diff --git a/README.md b/README.md
index 9a42b1a..5d2f35d 100644
--- a/README.md
+++ b/README.md
@@ -131,7 +131,7 @@ Application Options:
   --url-path=                                           Callback URL Path (default: /_oauth) [$URL_PATH]
   --secret=                                             Secret used for signing (required) [$SECRET]
   --whitelist=                                          Only allow given email addresses, can be set multiple times [$WHITELIST]
-  --rules.<name>.<param>=                               Rule definitions, param can be: "action" or "rule"
+  --rule.<name>.<param>=                               Rule definitions, param can be: "action" or "rule"
 
 Google Provider:
   --providers.google.client-id=                         Client ID [$PROVIDERS_GOOGLE_CLIENT_ID]
@@ -244,7 +244,7 @@ All options can be supplied in any of the following ways, in the following prece
 
    For more details, please also read [User Restriction](#user-restriction) in the concepts section.
 
-- `rules`
+- `rule`
 
    Specify selective authentication rules. Rules are specified in the following format: `rule.<name>.<param>=<value>`
 
diff --git a/internal/config.go b/internal/config.go
index 5ea19a6..0b745ac 100644
--- a/internal/config.go
+++ b/internal/config.go
@@ -38,7 +38,7 @@ type Config struct {
 	Whitelist      CommaSeparatedList   `long:"whitelist" env:"WHITELIST" description:"Only allow given email addresses, can be set multiple times"`
 
 	Providers provider.Providers `group:"providers" namespace:"providers" env-namespace:"PROVIDERS"`
-	Rules     map[string]*Rule   `long:"rules.<name>.<param>" description:"Rule definitions, param can be: \"action\" or \"rule\""`
+	Rules     map[string]*Rule   `long:"rule.<name>.<param>" description:"Rule definitions, param can be: \"action\" or \"rule\""`
 
 	// Filled during transformations
 	Secret   []byte `json:"-"`