diff --git a/app.go b/app.go
index a375165d..26d7b953 100644
--- a/app.go
+++ b/app.go
@@ -61,6 +61,10 @@ const (
 errUnsupportedLetsEncryptChallengeType = Error(
 "unknown value for Lets Encrypt challenge type",
 )
+
+ DisabledClientAuth = "disabled"
+ RelaxedClientAuth = "relaxed"
+ EnforcedClientAuth = "enforced"
 )
 
 // Config contains the initial Headscale configuration.
@@ -647,19 +651,19 @@ func (h *Headscale) getTLSSettings() (*tls.Config, error) {
 }
 
 var clientAuthMode tls.ClientAuthType
- if h.cfg.TLSClientAuthMode == "disabled" {
+ switch h.cfg.TLSClientAuthMode {
+ case DisabledClientAuth:
 // Client cert is _not_ required.
 clientAuthMode = tls.NoClientCert
- } else if h.cfg.TLSClientAuthMode == "relaxed" {
- // Client cert required, but not verified.
+ case RelaxedClientAuth:
+ // Client cert required, but _not verified_.
 clientAuthMode = tls.RequireAnyClientCert
- } else if h.cfg.TLSClientAuthMode == "enforced" {
- // Client cert is required and verified.
+ case EnforcedClientAuth:
+ // Client cert is _required and verified_.
 clientAuthMode = tls.RequireAndVerifyClientCert
- } else {
- return nil, errors.New(
- "Invalid tls_clientAuthMode provided: " +
- h.cfg.TLSClientAuthMode)
+ default:
+ return nil, Error("Invalid tls_client_auth_mode provided: " +
+ h.cfg.TLSClientAuthMode)
 }
 
 log.Info().Msg(fmt.Sprintf(
diff --git a/docs/tls.md b/docs/tls.md
index f8818ce8..19cf16a6 100644
--- a/docs/tls.md
+++ b/docs/tls.md
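Review bot: In the new `default:` branch of getTLSSettings the error string starts with a capital and splices the raw config value in unquoted, so an empty or whitespace-only `tls_client_auth_mode` yields a message that looks truncated; `return nil, Error(fmt.Sprintf("invalid tls_client_auth_mode provided: %q", h.cfg.TLSClientAuthMode))` keeps the Error type callers may compare against while making the bad value visible (fmt is already used two lines later). This also replaces the only visible `errors.New` call, so check that the `errors` import in app.go is still used elsewhere, otherwise the file no longer compiles — the import block is outside this hunk. The three exported constants added in the first hunk (DisabledClientAuth, RelaxedClientAuth, EnforcedClientAuth) have no doc comments; each exported name should get one, e.g. `// RelaxedClientAuth requires a client certificate but does not verify it (tls.RequireAnyClientCert).` getTLSSettings begins and ends outside the hunk; note that the match is exact and case-sensitive, so any unrecognised value still returns an error rather than silently falling back to no client authentication, which is the right fail-closed default.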
@@ -37,14 +37,12 @@ using TLS certificates.
 The capability can be configured by by applying one of the following values to the `tls_client_auth_mode` setting in the configuration file.
 
-| Value | Behavior |
-| ----- | -------- |
-| `disabled` | Disable mTLS (default). |
-| `relaxed` | A client certificate is required, but it is not verified. |
+| Value | Behavior |
+| ---------- | ---------------------------------------------------------- |
+| `disabled` | Disable mTLS (default). |
+| `relaxed` | A client certificate is required, but it is not verified. |
 | `enforced` | Requires clients to supply a certificate that is verified. |
-
 ```yaml
 tls_client_auth_mode: ""
 ```
-