diff --git a/docs/docs/concepts/credentials/openid-connect-oidc-oauth2.mdx b/docs/docs/concepts/credentials/openid-connect-oidc-oauth2.mdx
index 6930561fe9bc..24f417dee86d 100644
--- a/docs/docs/concepts/credentials/openid-connect-oidc-oauth2.mdx
+++ b/docs/docs/concepts/credentials/openid-connect-oidc-oauth2.mdx
@@ -44,70 +44,71 @@ The provider configuration looks as follows:
 selfservice:
   methods:
     oidc:
-      providers:
-        - # REQUIRED - The ID of the provider.
-          # DO NOT change this once this is in use.
-          id: github
-
-          # REQUIRED - The provider you would like to use. ORY Kratos comes with some predefined providers to make
-          # life easier for you, but you can always opt for the "generic" provider, which works
-          # with any Certified OpenID Connect Provider (Google, ORY Hydra, ...):
-          #
-          #   provider: github
-          #   provider: google
-          #   .... more to come
-          #
-          provider: generic
-
-          # REQUIRED - See section "Data Mapping with Jsonnet" for more information.
-          mapper_url: http://mydomain.com/github.schema.json
-
-          # The OAuth2 / OpenID Connect provider will provide you with a OAuth2 Client ID and Client Secret. You need
-          # to set them here:
-          client_id: ...
-          client_secret: ...
-
-          # What scope to request. Usually, this would be something like "profile" or "email".
-          # Please check the documentation of the OAuth2 / OpenID Connect provider to see what's allowed here.
-          scope:
-            - email
-
-          # issuer_url is the OpenID Connect Server URL. You can leave this empty if `provider` is not set to `generic`.
-          # If set, neither `auth_url` nor `token_url` are required.
-          issuer_url: http://openid-connect-provider/
-
-          # auth_url is the authorize url, typically something like: https://example.org/oauth2/auth
-          # Should only be used when the OAuth2 / OpenID Connect server is not supporting OpenID Connect Discovery and when
-          # `provider` is set to `generic`.
-          auth_url: http://openid-connect-provider/oauth2/auth
-
-          # token_url is the token url, typically something like: https://example.org/oauth2/token
-          # Should only be used when the OAuth2 / OpenID Connect server is not supporting OpenID Connect Discovery and when
-          # `provider` is set to `generic`.
-          token_url: http://openid-connect-provider/oauth2/token
-
-          # requested_claims json object that specifies claims and optionally their properties which should
-          # be included in the id_token or returned from the UserInfo Endpoint.
-          #
-          # More information: https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter
-          requested_claims:
-            userinfo:
-              given_name:
-                essential: true
-              nickname: null
-              email:
-                essential: true
-              email_verified:
-                essential: true
-              picture: null
-              http://example/info/claims/groups: null
-            id_token:
-              auth_time:
-                essential: true
-              acr:
-                values: ['urn:mace:incommon:iap:silver']
-              sub:
-                value: 248289761001
+      config:
+        providers:
+          - # REQUIRED - The ID of the provider.
+            # DO NOT change this once this is in use.
+            id: github
+
+            # REQUIRED - The provider you would like to use. ORY Kratos comes with some predefined providers to make
+            # life easier for you, but you can always opt for the "generic" provider, which works
+            # with any Certified OpenID Connect Provider (Google, ORY Hydra, ...):
+            #
+            #   provider: github
+            #   provider: google
+            #   .... more to come
+            #
+            provider: generic
+
+            # REQUIRED - See section "Data Mapping with Jsonnet" for more information.
+            mapper_url: http://mydomain.com/github.schema.json
+
+            # The OAuth2 / OpenID Connect provider will provide you with a OAuth2 Client ID and Client Secret. You need
+            # to set them here:
+            client_id: ...
+            client_secret: ...
+
+            # What scope to request. Usually, this would be something like "profile" or "email".
+            # Please check the documentation of the OAuth2 / OpenID Connect provider to see what's allowed here.
+            scope:
+              - email
+
+            # issuer_url is the OpenID Connect Server URL. You can leave this empty if `provider` is not set to `generic`.
+            # If set, neither `auth_url` nor `token_url` are required.
+            issuer_url: http://openid-connect-provider/
+
+            # auth_url is the authorize url, typically something like: https://example.org/oauth2/auth
+            # Should only be used when the OAuth2 / OpenID Connect server is not supporting OpenID Connect Discovery and when
+            # `provider` is set to `generic`.
+            auth_url: http://openid-connect-provider/oauth2/auth
+
+            # token_url is the token url, typically something like: https://example.org/oauth2/token
+            # Should only be used when the OAuth2 / OpenID Connect server is not supporting OpenID Connect Discovery and when
+            # `provider` is set to `generic`.
+            token_url: http://openid-connect-provider/oauth2/token
+
+            # requested_claims json object that specifies claims and optionally their properties which should
+            # be included in the id_token or returned from the UserInfo Endpoint.
+            #
+            # More information: https://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter
+            requested_claims:
+              userinfo:
+                given_name:
+                  essential: true
+                nickname: null
+                email:
+                  essential: true
+                email_verified:
+                  essential: true
+                picture: null
+                http://example/info/claims/groups: null
+              id_token:
+                auth_time:
+                  essential: true
+                acr:
+                  values: ['urn:mace:incommon:iap:silver']
+                sub:
+                  value: 248289761001
 ```
 
 :::info
@@ -144,14 +145,15 @@ referencing that in your ORY Kratos config file:
 selfservice:
   methods:
     oidc:
-      providers:
-        - id: github
-          # ...
-          mapper_url: file://path/to/my/kratos/github.data-mapper.jsonnet
-          # You can also load this from a HTTP(S) source:
-          mapper_url: https://domain.com/path/to/my/kratos/github.data-mapper.jsonnet
-          # Or inline it using base64 encoding:
-          mapper_url: base64://bG9jYWwgY2xhaW1zID0gc3RkLmV4dFZhcignY2xhaW1zJyk7CmlmIHN0ZC5sZW5ndGgoY2xhaW1zLnN1YikgPT0gMCB0aGVuCiAgZXJyb3IgJ2NsYWltIHN1YiBub3Qgc2V0JwplbHNlCiAgewogICAgaWRlbnRpdHk6IHsKICAgICAgdHJhaXRzOiB7CiAgICAgICAgZW1haWw6IGNsYWltcy5zdWIsCiAgICAgICAgW2lmICJ3ZWJzaXRlIiBpbiBjbGFpbXMgdGhlbiAid2Vic2l0ZSIgZWxzZSBudWxsXTogY2xhaW1zLndlYnNpdGUsCiAgICAgIH0sCiAgICB9LAogIH0=
+      config:
+        providers:
+          - id: github
+            # ...
+            mapper_url: file://path/to/my/kratos/github.data-mapper.jsonnet
+            # You can also load this from a HTTP(S) source:
+            mapper_url: https://domain.com/path/to/my/kratos/github.data-mapper.jsonnet
+            # Or inline it using base64 encoding:
+            mapper_url: base64://bG9jYWwgY2xhaW1zID0gc3RkLmV4dFZhcignY2xhaW1zJyk7CmlmIHN0ZC5sZW5ndGgoY2xhaW1zLnN1YikgPT0gMCB0aGVuCiAgZXJyb3IgJ2NsYWltIHN1YiBub3Qgc2V0JwplbHNlCiAgewogICAgaWRlbnRpdHk6IHsKICAgICAgdHJhaXRzOiB7CiAgICAgICAgZW1haWw6IGNsYWltcy5zdWIsCiAgICAgICAgW2lmICJ3ZWJzaXRlIiBpbiBjbGFpbXMgdGhlbiAid2Vic2l0ZSIgZWxzZSBudWxsXTogY2xhaW1zLndlYnNpdGUsCiAgICAgIH0sCiAgICB9LAogIH0=
 ```
 
 ORY Kratos adds an external variable called `claims` to the data mapper. It