Move Authentication section directly below Using PADD as it impacts both usage scenarios

README.md

@@ -30,6 +30,15 @@ PADD (formerly Chronometer2) is a more expansive version of the original chronom
 
 ## Using PADD
 
+### Authentication
+
+Pi-hole v6 uses a completely new API with a new authentication mechanism
+
+If you run PADD on the same machine as Pi-hole, it's possible to bypass authentication when your local user is member of the `pihole` group (specifically, if you can access `/etc/pihole/cli_pw).
+For details see [https://github.com/pi-hole/FTL/pull/1999](https://github.com/pi-hole/FTL/pull/1999)
+
+If this is not the case, PADD will ask you for your password (`--secret <password>`) and (if configured) your two factor authentication token (`--2fa <2fa>`).
+
 ### PADD on Pi-hole machine
 
 - Just run
@@ -42,29 +51,14 @@ PADD (formerly Chronometer2) is a more expansive version of the original chronom
 
 With PADD v4.0.0 and Pi-hole v6 it is also possible to run PADD from a machine that is not running Pi-hole
 
-  ```bash
-  ./padd.sh --server <DOMAIN|IP>
-  ```
-
-### Authentication
-
-Pi-hole v6 uses a completely new API with a new authentication mechanism
-
-If you run PADD on the same machine as Pi-hole, it's possible to bypass authentication when your local user is member of the `pihole` group (specifically, if you can access `/etc/pihole/cli_pw).
-For details see [https://github.com/pi-hole/FTL/pull/1999](https://github.com/pi-hole/FTL/pull/1999)
-
-If this is not the case, PADD will ask you for your password and (if configured) your two factor authentication token. You can also pass those as arguments
-
 - password only
-
   ```bash
-  ./padd.sh --secret <password>
+  ./padd.sh --server <DOMAIN|IP> --secret <password>
   ```
-
 - with 2FA enabled
 
   ```bash
-  ./padd.sh --secret <password> --2fa <2fa>
+  ./padd.sh --server <DOMAIN|IP> --secret <password> --2fa <2fa>
   ```
 
 ### PADD with Pi-hole in a Docker Container