diff --git a/pkg/config/config.go b/pkg/config/config.go
index e51e45f..7d029a6 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -24,10 +24,6 @@ type Config struct {
 OpenID OpenID `json:"openid"`
 Redis Redis `json:"redis"`
- Features Features `json:"features"`
-}
-
-type Features struct {
 Loginstatus Loginstatus `json:"loginstatus"`
 }
@@ -56,11 +52,11 @@ const (
 SessionMaxLifetime = "session-max-lifetime"
 UpstreamHost = "upstream-host"
- FeaturesLoginstatusEnabled = "features.loginstatus.enabled"
- FeaturesLoginstatusCookieDomain = "features.loginstatus.cookie-domain"
- FeaturesLoginstatusCookieName = "features.loginstatus.cookie-name"
- FeaturesLoginstatusResourceIndicator = "features.loginstatus.resource-indicator"
- FeaturesLoginstatusTokenURL = "features.loginstatus.token-url"
+ LoginstatusEnabled = "loginstatus.enabled"
+ LoginstatusCookieDomain = "loginstatus.cookie-domain"
+ LoginstatusCookieName = "loginstatus.cookie-name"
+ LoginstatusResourceIndicator = "loginstatus.resource-indicator"
+ LoginstatusTokenURL = "loginstatus.token-url"
 )
 func Initialize() (*Config, error) {
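Review bot: The const block drops the `features.loginstatus.*` keys in favour of `loginstatus.*` with no compatibility path, so a deployment that still sets `features.loginstatus.enabled` will silently pick up the flag default of `false` and the loginstatus cookie check is switched off rather than failing loudly; the same applies to the flag registrations in the following Initialize hunk. How these names are bound to files or environment variables is not visible here, so whether old settings are ignored or rejected depends on that layer. If the old keys are not kept as aliases, I'd have Initialize reject or at least log any leftover `features.loginstatus.*` setting, and add a comment above the group such as `// Renamed from "features.loginstatus.*"; deployments still using the old keys get the defaults (loginstatus disabled).` so the behavioural consequence of the rename is recorded next to the keys.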
@@ -78,11 +74,11 @@ func Initialize() (*Config, error) {
 flag.Duration(SessionMaxLifetime, time.Hour, "Max lifetime for user sessions.")
 flag.String(UpstreamHost, "127.0.0.1:8080", "Address of upstream host.")
- flag.Bool(FeaturesLoginstatusEnabled, false, "Feature toggle for Loginstatus, a separate service that should provide an opaque token to indicate that a user has been authenticated previously, e.g. by another application in another subdomain.")
- flag.String(FeaturesLoginstatusCookieDomain, "", "The domain that the cookie should be set for.")
- flag.String(FeaturesLoginstatusCookieName, "", "The name of the cookie.")
- flag.String(FeaturesLoginstatusResourceIndicator, "", "The resource indicator that should be included in the authorization request to get an audience-restricted token that Loginstatus accepts. Empty means no resource indicator.")
- flag.String(FeaturesLoginstatusTokenURL, "", "The URL to the Loginstatus service that returns an opaque token.")
+ flag.Bool(LoginstatusEnabled, false, "Feature toggle for Loginstatus, a separate service that should provide an opaque token to indicate that a user has been authenticated previously, e.g. by another application in another subdomain.")
+ flag.String(LoginstatusCookieDomain, "", "The domain that the cookie should be set for.")
+ flag.String(LoginstatusCookieName, "", "The name of the cookie.")
+ flag.String(LoginstatusResourceIndicator, "", "The resource indicator that should be included in the authorization request to get an audience-restricted token that Loginstatus accepts. Empty means no resource indicator.")
+ flag.String(LoginstatusTokenURL, "", "The URL to the Loginstatus service that returns an opaque token.")
 redisFlags()
 openIDFlags()
diff --git a/pkg/router/handler.go b/pkg/router/handler.go
index 2fd6bc3..028aa73 100644
--- a/pkg/router/handler.go
+++ b/pkg/router/handler.go
@@ -43,7 +43,7 @@ func NewHandler(
 RedirectURL: provider.GetClientConfiguration().GetRedirectURI(),
 Scopes: provider.GetClientConfiguration().GetScopes(),
 }
- loginstatusClient := loginstatus.NewClient(cfg.Features.Loginstatus, http.DefaultClient)
+ loginstatusClient := loginstatus.NewClient(cfg.Loginstatus, http.DefaultClient)
 return &Handler{
 Config: cfg,
diff --git a/pkg/router/handler_callback.go b/pkg/router/handler_callback.go
index 6e6dff8..4935051 100644
--- a/pkg/router/handler_callback.go
+++ b/pkg/router/handler_callback.go
@@ -59,7 +59,7 @@ func (h *Handler) Callback(w http.ResponseWriter, r *http.Request) {
 return
 }
- if h.Config.Features.Loginstatus.Enabled {
+ if h.Config.Loginstatus.Enabled {
 loginstatusToken, err := h.Loginstatus.ExchangeToken(r.Context(), tokens.AccessToken)
 if err != nil {
 h.InternalError(w, r, fmt.Errorf("callback: exchanging loginstatus token: %w", err))
diff --git a/pkg/router/handler_default.go b/pkg/router/handler_default.go
index db68869..e77acf3 100644
--- a/pkg/router/handler_default.go
+++ b/pkg/router/handler_default.go
@@ -20,7 +20,7 @@ func (h *Handler) Default(w http.ResponseWriter, r *http.Request) {
 isAuthenticated = true
 // force new authentication if loginstatus is enabled and cookie isn't set
- if h.Config.Features.Loginstatus.Enabled && !h.Loginstatus.HasCookie(r) {
+ if h.Config.Loginstatus.Enabled && !h.Loginstatus.HasCookie(r) {
 isAuthenticated = false
 }
 }
diff --git a/pkg/router/handler_frontchannellogout.go b/pkg/router/handler_frontchannellogout.go
index 8ea9b5a..c1aec11 100644
--- a/pkg/router/handler_frontchannellogout.go
+++ b/pkg/router/handler_frontchannellogout.go
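Review bot: The rewritten line in NewHandler still hands `http.DefaultClient` to `loginstatus.NewClient`, and that client carries no `Timeout`, so the outbound token exchange against the Loginstatus token URL is bounded only by whatever context the caller passes; the Callback hunk below uses `r.Context()`, which does not necessarily carry a deadline, so a slow or unresponsive Loginstatus service can hold callback handlers open. Since the line is being touched anyway, I'd pass a dedicated client, e.g. `loginstatusClient := loginstatus.NewClient(cfg.Loginstatus, &http.Client{Timeout: 10 * time.Second})` (the duration is a constructed example; make it configurable if the project has a pattern for that, and check that `time` is imported in handler.go). NewHandler's body starts before and continues after this hunk.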
@@ -14,7 +14,7 @@ func (h *Handler) FrontChannelLogout(w http.ResponseWriter, r *http.Request) {
 // Unconditionally destroy all local references to the session.
 h.deleteCookie(w, SessionCookieName, h.CookieOptions)
- if h.Config.Features.Loginstatus.Enabled {
+ if h.Config.Loginstatus.Enabled {
 h.Loginstatus.ClearCookie(w, h.CookieOptions)
 }
diff --git a/pkg/router/handler_logout.go b/pkg/router/handler_logout.go
index a0c7b2b..bfd6d05 100644
--- a/pkg/router/handler_logout.go
+++ b/pkg/router/handler_logout.go
@@ -34,7 +34,7 @@ func (h *Handler) Logout(w http.ResponseWriter, r *http.Request) {
 h.deleteCookie(w, SessionCookieName, h.CookieOptions)
- if h.Config.Features.Loginstatus.Enabled {
+ if h.Config.Loginstatus.Enabled {
 h.Loginstatus.ClearCookie(w, h.CookieOptions)
 }
diff --git a/pkg/router/login_url.go b/pkg/router/login_url.go
index 037900b..a77c17d 100644
--- a/pkg/router/login_url.go
+++ b/pkg/router/login_url.go
@@ -32,8 +32,8 @@ func (h *Handler) LoginURL(r *http.Request, params *openid.LoginParameters) (str
 v.Add("code_challenge", params.CodeChallenge)
 v.Add("code_challenge_method", "S256")
- if h.Config.Features.Loginstatus.NeedsResourceIndicator() {
- v.Add("resource", h.Config.Features.Loginstatus.ResourceIndicator)
+ if h.Config.Loginstatus.NeedsResourceIndicator() {
+ v.Add("resource", h.Config.Loginstatus.ResourceIndicator)
 }
 err = h.withSecurityLevel(r, v)
diff --git a/pkg/router/login_url_test.go b/pkg/router/login_url_test.go
index 6b0d473..2ee8684 100644
--- a/pkg/router/login_url_test.go
+++ b/pkg/router/login_url_test.go
@@ -103,8 +103,8 @@ func TestLoginURL_WithResourceIndicator(t *testing.T) {
 provider := mock.NewTestProvider()
 provider.OpenIDConfiguration.AuthorizationEndpoint = "https://provider/authorize"
 handler := newHandler(provider)
- handler.Config.Features.Loginstatus.Enabled = true
- handler.Config.Features.Loginstatus.ResourceIndicator = "https://some-resource"
+ handler.Config.Loginstatus.Enabled = true
+ handler.Config.Loginstatus.ResourceIndicator = "https://some-resource"
 result, err := handler.LoginURL(req, params)
 assert.NotEmpty(t, result)