diff --git a/infrastructure_files/setup.env.example b/infrastructure_files/setup.env.example
index 391a34b3e..8d8a33c75 100644
--- a/infrastructure_files/setup.env.example
+++ b/infrastructure_files/setup.env.example
@@ -15,19 +15,6 @@ NETBIRD_AUTH_CLIENT_ID=""
 # NETBIRD_AUTH_USER_ID_CLAIM=""
 # indicates whether to use Auth0 or not: true or false
 NETBIRD_USE_AUTH0="false"
-NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="none"
-NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID=""
-# Some IDPs requires different audience, scopes and to use id token for device authorization flow
-# you can customize here:
-NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE=$NETBIRD_AUTH_AUDIENCE
-NETBIRD_AUTH_DEVICE_AUTH_SCOPE="openid"
-NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN=false
-eg. zitadel, auth0, azure, keycloak
-NETBIRD_MGMT_IDP="none"
-# Some IDPs requires different client id and client secret for management api
-NETBIRD_IDP_MGMT_CLIENT_ID=$NETBIRD_AUTH_CLIENT_ID
-NETBIRD_IDP_MGMT_CLIENT_SECRET=""
-
 # if your IDP provider doesn't support fragmented URIs, configure custom
 # redirect and silent redirect URIs, these will be concatenated into your NETBIRD_DOMAIN domain.
 # NETBIRD_AUTH_REDIRECT_URI="/peers"
@@ -35,7 +22,25 @@ NETBIRD_IDP_MGMT_CLIENT_SECRET=""
 # Updates the preference to use id tokens instead of access token on dashboard
 # Okta and Gitlab IDPs can benefit from this
 # NETBIRD_TOKEN_SOURCE="idToken"
-
+# -------------------------------------------
+# OIDC Device Authorization Flow
+# -------------------------------------------
+NETBIRD_AUTH_DEVICE_AUTH_PROVIDER="none"
+NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID=""
+# Some IDPs requires different audience, scopes and to use id token for device authorization flow
+# you can customize here:
+NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE=$NETBIRD_AUTH_AUDIENCE
+NETBIRD_AUTH_DEVICE_AUTH_SCOPE="openid"
+NETBIRD_AUTH_DEVICE_AUTH_USE_ID_TOKEN=false
+# -------------------------------------------
+# IDP Management
+# -------------------------------------------
+# eg. zitadel, auth0, azure, keycloak
+NETBIRD_MGMT_IDP="none"
+# Some IDPs requires different client id and client secret for management api
+NETBIRD_IDP_MGMT_CLIENT_ID=$NETBIRD_AUTH_CLIENT_ID
+NETBIRD_IDP_MGMT_CLIENT_SECRET=""
+# NETBIRD_IDP_MGMT_EXTRA_ variables. See https://docs.netbird.io/selfhosted/identity-providers for more information about your IDP of choice.
 # -------------------------------------------
 # Letsencrypt
 # -------------------------------------------
@@ -44,7 +49,9 @@ NETBIRD_IDP_MGMT_CLIENT_SECRET=""
 NETBIRD_DISABLE_LETSENCRYPT=false
 # e.g. hello@mydomain.com
 NETBIRD_LETSENCRYPT_EMAIL=""
-
+# -------------------------------------------
+# Extra settings
+# -------------------------------------------
 # Disable anonymous metrics collection, see more information at https://netbird.io/docs/FAQ/metrics-collection
 NETBIRD_DISABLE_ANONYMOUS_METRICS=false
 # DNS DOMAIN configures the domain name used for peer resolution. By default it is netbird.selfhosted