diff --git a/Makefile b/Makefile
index 771c9dc3..654bfc7e 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-version := "v2.1.0"
+version := "v3.0.0"
 
 commit := $(shell git rev-parse --short HEAD)
 
diff --git a/docs/sso_config.md b/docs/sso_config.md
index bce3194b..21be1df5 100644
--- a/docs/sso_config.md
+++ b/docs/sso_config.md
@@ -138,22 +138,22 @@ There are four configuration options that can be set as environment variables re
 of sso proxy when it authenticates with sso authenticator.
 
 
-The **session_valid_ttl** option controls the amount of time it will take for
+The **session\_ttl\_valid** option controls the amount of time it will take for
 `sso_proxy` to pick up on authentication changes in the 3rd party provider
 (e.g. revoked access, group membership updates).  Once expired, `sso_proxy`
 will make an _internal request_ to `sso_auth` (i.e. invisible to the
 end user) to revalidate & refresh the session.
 
-The **session_lifetime_ttl** option controls the maximum lifetime of a
+The **sessioni\_ttl\_lifetime** option controls the maximum lifetime of a
 `sso_proxy` session, after which a user will be 301 redirected to
 `sso_auth` to go through the 3rd party OAuth2 flow again.
 
-The **cookie_expire** option controls the maximum lifetime of the `sso_proxy`
+The **session\_cookie\_expire** option controls the maximum lifetime of the `sso_proxy`
 cookie stored by a user's web browser, after which a user will also be 301
 redirected to `sso_auth` to go through the 3rd party OAuth2 flow
 again.
 
-The **grace_period_ttl** option controls the duration of the grace period that
+The **session\_ttl\_graceperiod** option controls the duration of the grace period that
 `sso_proxy` grants to existing sessions in the event that `sso_auth`'s
 upstream provider is unavailable. `sso_proxy` starts this grace period whenever
 `sso_auth` returns either a `429 Too Many Requests` or `503 Service
@@ -163,11 +163,11 @@ honored as valid. The grace period ends either after the TTL expires or when
 
 ##### Notes
 
-* For now, the `cookie_expire` value should be greater than or equal to the
+* For now, the `session_cookie_expire` value should be greater than or equal to the
   `session_lifetime_ttl` value. In the future, we should remove the separate
   `cookie_expire` option altogether and just rely on `session_lifetime_ttl`.
 
-* The value of `session_valid_ttl` has a direct impact on the number of
+* The value of `session_ttl_valid` has a direct impact on the number of
   requests we will make to the 3rd party authentication provider, as requests
   to re-validate a user's permissions will be made every time it expires. Tune
   this value to balance between responsiveness to permission changes and
@@ -176,7 +176,7 @@ honored as valid. The grace period ends either after the TTL expires or when
   See [Google service accounts](#google-service-accounts) below to
   check API usage and quotas.
 
-* The grace period defined by `grace_period_ttl` is granted on a per-user basis,
+* The grace period defined by `session_ttl_graceperiod` is granted on a per-user basis,
   starting from the first failure to authenticate.
 
 ### Websockets
diff --git a/quickstart/docker-compose.yml b/quickstart/docker-compose.yml
index 221d75e0..3ce1ab6b 100644
--- a/quickstart/docker-compose.yml
+++ b/quickstart/docker-compose.yml
@@ -29,14 +29,13 @@ services:
     entrypoint: /bin/sso-proxy
     environment:
       # Allow any google account to log in for demo purposes
-      - DEFAULT_ALLOWED_EMAIL_DOMAINS=*
+      - UPSTREAM_DEFAULT_EMAIL_DOMAINS=*
 
       # (Optional) Allow specific google email address to log in for demo purposes
-      # This overrides DEFAULT_ALLOWED_EMAIL_DOMAIN
-      # - DEFAULT_ALLOWED_EMAIL_ADDRESSES=*
+      # - UPSTREAM_DEFAULT_EMAIL_ADDRESSES=*
 
-      - UPSTREAM_CONFIGS=/sso/upstream_configs.yml
-      - PROVIDER_URL=http://sso-auth.localtest.me
+      - UPSTREAM_CONFIGSFILE=/sso/upstream_configs.yml
+      - PROVIDER_URL_EXTERNAL=http://sso-auth.localtest.me
       - PROVIDER_URL_INTERNAL=http://host.docker.internal
 
       # CLIENT_ID and CLIENT_SECRET must match sso-auth's PROXY_CLIENT_ID and
@@ -49,15 +48,15 @@ services:
       #     openssl rand -base64 32
       #
       # to generate your own.
-      - COOKIE_SECRET=WEl0Y054TXNUN2ltTWRkazZ0YmNpRTlucXBPQUY2VHU=
+      - SESSION_COOKIE_SECRET=WEl0Y054TXNUN2ltTWRkazZ0YmNpRTlucXBPQUY2VHU=
 
       # Disable https for demo purposes
-      - COOKIE_SECURE=false
+      - SESSION_COOKIE_SECURE=false
 
       # TODO: these config values should probably have defaults
       - CLUSTER=dev
-      - STATSD_HOST=127.0.0.1
-      - STATSD_PORT=8125
+      - METRICS_STATSD_HOST=127.0.0.1
+      - METRICS_STATSD_PORT=8125
 
       # Tells nginx-proxy service how to route requests to this service
       - VIRTUAL_HOST=*.sso.localtest.me
diff --git a/scripts/dist.sh b/scripts/dist.sh
index d1960ce3..8c40e48d 100755
--- a/scripts/dist.sh
+++ b/scripts/dist.sh
@@ -12,7 +12,7 @@ rm -rf   $DIR/dist
 mkdir -p $DIR/dist
 
 arch=$(go env GOARCH)
-version='2.1.0'
+version='3.0.0'
 goversion=$(go version | awk '{print $3}')
 
 echo "... building v$version for $linux/$arch"