diff --git a/deploy/examples/metacrypt-docker.toml b/deploy/examples/metacrypt-docker.toml
index 68c2eaf..699e4a1 100644
--- a/deploy/examples/metacrypt-docker.toml
+++ b/deploy/examples/metacrypt-docker.toml
@@ -3,9 +3,16 @@
 
 [server]
 listen_addr = ":8443"
+grpc_addr = ":9443"
 tls_cert = "/srv/metacrypt/certs/server.crt"
 tls_key = "/srv/metacrypt/certs/server.key"
 
+[web]
+# metacrypt-web connects to the vault container by its compose service name.
+listen_addr = ":8080"
+vault_grpc = "metacrypt:9443"
+vault_ca_cert = "/srv/metacrypt/certs/server.crt"
+
 [database]
 path = "/srv/metacrypt/metacrypt.db"
 
diff --git a/deploy/examples/metacrypt.toml b/deploy/examples/metacrypt.toml
index 86ae8b4..46d6178 100644
--- a/deploy/examples/metacrypt.toml
+++ b/deploy/examples/metacrypt.toml
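Review bot: In deploy/examples/metacrypt-docker.toml the new `[web]` section points `vault_ca_cert` at the vault's own `server.crt`, which lives in the same `/srv/metacrypt/certs` directory as `server.key`. If the metacrypt-web container receives that directory through a shared volume (the compose file is not part of this diff, so this is an assumption), the UI container can read the vault's TLS private key; mount only the certificate or a separate CA file into it, read-only. A comment above `vault_grpc` would help operators: `# The vault certificate must list "metacrypt" as a SAN, or gRPC TLS verification will fail` (unless metacrypt-web overrides the expected server name). The section also sets no `tls_cert`/`tls_key`, so going by the comments in metacrypt.toml the UI serves plain HTTP on `:8080`; a comment should say that this port is meant to be published only to the reverse proxy.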
@@ -5,10 +5,33 @@
 # Address to listen on. Use "0.0.0.0:8443" to listen on all interfaces.
 listen_addr = ":8443"
 
+# gRPC address for metacrypt-web to connect to. Required if running the
+# standalone web UI server.
+grpc_addr = ":9443"
+
 # TLS certificate and key. Metacrypt always terminates TLS.
 tls_cert = "/srv/metacrypt/certs/server.crt"
 tls_key = "/srv/metacrypt/certs/server.key"
 
+# Public base URL used in ACME directory responses.
+# external_url = "https://metacrypt.example.com"
+
+[web]
+# Address for the standalone web UI server (metacrypt-web) to listen on.
+listen_addr = ":8080"
+
+# gRPC address of the vault (must match server.grpc_addr above).
+vault_grpc = "127.0.0.1:9443"
+
+# CA certificate used to verify the vault's gRPC TLS certificate.
+# Required if the vault uses a self-signed or private CA cert.
+vault_ca_cert = "/srv/metacrypt/certs/server.crt"
+
+# TLS for the web UI itself. Leave empty to run plain HTTP behind a
+# reverse proxy, or set both to terminate TLS directly.
+# tls_cert = "/srv/metacrypt/certs/web.crt"
+# tls_key = "/srv/metacrypt/certs/web.key"
+
 [database]
 # SQLite database path. Created automatically on first run.
 # The directory must be writable by the metacrypt user.
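Review bot: The example gives both new listeners a host-less address (`grpc_addr = ":9443"`, `[web] listen_addr = ":8080"`), although the web UI reaches the vault over loopback (`vault_grpc = "127.0.0.1:9443"`) and runs without TLS unless the commented `tls_cert`/`tls_key` are set. Assuming the host-less form binds every interface, copying this file as-is exposes the vault's gRPC API and a plain-HTTP UI beyond the local host. For the co-located layout shown here I would default to `grpc_addr = "127.0.0.1:9443"` and `listen_addr = "127.0.0.1:8080"`, with a comment that a wider bind address is only for a UI on another host or one that terminates TLS itself. The `vault_ca_cert` comment could also state that pointing it at `server.crt` works only when that certificate is self-signed, and that a private-CA setup needs the CA certificate path instead.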