diff --git a/doc/source/configuration/configuration.rst b/doc/source/configuration/configuration.rst
index 3327fb22..0398878a 100644
--- a/doc/source/configuration/configuration.rst
+++ b/doc/source/configuration/configuration.rst
@@ -40,9 +40,11 @@ Central Plugin.
    * - ``admin_username`` = ``None``
      - (String) username of admin account, needed when auto_refresh_endpoint set to True.
    * - ``auth_url`` = ``http://127.0.0.1/identity``
-     - (String) keystone authorization url, for example, http://$service_host/identity
+     - (String) keystone authorization url, it's basically the internal or public endpoint of keystone, depends on how
+       the common.client module can reach keystone, for example, http://$service_host/identity
    * - ``identity_url`` = ``http://127.0.0.1/identity/v3``
-     - (String) keystone service url, for example, http://$service_host/identity/v3
+     - [Deprecated] (String) keystone service url, for example, http://$service_host/identity/v3 (this option is not
+       used in code since Pike release, you can simply ignore this option)
    * - ``auto_refresh_endpoint`` = ``True``
      - (Boolean) if set to True, endpoint will be automatically refreshed if timeout accessing endpoint.
    * - ``bridge_cidr`` = ``100.0.0.0/9``
diff --git a/doc/source/install/installation-manual.rst b/doc/source/install/installation-manual.rst
index f1e4b107..f37da3cd 100644
--- a/doc/source/install/installation-manual.rst
+++ b/doc/source/install/installation-manual.rst
@@ -91,6 +91,15 @@ Installation with Central Neutron Server
    Oslo library if you need further configuration of these modules. Change
    keystone_service_host to the address of Keystone service.
 
+.. note:: It's worth explaining the following options that can easily make users confused. **keystone_authtoken.auth_url**
+   is the keystone endpoint url used by services to validate user tokens. **keystone_authtoken.auth_uri** will be put in
+   the "WWW-Authenticate: Keystone uri=%s" header in the 401 response to tell users where they can get authentication.
+   These two URLs can be the same, but sometimes people would like to use an internal URL for auth_url and a public URL
+   for auth_uri. **client.auth_url** is used by the common.client module to construct a client to get authentication and
+   access other services, it can be the either internal or public endpoint of keystone, depends on how the module can
+   reach keystone. **client.identity_url** is no longer used in code since Pike release so you can simply ignore it, we
+   will deprecate and remove this option later.
+
 - 5 Create the Tricircle database(take mysql as an example)::
 
     mysql -uroot -p -e "create database tricircle character set utf8;"