diff --git a/cmd/app.go b/cmd/app.go
index 7b8ffd84..af5d8b81 100644
--- a/cmd/app.go
+++ b/cmd/app.go
@@ -14,6 +14,11 @@ var (
 	defaultClientUserConfigFile = "~/.config/ntfy/client.yml"
 )
 
+const (
+	categoryClient = "Client-side commands"
+	categoryServer = "Server-side commands"
+)
+
 // New creates a new CLI application
 func New() *cli.App {
 	return &cli.App{
@@ -29,10 +34,13 @@ func New() *cli.App {
 		Before:                 initConfigFileInputSource("config", flagsServe), // DEPRECATED, see deprecation notice
 		Flags:                  flagsServe,                                      // DEPRECATED, see deprecation notice
 		Commands: []*cli.Command{
+			// Server commands
 			cmdServe,
+			cmdUser,
+
+			// Client commands
 			cmdPublish,
 			cmdSubscribe,
-			cmdUser,
 		},
 	}
 }
diff --git a/cmd/publish.go b/cmd/publish.go
index 89e2ca90..b22ddbd6 100644
--- a/cmd/publish.go
+++ b/cmd/publish.go
@@ -17,6 +17,7 @@ var cmdPublish = &cli.Command{
 	Usage:     "Send message via a ntfy server",
 	UsageText: "ntfy send [OPTIONS..] TOPIC [MESSAGE]",
 	Action:    execPublish,
+	Category:  categoryClient,
 	Flags: []cli.Flag{
 		&cli.StringFlag{Name: "config", Aliases: []string{"c"}, Usage: "client config file"},
 		&cli.StringFlag{Name: "title", Aliases: []string{"t"}, Usage: "message title"},
diff --git a/cmd/serve.go b/cmd/serve.go
index 670da409..67c56eb4 100644
--- a/cmd/serve.go
+++ b/cmd/serve.go
@@ -25,7 +25,7 @@ var flagsServe = []cli.Flag{
 	altsrc.NewStringFlag(&cli.StringFlag{Name: "cache-file", Aliases: []string{"C"}, EnvVars: []string{"NTFY_CACHE_FILE"}, Usage: "cache file used for message caching"}),
 	altsrc.NewDurationFlag(&cli.DurationFlag{Name: "cache-duration", Aliases: []string{"b"}, EnvVars: []string{"NTFY_CACHE_DURATION"}, Value: server.DefaultCacheDuration, Usage: "buffer messages for this time to allow `since` requests"}),
 	altsrc.NewStringFlag(&cli.StringFlag{Name: "auth-file", Aliases: []string{"H"}, EnvVars: []string{"NTFY_AUTH_FILE"}, Usage: "auth database file used for access control"}),
-	altsrc.NewStringFlag(&cli.StringFlag{Name: "auth-default-permissions", Aliases: []string{"p"}, EnvVars: []string{"NTFY_AUTH_DEFAULT_PERMISSIONS"}, Value: "read-write", Usage: "default permissions if no matching entries in the auth database are found"}),
+	altsrc.NewStringFlag(&cli.StringFlag{Name: "auth-default-access", Aliases: []string{"p"}, EnvVars: []string{"NTFY_AUTH_DEFAULT_ACCESS"}, Value: "read-write", Usage: "default permissions if no matching entries in the auth database are found"}),
 	altsrc.NewStringFlag(&cli.StringFlag{Name: "attachment-cache-dir", EnvVars: []string{"NTFY_ATTACHMENT_CACHE_DIR"}, Usage: "cache directory for attached files"}),
 	altsrc.NewStringFlag(&cli.StringFlag{Name: "attachment-total-size-limit", Aliases: []string{"A"}, EnvVars: []string{"NTFY_ATTACHMENT_TOTAL_SIZE_LIMIT"}, DefaultText: "5G", Usage: "limit of the on-disk attachment cache"}),
 	altsrc.NewStringFlag(&cli.StringFlag{Name: "attachment-file-size-limit", Aliases: []string{"Y"}, EnvVars: []string{"NTFY_ATTACHMENT_FILE_SIZE_LIMIT"}, DefaultText: "15M", Usage: "per-file attachment size limit (e.g. 300k, 2M, 100M)"}),
@@ -55,6 +55,7 @@ var cmdServe = &cli.Command{
 	Usage:     "Run the ntfy server",
 	UsageText: "ntfy serve [OPTIONS..]",
 	Action:    execServe,
+	Category:  categoryServer,
 	Flags:     flagsServe,
 	Before:    initConfigFileInputSource("config", flagsServe),
 	Description: `Run the ntfy server and listen for incoming requests
@@ -83,7 +84,7 @@ func execServe(c *cli.Context) error {
 	cacheFile := c.String("cache-file")
 	cacheDuration := c.Duration("cache-duration")
 	authFile := c.String("auth-file")
-	authDefaultPermissions := c.String("auth-default-permissions")
+	authDefaultAccess := c.String("auth-default-access")
 	attachmentCacheDir := c.String("attachment-cache-dir")
 	attachmentTotalSizeLimitStr := c.String("attachment-total-size-limit")
 	attachmentFileSizeLimitStr := c.String("attachment-file-size-limit")
@@ -130,13 +131,13 @@ func execServe(c *cli.Context) error {
 		return errors.New("if attachment-cache-dir is set, base-url must also be set")
 	} else if baseURL != "" && !strings.HasPrefix(baseURL, "http://") && !strings.HasPrefix(baseURL, "https://") {
 		return errors.New("if set, base-url must start with http:// or https://")
-	} else if !util.InStringList([]string{"read-write", "read-only", "deny-all"}, authDefaultPermissions) {
-		return errors.New("if set, auth-default-permissions must start set to 'read-write', 'read-only' or 'deny-all'")
+	} else if !util.InStringList([]string{"read-write", "read-only", "deny-all"}, authDefaultAccess) {
+		return errors.New("if set, auth-default-access must start set to 'read-write', 'read-only' or 'deny-all'")
 	}
 
 	// Default auth permissions
-	authDefaultRead := authDefaultPermissions == "read-write" || authDefaultPermissions == "read-only"
-	authDefaultWrite := authDefaultPermissions == "read-write"
+	authDefaultRead := authDefaultAccess == "read-write" || authDefaultAccess == "read-only"
+	authDefaultWrite := authDefaultAccess == "read-write"
 
 	// Special case: Unset default
 	if listenHTTP == "-" {
diff --git a/cmd/subscribe.go b/cmd/subscribe.go
index 17498030..b5a56933 100644
--- a/cmd/subscribe.go
+++ b/cmd/subscribe.go
@@ -19,6 +19,7 @@ var cmdSubscribe = &cli.Command{
 	Usage:     "Subscribe to one or more topics on a ntfy server",
 	UsageText: "ntfy subscribe [OPTIONS..] [TOPIC]",
 	Action:    execSubscribe,
+	Category:  categoryClient,
 	Flags: []cli.Flag{
 		&cli.StringFlag{Name: "config", Aliases: []string{"c"}, Usage: "client config file"},
 		&cli.StringFlag{Name: "since", Aliases: []string{"s"}, Usage: "return events since `SINCE` (Unix timestamp, or all)"},
diff --git a/cmd/user.go b/cmd/user.go
index 40f83aec..07f21b46 100644
--- a/cmd/user.go
+++ b/cmd/user.go
@@ -32,7 +32,7 @@ dabbling for CLI
 var flagsUser = []cli.Flag{
 	&cli.StringFlag{Name: "config", Aliases: []string{"c"}, EnvVars: []string{"NTFY_CONFIG_FILE"}, Value: "/etc/ntfy/server.yml", DefaultText: "/etc/ntfy/server.yml", Usage: "config file"},
 	altsrc.NewStringFlag(&cli.StringFlag{Name: "auth-file", Aliases: []string{"H"}, EnvVars: []string{"NTFY_AUTH_FILE"}, Usage: "auth database file used for access control"}),
-	altsrc.NewStringFlag(&cli.StringFlag{Name: "auth-default-permissions", Aliases: []string{"p"}, EnvVars: []string{"NTFY_AUTH_DEFAULT_PERMISSIONS"}, Value: "read-write", Usage: "default permissions if no matching entries in the auth database are found"}),
+	altsrc.NewStringFlag(&cli.StringFlag{Name: "auth-default-access", Aliases: []string{"p"}, EnvVars: []string{"NTFY_AUTH_DEFAULT_ACCESS"}, Value: "read-write", Usage: "default permissions if no matching entries in the auth database are found"}),
 }
 
 var cmdUser = &cli.Command{
@@ -41,6 +41,7 @@ var cmdUser = &cli.Command{
 	UsageText: "ntfy user [add|del|...] ...",
 	Flags:     flagsUser,
 	Before:    initConfigFileInputSource("config", flagsUser),
+	Category:  categoryServer,
 	Subcommands: []*cli.Command{
 		{
 			Name:    "add",
@@ -127,16 +128,16 @@ func execUserChangePass(c *cli.Context) error {
 
 func createAuthManager(c *cli.Context) (auth.Manager, error) {
 	authFile := c.String("auth-file")
-	authDefaultPermissions := c.String("auth-default-permissions")
+	authDefaultAccess := c.String("auth-default-access")
 	if authFile == "" {
 		return nil, errors.New("option auth-file not set; auth is unconfigured for this server")
 	} else if !util.FileExists(authFile) {
 		return nil, errors.New("auth-file does not exist; please start the server at least once to create it")
-	} else if !util.InStringList([]string{"read-write", "read-only", "deny-all"}, authDefaultPermissions) {
-		return nil, errors.New("if set, auth-default-permissions must start set to 'read-write', 'read-only' or 'deny-all'")
+	} else if !util.InStringList([]string{"read-write", "read-only", "deny-all"}, authDefaultAccess) {
+		return nil, errors.New("if set, auth-default-access must start set to 'read-write', 'read-only' or 'deny-all'")
 	}
-	authDefaultRead := authDefaultPermissions == "read-write" || authDefaultPermissions == "read-only"
-	authDefaultWrite := authDefaultPermissions == "read-write"
+	authDefaultRead := authDefaultAccess == "read-write" || authDefaultAccess == "read-only"
+	authDefaultWrite := authDefaultAccess == "read-write"
 	return auth.NewSQLiteAuth(authFile, authDefaultRead, authDefaultWrite)
 }