diff --git a/docs/csaf_provider.md b/docs/csaf_provider.md
index 74c0587..6e63741 100644
--- a/docs/csaf_provider.md
+++ b/docs/csaf_provider.md
@@ -1,8 +1,27 @@
-`csaf_provider` implements the CGI interface for webservers
+`csaf_provider` implements a CGI interface for webservers
 and reads its configuration from a [TOML](https://toml.io/en/) file.
 The [setup docs](../README.md#setup-trusted-provider)
 explain how to wire this up with nginx and where the config file lives.
 
+When installed, two entpoints are offered,
+and you should use the [csaf_uploader](../docs/csaf_uploader)
+to access them:
+
+### /api/create
+
+Must be called once after all configuration values are set.
+It will write the `provider-metadata.json` and may write
+or update the`security.txt`.
+
+Once the files exist, they will **not** be overwriten
+by additional `create` calls, even if the config values have been changed.
+Changes should happen rarely and can be done manually.
+
+
+### /api/upload
+Called for each upload of a document and will update
+the CSAF structure in the file system accordingly.
+
 
 ## Provider options
 
diff --git a/docs/csaf_uploader.md b/docs/csaf_uploader.md
index c977055..9998351 100644
--- a/docs/csaf_uploader.md
+++ b/docs/csaf_uploader.md
@@ -28,6 +28,9 @@ Help Options:
   -h, --help                                Show this help message
 ```
 E.g. creating the initial directories and files.
+This must only be done once, as subsequent `create` calls to the
+[csaf_provider](../docs/csaf_provider.md)
+may not lead to the desired result.
 
 ```bash
 ./csaf_uploader -a create  -u https://localhost/cgi-bin/csaf_provider.go