+
+`user-allow-list`=`<tag>[;<tag>...]` ;;
+
+List of tags users are allowed to set and delete (semicolon separated) for 'user-allow' values 'list' and 'existing'.
+
+`webauthn`: `[allow-subdomains=<1|0>] [,id=<DOMAINNAME>] [,origin=<URL>] [,rp=<RELYING_PARTY>]` ::
+
+webauthn configuration
+
+`allow-subdomains`=`<boolean>` ('default =' `1`);;
+
+Whether to allow the origin to be a subdomain, rather than the exact URL.
+
+`id`=`<DOMAINNAME>` ;;
+
+Relying party ID. Must be the domain name without protocol, port or location. Changing this *will* break existing credentials.
+
+`origin`=`<URL>` ;;
+
+Site origin. Must be a `https://` URL (or `http://localhost`). Should contain the address users type in their browsers to access the web interface. Changing this *may* break existing credentials.
+
+`rp`=`<RELYING_PARTY>` ;;
+
+Relying party name. Any text identifier. Changing this *may* break existing credentials.
+