diff --git a/nfpm/zrok-share.env b/nfpm/zrok-share.env
index 389e819a..7b9efca1 100644
--- a/nfpm/zrok-share.env
+++ b/nfpm/zrok-share.env
@@ -3,9 +3,8 @@
 #
 ## ZROK ENVIRONMENT
 #
-# You MUST enable a zrok environment. You MAY set the environment enable token here, or run
-# /opt/openziti/bin/zrok-enable.bash as root for an interactive prompt to avoid saving the enable token to disk. Obtain
-# the enable token from the zrok console after accepting your invitation and creating a password.
+# You MUST enable a zrok environment by setting the environment enable token here. This file must be readable by
+# 'other'.  Obtain the enable token from the zrok console after accepting your invitation and creating a password.
 #
 # WARNING: changing these values has no effect if /var/lib/zrok-share/.zrok/environment.json exists. Remove that file to
 # enable a new environment and /var/lib/zrok-share/.zrok/reserved.json to provision a new frontend URL for the specified
@@ -18,7 +17,7 @@ ZROK_ENABLE_TOKEN=""
 #
 ZROK_ENVIRONMENT_NAME=""
 
-# set if self-hosting zrok
+# You MUST set this only if self-hosting the zrok controller.
 #ZROK_API_ENDPOINT="https://api.zrok.io"
 
 #
@@ -31,7 +30,7 @@ ZROK_ENVIRONMENT_NAME=""
 #
 # backend-mode "proxy" (default): share a backend web server URL that's reachable by this host; must begin with 'http://' or
 # 'https://'; must accept the HOST header of the proxy frontend. Check out backend mode "caddy" if you need more control.
-ZROK_TARGET=""  # e.g., http://127.0.0.1:3000
+ZROK_TARGET=""                  # e.g., http://127.0.0.1:3000
 ZROK_BACKEND_MODE="proxy"
 # if defined, an https share's backend server certificate will not be verified with backend-mode 'proxy'
 # NOTE: changing this value does not require provisioning a new frontend URL