diff --git a/content/partials/types/_client_options.textile b/content/partials/types/_client_options.textile
index 943c723fa2..d3f0e15ee7 100644
--- a/content/partials/types/_client_options.textile
+++ b/content/partials/types/_client_options.textile
@@ -10,7 +10,7 @@ h4.
 
 <%= partial partial_version('shared/_token_auth_methods') %>
 
-- <span lang="default">tls</span><span lang="csharp,go">Tls</span><span lang="ruby">:tls</span> := _true_ A boolean value, indicating whether or not a TLS ("SSL") secure connection should be used. An insecure connection cannot be used with Basic authentication as it would lead to a possible compromise of the private API key while in transit. "Find out more about TLS":https://faqs.ably.com/are-messages-sent-to-and-received-from-ably-securely-using-tls<br>__Type: @Boolean@__
+- <span lang="default">tls</span><span lang="csharp,go">Tls</span><span lang="ruby">:tls</span> := _true_ A boolean value, indicating whether or not a TLS ("SSL") secure connection should be used. An insecure connection cannot be used with Basic authentication as it would lead to a possible compromise of the private API key while in transit. <span lang="javascript">The JavaScript library uses the TLS version supported by the browser environment.</span><span lang="nodejs">In Node.js, the TLS version is determined by the Node.js runtime version.</span> "Find out more about TLS":/docs/channels/options/encryption#tls<br>__Type: @Boolean@__
 
 - <span lang="default">clientId</span><span lang="csharp,go">ClientId</span><span lang="python">client_id</span><span lang="ruby">:client_id</span> := A client ID, used for identifying this client when publishing messages or for presence purposes. The <span lang="default">@clientId@</span><span lang="ruby,python">@client_id@</span><span lang="csharp,go">@ClientId@</span> can be any non-empty string. This option is primarily intended to be used in situations where the library is instantiated with a key; note that a <span lang="default">@clientId@</span><span lang="ruby,python">@client_id@</span><span lang="csharp,go">@ClientId@</span> may also be implicit in a token used to instantiate the library; an error will be raised if a <span lang="default">@clientId@</span><span lang="ruby,python">@client_id@</span> specified here conflicts with the <span lang="default">@clientId@</span><span lang="ruby,python">@client_id@</span><span lang="csharp,go">@ClientId@</span> implicit in the token. "Find out more about client identities":/docs/auth/identified-clients<br>__Type: @String@__
 
diff --git a/src/pages/docs/auth/capabilities.mdx b/src/pages/docs/auth/capabilities.mdx
index fd25089dc0..54ec81bc7a 100644
--- a/src/pages/docs/auth/capabilities.mdx
+++ b/src/pages/docs/auth/capabilities.mdx
@@ -7,7 +7,17 @@ API keys and Ably-compatible tokens, have a set of capabilities assigned to them
 
 API keys are long-lived, secret and typically not shared with clients. API key capabilities are configured using the [dashboard](https://ably.com/dashboard), or using the [Control API](/docs/platform/account/control-api).
 
-Ably-compatible tokens are designed to be shared with untrusted clients, are short-lived, and can be configured and issued programmatically. See [selecting an authentication mechanism](/docs/auth#selecting-auth) to understand why token authentication is the preferred option in most scenarios.
+Ably-compatible tokens are designed to be shared with untrusted clients, are short-lived, and can be configured and issued programmatically. For restricting client access to channels, tokens provide far more flexibility and security than API key capabilities. See [selecting an authentication mechanism](/docs/auth#selecting-auth) to understand why token authentication is the preferred option in most scenarios.
+
+### Capability changes and existing connections
+
+<Aside data-type='important'>
+When you change a key's capabilities in the dashboard, existing connections using that key do **not** receive the updated capabilities immediately. Connections must be closed and re-opened to pick up the new capabilities.
+</Aside>
+
+Once created, it's best to think of keys and tokens as being immutable. To modify the permissions granted to existing connections, the recommended approach is to use [token authentication](/docs/auth/token) and issue the client a new token with the updated permissions you want them to have.
+
+The one exception is if a key is revoked entirely, in which case all connections using that key (or a token derived from that key) will be forcibly terminated. See [token revocation](/docs/auth/revocation) for more information.
 
 ## Resource names and wildcards <a id="wildcards"/>
 
diff --git a/src/pages/docs/auth/index.mdx b/src/pages/docs/auth/index.mdx
index 171144ce70..51949e95e5 100644
--- a/src/pages/docs/auth/index.mdx
+++ b/src/pages/docs/auth/index.mdx
@@ -22,6 +22,22 @@ redirect_from:
 
 Before a client or server can issue requests to Ably, such as subscribe to channels, or publish messages, it must authenticate with Ably. Authentication requires an Ably API key.
 
+## Authentication terminology <a id="terminology"/>
+
+The following terminology helps explain authentication, authorization, and identification in the context of the Ably service:
+
+"Authentication" is the process of deciding, based on the presented credentials, whether or not an entity may interact with the Ably service. The credentials may be presented explicitly using [Basic Authentication](/docs/auth/basic) or [Token Authentication](/docs/auth/token), or in some cases the entity authenticating may prove possession of the credentials with a signed Token Request that is subsequently used to generate a valid token to be used for Token Authentication. When authenticating with Ably, the credentials are either an API key or an auth token.
+
+"Authenticated client" is a client of the Ably service that has been successfully authenticated.
+
+"Authorization" is the process of deciding whether or not a given entity (usually authenticated) is allowed to perform a given operation. In Ably, authorization for most operations is based on the [capabilities](/docs/auth/capabilities) associated with the key or token that was used to authenticate a client.
+
+"Identified client" is an authenticated client with a specific claimed client identity, or `clientId`, whose credentials are verified as confirming that identity. See the [identified clients](/docs/auth/identified-clients) documentation for more information.
+
+<Aside data-type='note'>
+Channels can be configured to only allow [identified clients](/docs/auth/identified-clients). Learn more about [channel rules](/docs/channels#rules).
+</Aside>
+
 ## Ably API keys <a id="api-keys"/>
 
 Every Ably app can have one or more API keys associated with it in order to authenticate directly with Ably, or to issue tokens with. API keys can be created with different [capabilities](/docs/auth/capabilities) and any tokens issued using that API key can only permit a subset of those capabilities.
diff --git a/src/pages/docs/auth/token.mdx b/src/pages/docs/auth/token.mdx
index e2927166f7..7da22d1b33 100644
--- a/src/pages/docs/auth/token.mdx
+++ b/src/pages/docs/auth/token.mdx
@@ -7,11 +7,29 @@ Token authentication uses a trusted device with an [API key](/docs/auth#api-key)
 
 Token authentication is the recommended authentication method to use client-side as it provides more fine-grained access control and limits the risk of credentials being exposed.
 
+## Access restrictions <a id="restrictions"/>
+
+### Token-based client validation
+
+Token authentication enables you to validate client characteristics (such as origin, IP address, cookies, or any other client features) in your authentication server before issuing tokens. This provides flexible access control as you can implement any validation logic in your auth server as part of the token issuance process.
+
+### API key restrictions
+
+For cases where token authentication is impractical, Ably can add origin or IP address restrictions directly to API keys. However, this approach has significant limitations:
+
+- Less flexible than token authentication.
+- Manual intervention required to modify restrictions.
+- Enterprise support packages only: contact [Ably support](https://ably.com/support) if interested.
+- Not a security boundary: origin headers can be easily spoofed, especially outside browser contexts.
+- Permissive fallback: requests with no origin header are allowed when origin restrictions are set.
+
+For maximum security and flexibility, token authentication with server-side validation is the recommended approach.
+
 Any of the following cause an SDK to use token authentication:
 
-* An [`authUrl`](/docs/api/realtime-sdk/types#client-options) or [`authCallback`](/docs/api/realtime-sdk/types#client-options) is provided that returns an Ably-compatible token or an Ably [`TokenRequest`](/docs/api/realtime-sdk/types#token-request)
-* [`useTokenAuth`](/docs/api/realtime-sdk/types#client-options) is true
-* A [`token`](/docs/api/realtime-sdk/types#client-options) or [`tokenDetails`](/docs/api/realtime-sdk/types#client-options) property is provided
+* An [`authUrl`](/docs/api/realtime-sdk/types#client-options) or [`authCallback`](/docs/api/realtime-sdk/types#client-options) is provided that returns an Ably-compatible token or an Ably [`TokenRequest`](/docs/api/realtime-sdk/types#token-request).
+* [`useTokenAuth`](/docs/api/realtime-sdk/types#client-options) is true.
+* A [`token`](/docs/api/realtime-sdk/types#client-options) or [`tokenDetails`](/docs/api/realtime-sdk/types#client-options) property is provided.
 
 Providing a literal `token` or `tokenDetails` is typically used for testing: since tokens are short-lived, in production you typically want to use an authentication method that allows the client library to renew the token automatically before the current token expires.
 
@@ -1054,3 +1072,116 @@ When selecting an Ably SDK for implementing token authentication with Ably, you
 
 As basic authentication is primarily designed for authenticating a secure server, in this situation, and assuming the server is only used for authentication, it is more efficient to use the REST interface, as the overhead associated with maintaining a realtime connection, is not required to issue tokens.
 </Aside>
+
+## Incremental authorization and reauth <a id="incremental-auth"/>
+
+Ably's authentication uses a system of immutable tokens. Once created, tokens have a fixed set of [capabilities](/docs/auth/capabilities) that cannot be modified. However, there are scenarios where clients may need additional capabilities after their initial connection.
+
+### Reauthorization process
+
+When a client needs new capabilities, it can reauthorize by obtaining a new token from your auth server and calling [`auth.authorize()`](/docs/api/realtime-sdk/authentication#authorize). This upgrades the connection to use the new token without disrupting the existing connection or requiring reconnection.
+
+### Reauthorization strategies
+
+Choose the strategy that best fits your application architecture:
+
+#### Server-determined capabilities
+
+Best for applications with session management where the server maintains complete client state.
+
+Your auth server tracks the canonical list of capabilities each client should have. When the client requests a new token, the server generates it with the complete capability set. This is the most secure approach as the server is the single source of truth.
+
+#### Client-requested capabilities
+
+Best for applications where clients need to request specific additional capabilities.
+
+The client can request additional capabilities by including them in the token request:
+
+- With `authUrl`: Use `authParams` or `authHeaders` in [client options](/docs/api/realtime-sdk/types#client-options) to send capability requests.
+- With `authCallback`: Construct a custom request to your server with the needed capabilities.
+
+Your server validates the request, updates its records of client capabilities, and issues a token with the complete capability set.
+
+#### Client-managed capabilities
+
+Best for stateless auth servers that cannot maintain client sessions.
+
+The client maintains its own list of needed capabilities and sends the complete list to the server on each token request. The server validates each capability before issuing the token.
+
+#### Signed capability storage
+
+Best for stateless servers where re-validation of all capabilities is expensive.
+
+Store client capabilities in a signed format (HMAC-signed cookie) to avoid trusting the client. When requesting new capabilities:
+
+1. Server verifies the signature of existing capabilities.
+2. Adds the new capability to the validated set.
+3. Issues a token and updates the signed storage.
+
+### Handling capability errors
+
+When a client attempts an operation without proper capabilities, Ably returns an error with code `40160`. You can catch this error and trigger reauthorization:
+
+```javascript
+channel.attach((err) => {
+  if(err && err.code === 40160) {
+    console.log("Access denied - requesting new token with required capabilities");
+
+    // Update your capability requirements
+    channelsINeedAccessTo.push(channel.name);
+
+    // Reauthorize with new capabilities
+    realtime.auth.authorize((authErr) => {
+      if(!authErr) {
+        // Retry the original operation
+        channel.attach();
+      }
+    });
+  }
+});
+```
+
+### Best practices
+
+- **Server validation**: Always validate that clients should have access to requested capabilities
+- **Minimal privileges**: Issue tokens with only the capabilities clients actually need
+- **Token expiration**: Use appropriate token TTLs to balance security and performance
+- **Error handling**: Implement robust error handling for capability-related failures
+- **State management**: Choose the capability management strategy that fits your application's architecture
+
+## WebSocket security considerations <a id="websocket-security"/>
+
+When using tokens with WebSocket connections, developers often have concerns about including access tokens in WebSocket connection URLs as query parameters.
+
+### Token placement security
+
+From a security perspective, the location where an access token is stored (URL query parameters, headers, or message content) provides equivalent protection when connections use TLS:
+
+- All connection data, including URLs and query parameters, are encrypted in transit.
+- An attacker with access to inspect traffic can access tokens regardless of their location.
+- TLS tunnels prevent proxies from accessing URL contents.
+
+### Historical security concerns
+
+Traditional concerns about credentials in query parameters arose from non-TLS environments and don't apply to modern WebSocket implementations:
+
+Addressed concerns:
+- Proxies cannot access URLs when using TLS tunnels.
+- Browsers don't maintain history for WebSocket connections made by pages.
+- TLS prevents intermediate systems from logging connection URLs.
+
+Modern context:
+- Most OAuth flows use `access_token` query parameters as standard practice.
+- WebSocket connections default to TLS encryption.
+- Client WebSocket implementations often don't support custom headers, making query parameters the practical choice.
+
+### Recommendations
+
+- Always establish WebSocket connections over TLS (WSS protocol).
+- Use tokens with appropriate expiration times.
+- Implement automatic token refresh for long-lived connections.
+- Log and monitor token usage patterns for anomalies.
+
+<Aside data-type='note'>
+The security of your WebSocket authentication depends primarily on using TLS encryption and proper token management practices, rather than the specific method of token transmission.
+</Aside>
diff --git a/src/pages/docs/channels/index.mdx b/src/pages/docs/channels/index.mdx
index d326c89279..32a4307fbb 100644
--- a/src/pages/docs/channels/index.mdx
+++ b/src/pages/docs/channels/index.mdx
@@ -217,3 +217,15 @@ Channel [history](/docs/storage-history/history) enables clients to retrieve mes
 ## Presence <a id="presence"/>
 
 The [presence](/docs/presence-occupancy/presence) feature enables clients to be aware of other clients that are 'present' on the channel. Client status is updated as they enter or leave the presence set. Clients can also provide an optional payload describing their status or attributes, and trigger an update event at any time.
+
+## Channel groups <a id="channel-groups"/>
+
+Ably does not support channel groups, a concept used by some other providers where channels are placed into groups to work around limitations in dynamically subscribing or unsubscribing from channels.
+
+**Why Ably doesn't need channel groups:**
+
+* With Ably client libraries, you can add or remove subscriptions to channels dynamically at any tie.
+* All channels operate over a single efficient connection.
+* Channel namespaces already provide grouping functionality for configuration purposes.
+
+Instead of channel groups, simply subscribe to the specific channels your client needs access to. The efficient multiplexing ensures optimal performance regardless of the number of channels.
diff --git a/src/pages/docs/channels/options/encryption.mdx b/src/pages/docs/channels/options/encryption.mdx
index 9d7fe6ce13..fc8c1aa673 100644
--- a/src/pages/docs/channels/options/encryption.mdx
+++ b/src/pages/docs/channels/options/encryption.mdx
@@ -14,13 +14,62 @@ redirect_from:
 
 [Transport Layer Security (TLS)](https://en.wikipedia.org/wiki/Transport_Layer_Security) is enabled by default in Ably SDKs so that data is securely sent to, and received from, Ably. However, messages are not encrypted within the Ably system. Use the encryption channel option to ensure that message payloads are opaque, that they can't be decrypted by Ably, and can only be decrypted by other clients that share your secret key.
 
+## TLS transport security <a id="tls"/>
+
+All Ably client libraries use TLS by default when communicating with Ably over REST or via realtime transports such as WebSockets. This provides a secure transport for communication with Ably, ensuring that messages in transit cannot be intercepted, inspected, or tampered with.
+
+### Disabling TLS
+
+If you need to disable TLS (typically to reduce communication overhead for public data streams), you can specify `tls: false` in your [client options](/docs/api/realtime-sdk#client-options) when instantiating a Realtime or REST library.
+
+<Aside data-type='warning'>
+Disabling TLS is strongly discouraged and is disabled by default in all client libraries for security reasons.
+</Aside>
+
+### TLS restrictions
+
+Unencrypted communication with Ably is **disallowed** if any of the following conditions are met:
+
+* You attempt to use [Basic Authentication](/docs/auth/basic) and thus transmit a private API key over an unencrypted connection. You are only permitted to use unencrypted connections with [Token Authentication](/docs/auth/token) as tokens expire, limiting the impact of token interception.
+
+* You have specified that TLS is required in your [app settings](/docs/platform/account/app/settings).
+
+* A client using an unencrypted connection attempts to attach to a channel that is configured to be used with [TLS only](/docs/channels#rules).
+
+### TLS version support
+
+Ably endpoints support TLS 1.2 and TLS 1.3, providing modern, secure encryption methods that protect your data and communications from malicious attacks.
+
+**Automatic version negotiation:**
+Ably automatically defaults to the highest TLS version supported by both the client and server. If both support TLS 1.3, it will be used by default as it provides the most secure and efficient connection.
+
+Benefits of TLS 1.2 and 1.3:
+- Protection against vulnerabilities such as man-in-the-middle attacks.
+- TLS 1.3 reduces round trips during handshake for quicker connections.
+- Forward secrecy and improved encryption algorithms.
+- Modern environments support these versions by default.
+
+#### Legacy TLS versions
+
+TLS 1.0 and 1.1 are deprecated and [will be sunset in June 2025](/docs/platform/deprecate/tls-v1-1). These older versions pose security risks and should be avoided. If using legacy systems, update them to support TLS 1.2 or higher.
+
+#### Client configuration
+
+Most modern clients and libraries are configured automatically to use TLS 1.2+ by default. The JavaScript library uses the TLS version supported by the browser environment, while Node.js uses the version determined by the Node.js runtime.
+
+### TLS vs. message encryption
+
+While TLS encryption ensures that messages in transit to and from Ably cannot be intercepted, inspected, or tampered with, it does not ensure that the Ably service itself is unable to inspect your messages and their content. If you want to ensure that all messages are encrypted and inaccessible to even Ably, consider using the [message-level encryption](#with-ably) feature included in the client libraries.
+
 Setting encryption using channel options means that encryption is a feature that can be set per-channel. Apps may have both un-encrypted and encrypted channels on a single connection.
 
-## Encryption with Ably <a id="with-ably"/>
+## Cross-platform symmetric encryption <a id="with-ably"/>
+
+All officially supported Ably client libraries provide **cross-platform symmetric encryption**, ensuring that encrypted messages can be sent from one platform and successfully decrypted on any other supported platform.
 
 Ably SDKs support encryption purely as a convenience. The SDKs ensure interoperability between environments by having compatible implementations of encryption algorithms and by making common choices on things such as format, mode and padding. However, Ably intentionally does not manage the distribution of keys between clients, and end-to-end encryption is enabled without exposing keys to the Ably service at all. This has the advantage that Ably has no access to the un-encrypted contents of your messages, but also means that each app is responsible for enabling the distribution of keys to clients independently of Ably.
 
-Encryption with Ably supports symmetric encryption only and requires each participating client to each specify the correct [`CipherParams`](/docs/api/realtime-sdk/encryption#cipher-params) secret `key` when creating a `channel` instance. Clients that do not specify a key will receive the still-encrypted message payloads, that they can subsequently decrypt offline if necessary.
+Encryption with Ably supports **symmetric encryption only** and requires each participating client to each specify the correct [`CipherParams`](/docs/api/realtime-sdk/encryption#cipher-params) secret `key` when creating a `channel` instance. Clients that do not specify a key will receive the still-encrypted message payloads, that they can subsequently decrypt offline if necessary.
 
 Only the AES algorithm, with a default key length of 256 bits, and CBC mode are supported. These defaults are intended to ensure that encryption support can be provided in all target environments and platforms.
 
diff --git a/src/pages/docs/connect/index.mdx b/src/pages/docs/connect/index.mdx
index f79cf245c4..fde8e087a3 100644
--- a/src/pages/docs/connect/index.mdx
+++ b/src/pages/docs/connect/index.mdx
@@ -8,7 +8,19 @@ redirect_from:
   - /docs/realtime/versions/v0.8/connection
 ---
 
-Clients establish and maintain a connection to the Ably service using the most efficient transport available, typically [WebSockets](https://ably.com/topic/websockets). Ably SDKs operate and multiplex all [channel](/docs/channels) traffic over that connection. This maximizes throughput, minimizes bandwidth consumption, and reduces power usage. Once connected, clients can monitor and manage their [connection state](/docs/connect/states).
+Clients establish and maintain a connection to the Ably service using the most efficient transport available, typically [WebSockets](https://ably.com/topic/websockets).
+
+## Connection multiplexing <a id="multiplexing"/>
+
+Ably SDKs operate and multiplex all [channel](/docs/channels) traffic over a single connection. This means you can publish and subscribe to messages on any number of channels simultaneously using just one transport connection. This approach:
+
+* Maximizes throughput by efficiently utilizing the available connection.
+* Minimizes bandwidth consumption by avoiding multiple connection overhead.
+* Reduces power usage by maintaining fewer active connections.
+
+All Ably client libraries support multiplexing by default when using the realtime interface. You can dynamically subscribe and unsubscribe from channels at any time without needing to establish new connections.
+
+Once connected, clients can monitor and manage their [connection state](/docs/connect/states).
 
 <Aside data-type="note">
 Connections can only be established using the realtime interface of an Ably SDK. See [About Pub/Sub](/docs/basics) for further information on the differences between the REST and realtime interface.
diff --git a/src/pages/docs/connect/states.mdx b/src/pages/docs/connect/states.mdx
index 6b929c0a76..e2a25e4ecc 100644
--- a/src/pages/docs/connect/states.mdx
+++ b/src/pages/docs/connect/states.mdx
@@ -13,6 +13,54 @@ An Ably SDK is responsible for managing a connection. This includes:
 * Selecting a new host to connect to when automatically falling back to an alternate datacenter if needed.
 * Managing continuity of operation when the connection drops.
 
+## Transport selection and upgrade <a id="transport-selection"/>
+
+### Supported transports
+
+The JavaScript browser library supports the following transports, listed in order of preference:
+
+1. **WebSockets** - The preferred transport for real-time bidirectional communication
+2. **XHR streaming** - HTTP-based streaming transport for browsers that support it
+3. **XHR polling** - HTTP-based polling transport with good browser compatibility
+4. **JSONP polling** - Fallback transport for browsers with CORS limitations
+
+### Transport selection process
+
+When a browser client library first connects to Ably:
+
+1. **Initial connection**: The library starts with the best available HTTP-based transport (XHR streaming, XHR polling, or JSONP polling in that order of priority)
+2. **WebSocket upgrade**: A WebSocket connection is then attempted on browsers that support it
+3. **Seamless migration**: When the WebSocket connection succeeds, the library seamlessly migrates to the new connection
+
+This approach ensures compatibility with environments where WebSockets may be blocked or subtly broken, such as some corporate proxies. Starting with an HTTP-based transport provides a connection that works immediately, while the upgrade to WebSockets happens in the background.
+
+### Customizing transport behavior
+
+You can customize this behavior using the [`transports`](/docs/api/realtime-sdk#client-options) client option:
+
+```javascript
+// Force immediate WebSocket connection (bypass Comet upgrade step)
+const ably = new Ably.Realtime({
+  key: 'your-api-key',
+  transports: ['web_socket']
+});
+
+// Specify transport preference order
+const ably = new Ably.Realtime({
+  key: 'your-api-key', 
+  transports: ['web_socket', 'xhr_polling']
+});
+```
+
+<Aside data-type='important'>
+**Version 2 changes**: In v2 of the JavaScript library, the transport behavior has changed significantly:
+- XHR streaming and XHR transports are no longer requested
+- JSONP transport is no longer requested  
+- WebSocket connections may be affected in environments where they are blocked
+
+See the [v2 migration guide](/docs/sdk/js/v2-migration) for full migration details.
+</Aside>
+
 When an SDK is instantiated it will establish a connection immediately, and if the connection drops at any time it will attempt to re-establish it by making repeated connection attempts every 15 seconds for up to two minutes.
 
 ## Available connection states <a id="connection-states"/>
diff --git a/src/pages/docs/metadata-stats/stats.mdx b/src/pages/docs/metadata-stats/stats.mdx
index b4f4b4d32c..3529312aad 100644
--- a/src/pages/docs/metadata-stats/stats.mdx
+++ b/src/pages/docs/metadata-stats/stats.mdx
@@ -43,7 +43,7 @@ curl --request GET \
 This endpoint returns a [statistics response type](#payload) including [account-only metrics](#account-only).
 
 <Aside data-type='note'>
-  To obtain your `ACCOUNT_ID`, you can use `/me` Control API endpoint to find your `ACCOUNT_ID`, or alternatively find it in the [**Settings**](https://ably.com/accounts/any/edit) page of your account dashboard:
+  To obtain your `ACCOUNT_ID`, you can use `/me` Control API endpoint to find your `ACCOUNT_ID`, or alternatively find it in the [Settings](https://ably.com/accounts/any/edit) page of your account dashboard:
 </Aside>
 
 <Code>
@@ -85,7 +85,7 @@ curl 'https://control.ably.net/v1/apps/${APP_ID}/stats' \
 This endpoint returns a [statistics response type](#payload).
 
 <Aside data-type='note'>
-    The `APP_ID` can be found in the [**Settings**](https://ably.com/accounts/any/apps/any/edit) tab of an application within your dashboard.
+    The `APP_ID` can be found in the [Settings](https://ably.com/accounts/any/apps/any/edit) tab of an application within your dashboard.
 </Aside>
 
 ### App statistics via SDK <a id="app-sdk"/>
@@ -360,41 +360,45 @@ The following metadata is returned for each entry:
 
 | Property | Description |
 | --- | --- |
-| **appId** | The ID of the Ably application the statistics are for. Only present when querying app statistics. |
-| **accountId** | The ID of the Ably account the statistics are for. Only present when querying account statistics. |
-| **intervalId** | Start time for the stats entry. Format is `yyyy-mm-dd:hh:mm` for `unit=minute`, and `yyyy-mm-dd:hh` for `unit=hour,day,month`. |
-| **unit** | Unit of time that the stats entry covers. One of `minute`, `hour`, `day` or `month`. |
-| **schema** | URI of the stats schema. |
-| **inProgress** | The last sub-interval included in this entry in the format `yyyy-mm-dd:hh:mm:ss`, else undefined. For entries that are still in progress, such as the current month. |
+| appId | The ID of the Ably application the statistics are for. Only present when querying app statistics. |
+| accountId | The ID of the Ably account the statistics are for. Only present when querying account statistics. |
+| intervalId | Start time for the stats entry. Format is `yyyy-mm-dd:hh:mm` for `unit=minute`, and `yyyy-mm-dd:hh` for `unit=hour,day,month`. |
+| unit | Unit of time that the stats entry covers. One of `minute`, `hour`, `day` or `month`. |
+| schema | URI of the stats schema. |
+| inProgress | The last sub-interval included in this entry in the format `yyyy-mm-dd:hh:mm:ss`, else undefined. For entries that are still in progress, such as the current month. |
 
 ### All messages <a id="messages"/>
 
 All messages metrics include all messages types, such as those sent and received by Ably and clients, messages delivered via integrations and push notifications delivered to devices.
 
+Failed vs. Refused messages:
+- Failed messages are those that did not succeed for reasons other than Ably actively rejecting them, such as external integration target rejections or Ably service issues.
+- Refused messages are those that Ably actively chose to reject, typically due to rate limiting, malformed messages, or insufficient client permissions.
+
 | Metric | Description |
 | --- | --- |
-| **messages.all.all.count** | Total number of messages that were successfully received and sent by Ably, summed over all message types and transports. |
-| **messages.all.all.billableCount** | Total number of billable messages that were successfully received and sent by Ably, summed over all message types and transports. |
-| **messages.all.all.data** | Total data in messages successfully received and sent by Ably, summed over all message types and transports. |
-| **messages.all.all.uncompressedData** | Total data in messages successfully received and sent by Ably, excluding savings provided by delta compression. |
-| **messages.all.all.failed** | Total number of messages that failed. These are messages which did not succeed for some reason other than Ably explicitly refusing them, such as they were rejected by an external integration target, or a service issue on Ably's side. |
-| **messages.all.all.refused** | Total number of messages that were refused by Ably. For example, due to [rate limiting](/docs/platform/pricing/limits), malformed messages, or incorrect client permissions.|
-| **messages.all.messages.count** | Total message count, excluding presence and object messages. |
-| **messages.all.messages.billableCount** | Total billable message count, excluding presence and object messages. |
-| **messages.all.messages.data** | Total message size, excluding presence and object messages. |
-| **messages.all.messages.uncompressedData** | Total number of messages that failed. These are messages which did not succeed for some reason other than Ably explicitly refusing them, such as they were rejected by an external integration target, or a service issue on Ably's side. |
-| **messages.all.messages.failed** | Total number of messages excluding presence and object messages that failed. These are messages which did not succeed for some reason other than Ably explicitly refusing them, such as they were rejected by an external integration target, or a service issue on Ably's side. |
-| **messages.all.messages.refused** | Total number of messages excluding presence and object messages that were refused by Ably. For example, due to [rate limiting](/docs/platform/pricing/limits), malformed messages, or incorrect client permissions. |
-| **messages.all.presence.count** | Total presence message count. |
-| **messages.all.presence.billableCount** | Total billable presence message count. |
-| **messages.all.presence.data** | Total presence message size. |
-| **messages.all.presence.uncompressedData** | Total uncompressed presence message size, excluding delta compression. |
-| **messages.all.objects.count** | Total objects message count. |
-| **messages.all.objects.billableCount** | Total billable objects message count. |
-| **messages.all.objects.data** | Total objects message size. |
-| **messages.all.objects.uncompressedData** | Total uncompressed objects message size, excluding delta compression. |
-| **messages.all.messages.failed** | Total number of presence messages excluding presence and object messages that failed. These are messages which did not succeed for some reason other than Ably explicitly refusing them, such as they were rejected by an external integration target, or a service issue on Ably's side. |
-| **messages.all.messages.refused** | Total number of presence messages excluding presence and object messages that were refused by Ably. For example, due to [rate limiting](/docs/platform/pricing/limits), malformed messages, or incorrect client permissions. |
+| `messages.all.all.count` | Total number of messages that were successfully received and sent by Ably, summed over all message types and transports. |
+| `messages.all.all.billableCount` | Total number of billable messages that were successfully received and sent by Ably, summed over all message types and transports. |
+| `messages.all.all.data` | Total data in messages successfully received and sent by Ably, summed over all message types and transports. |
+| `messages.all.all.uncompressedData` | Total data in messages successfully received and sent by Ably, excluding savings provided by delta compression. |
+| `messages.all.all.failed` | Total number of messages that failed. These are messages which did not succeed for some reason other than Ably explicitly refusing them, such as they were rejected by an external integration target, or a service issue on Ably's side. |
+| `messages.all.all.refused` | Total number of messages that were refused by Ably. For example, due to [rate limiting](/docs/platform/pricing/limits), malformed messages, or incorrect client permissions.|
+| `messages.all.messages.count` | Total message count, excluding presence and object messages. |
+| `messages.all.messages.billableCount` | Total billable message count, excluding presence and object messages. |
+| `messages.all.messages.data` | Total message size, excluding presence and object messages. |
+| `messages.all.messages.uncompressedData` | Total number of messages that failed. These are messages which did not succeed for some reason other than Ably explicitly refusing them, such as they were rejected by an external integration target, or a service issue on Ably's side. |
+| `messages.all.messages.failed` | Total number of messages excluding presence and object messages that failed. These are messages which did not succeed for some reason other than Ably explicitly refusing them, such as they were rejected by an external integration target, or a service issue on Ably's side. |
+| `messages.all.messages.refused` | Total number of messages excluding presence and object messages that were refused by Ably. For example, due to [rate limiting](/docs/platform/pricing/limits), malformed messages, or incorrect client permissions. |
+| `messages.all.presence.count` | Total presence message count. |
+| `messages.all.presence.billableCount` | Total billable presence message count. |
+| `messages.all.presence.data` | Total presence message size. |
+| `messages.all.presence.uncompressedData` | Total uncompressed presence message size, excluding delta compression. |
+| `messages.all.objects.count` | Total objects message count. |
+| `messages.all.objects.billableCount` | Total billable objects message count. |
+| `messages.all.objects.data` | Total objects message size. |
+| `messages.all.objects.uncompressedData` | Total uncompressed objects message size, excluding delta compression. |
+| `messages.all.messages.failed` | Total number of presence messages excluding presence and object messages that failed. These are messages which did not succeed for some reason other than Ably explicitly refusing them, such as they were rejected by an external integration target, or a service issue on Ably's side. |
+| `messages.all.messages.refused` | Total number of presence messages excluding presence and object messages that were refused by Ably. For example, due to [rate limiting](/docs/platform/pricing/limits), malformed messages, or incorrect client permissions. |
 
 ### Inbound messages <a id="inbound"/>
 
@@ -698,6 +702,8 @@ Push notification metrics include all [notifications](/docs/push) sent to device
 
 The following metrics will only be returned when querying account statistics.
 
+Peak rates are measured as a 24-second rolling average window. The reported peak rate for any given minute is the maximum value that this 24-second moving average reached during that minute. This measurement helps you monitor how close you are to hitting instantaneous rate limits, which may not be obvious from standard minute-by-minute statistics, especially with spiky usage patterns.
+
 | Metric | Description |
 | --- | --- |
 | **peakRates.messages** | Peak rate of messages. |
diff --git a/src/pages/docs/platform/account/app/api.mdx b/src/pages/docs/platform/account/app/api.mdx
index 7cdebcf2b5..2421063578 100644
--- a/src/pages/docs/platform/account/app/api.mdx
+++ b/src/pages/docs/platform/account/app/api.mdx
@@ -8,6 +8,10 @@ redirect_from:
 
 The API keys tab lists all API keys associated with your account and provides information on each key's capabilities and restrictions. You can [create a new API key](#create) and manage an existing one.
 
+<Aside data-type='note'>
+Before setting up multiple API keys with different permissions or sharing API keys with untrusted parties, consider using [token authentication](/docs/auth/token) instead. Token authentication provides more flexible access control and better security for client-side applications.
+</Aside>
+
 ## Create a new API key <a id="create"/>
 
 The following steps create a new API Key:
@@ -39,10 +43,16 @@ Set resource restrictions to control access to channels and queues, ranging from
 
 | Restriction | Description |
 | ----------- | ----------- |
-| **None** | No restrictions; access any channel or queue. |
-| **Only channels** | Access any channel but not queues. |
-| **Only queues** | Access any queue but not channels. |
-| **Selected channels and queues** | Specify explicit rules for access. |
+| None | No restrictions; access any channel or queue. |
+| Only channels | Access any channel but not queues. |
+| Only queues | Access any queue but not channels. |
+| Selected channels and queues | Specify explicit rules for access. |
+
+When specifying selected channels and queues, you can provide a comma-separated list of resources. Each resource can match a single channel (e.g., `channel-name`) or multiple channels using wildcards (e.g., `namespace:*`). Queues use the prefix `[queue]` and meta channels use `[meta]`. See [capabilities documentation](/docs/auth/capabilities#wildcards) for detailed wildcard syntax.
+
+<Aside data-type='important'>
+A single API key cannot support complex permission combinations, such as publish access on one channel and subscribe access on another. For such requirements, use [token authentication](/docs/auth/token) instead.
+</Aside>
 
 ### Revocable tokens
 
@@ -50,7 +60,7 @@ Set resource restrictions to control access to channels and queues, ranging from
 
 | Option | Description |
 | ------ | ----------- |
-| **Revocable tokens** | Implement security measures by setting shorter token lifetimes and enabling the ability to revoke tokens issued by the API key. |
+| Revocable tokens | Implement security measures by setting shorter token lifetimes and enabling the ability to revoke tokens issued by the API key. |
 
 ### Change your API key settings
 
diff --git a/src/pages/docs/platform/account/app/settings.mdx b/src/pages/docs/platform/account/app/settings.mdx
index 311ad766b3..9fece07500 100644
--- a/src/pages/docs/platform/account/app/settings.mdx
+++ b/src/pages/docs/platform/account/app/settings.mdx
@@ -17,7 +17,7 @@ The following provides an overview of your application settings.
 | **App ID** | This ID is automatically generated by Ably when you create an application. It is a critical part of your application's identity and is included in every API key and token issued for your application. |
 | **Name** | This is the user-defined name that you assigned when creating your application. It is helpful for quickly identifying the application among others in your dashboard, especially if you manage multiple applications. |
 | **Security** | Enabled by default, this option enforces Transport Layer Security (TLS) for all connections to your application. TLS protocol ensures data encryption and secure communication between clients and servers. |
-| **Enabled** | When an application is **disabled**, it no longer accepts new connections and deactivates all associated services. Clients cannot connect, send or receive messages, or use other Ably services. When **enabled**, the application allows new connections and activates all related services. |
+| **Enabled** | When an application is disabled, it no longer accepts new connections and deactivates all associated services. Clients cannot connect, send or receive messages, or use other Ably services. When enabled, the application allows new connections and activates all related services. |
 
 ### Channel rule configuration
 
@@ -25,15 +25,15 @@ The following explains the configuration rules for specific [namespaces](/docs/c
 
 | Section | Description |
 | ------- | ----------- |
-| **Namespace or channel ID** | Identify the specific namespace or channel to which this rule will apply. |
-| **Persist last message** | Stores the last message published on a channel for 365 days, accessible via the rewind mechanism. |
-| **Persist all messages** | Ably stores all messages for two minutes by default. Depending on your account package, this can be increased to 24 or 72 hours. It is also possible to persist the last message sent to a channel for a year. |
-| **Identified** | Requires clients to authenticate with a client ID to interact with channels in this namespace. |
-| **TLS only** | Restricts access to channels within this namespace to clients connected using TLS. |
-| **Push notifications enabled** | Enables publishing messages with a push payload, triggering native push notifications to registered devices. |
-| **Message interactions enabled** | Enables unique time serial fields in messages, enabling typed references between messages (e.g., implementing 'Likes' in a chat). |
-| **Server-side batching enabled** | Batches inbound messages on the server side before sending them to subscribers based on the configured policy. |
-| **Cancel** | Discards changes and closes the dialog without saving the new rule.|
+| Namespace or channel ID | Identify the specific namespace or channel to which this rule will apply. |
+| Persist last message | Stores the last message published on a channel for 365 days, accessible via the rewind mechanism. |
+| Persist all messages | Ably stores all messages for two minutes by default. Depending on your account package, this can be increased to 24 or 72 hours. It is also possible to persist the last message sent to a channel for a year. |
+| Identified | Requires clients to authenticate with a client ID to interact with channels in this namespace. |
+| TLS only | Restricts access to channels within this namespace to clients connected using TLS. |
+| Push notifications enabled | Enables publishing messages with a push payload, triggering native push notifications to registered devices. |
+| Message interactions enabled | Enables unique time serial fields in messages, enabling typed references between messages (e.g., implementing 'Likes' in a chat). |
+| Server-side batching enabled | Batches inbound messages on the server side before sending them to subscribers based on the configured policy. |
+| Cancel | Discards changes and closes the dialog without saving the new rule.|
 
 ### Protocol adapter settings
 
@@ -41,10 +41,24 @@ The following explains the configuration support for various communication proto
 
 | Settings  | Description |
 | --------- | ----------- |
-| **Pusher protocol support** | Provides compatibility with the Pusher protocol. |
-| **PubNub protocol support** | Provides compatibility with the PubNub protocol. |
-| **MQTT protocol support** | Provides compatibility with the MQTT protocol. |
+| Pusher protocol support | Provides compatibility with the Pusher protocol. |
+| PubNub protocol support | Provides compatibility with the PubNub protocol. |
+| MQTT protocol support | Provides compatibility with the MQTT protocol. |
 
 ### Actions
 
 **Delete this app now** to permanently delete your app including your message history, statistics and prevent access to Ably with any of the API keys assigned to this app.
+
+#### How to delete an app
+
+<Aside data-type='warning'>
+This will permanently delete your app and any data related to it including namespaces and rules. Please be absolutely sure that you want to do this before proceeding.
+</Aside>
+
+To delete an application:
+
+1. Go to your [app dashboard](https://ably.com/accounts) and select the app you want to delete
+2. Navigate to the **Settings** tab  
+3. Scroll to the bottom of the page to find the **Delete this app now** button
+4. Click the delete button and confirm the action when prompted
+5. You will be redirected back to your app dashboard
diff --git a/src/pages/docs/platform/account/app/stats.mdx b/src/pages/docs/platform/account/app/stats.mdx
index a5b2f6eb4a..890b60b0a7 100644
--- a/src/pages/docs/platform/account/app/stats.mdx
+++ b/src/pages/docs/platform/account/app/stats.mdx
@@ -18,19 +18,21 @@ The following explains the statistics table metrics:
 
 | Metric | Description |
 |--------|-------------|
-| **Messages (billable)** | Total number of messages used. |
-| **Messages published (REST & Realtime)** | Number of messages sent via REST and Realtime. |
-| **Messages received (Realtime)** | Number of messages received. |
-| **Messages persisted (history)** | Number of messages retrieved from history. |
-| **Messages retrieved (history)** | Number of messages retrieved from history. |
-| **Presence events (REST & Realtime)** | Number of presence-related events via REST and Realtime. |
-| **Webhook / Function** | Number of messages transferred through functions and webhooks. |
-| **Ably Queue** | Number of messages transferred through queues. |
-| **Firehose** | Number of messages transferred through Firehose. |
-| **Push notifications** | Number of push notifications sent. |
-| **Data transferred** | Amount of data transferred, in bytes. |
-| **Peak connections** | Highest number of concurrent connections. |
-| **Peak channels** | Highest number of concurrent channels. |
+| Messages (billable) | Total number of messages used. |
+| Messages published (REST & Realtime) | Number of messages sent via REST and Realtime. |
+| Messages received (Realtime) | Number of messages received. |
+| Messages persisted (history) | Number of messages retrieved from history. |
+| Messages retrieved (history) | Number of messages retrieved from history. |
+| Presence events (REST & Realtime) | Number of presence-related events via REST and Realtime. |
+| Webhook / Function | Number of messages transferred through functions and webhooks. |
+| Ably Queue | Number of messages transferred through queues. |
+| Firehose | Number of messages transferred through Firehose. |
+| Push notifications | Number of push notifications sent. |
+| Data transferred | Amount of data transferred, in bytes. |
+| Peak connections | Highest number of concurrent connections. |
+| Peak channels | Highest number of concurrent channels. |
+
+The "This month (actual)" column displays your actual usage to date, while the "This month (forecast)" column shows an estimated projection of your expected usage for the month based on current usage patterns.
 
 <Aside data-type='note'>
 Download or view detailed app statistics for a more granular analysis, enabling deeper dives into specific metrics as needed.
@@ -46,3 +48,5 @@ The following explains how to use the statistics chart:
 
 * **Duration**: Define a specific time range for the statistics you want to view. This enables you to focus on periods of particular interest. For example, set the time range from "2024-06-17 00:00" to "2024-08-06 11:18" to analyze data within that period.
 * **Zoom**: Use preset zoom options (1h, 8h, 24h, 7d, 1m, 6m, 1y, all) to adjust the chart's view to different periods, enabling you to analyze data at various granularities.
+
+Statistics can be filtered by start time, end time, and time interval. However, filtering by channel, namespace, event names, or other specific details is not currently supported.
diff --git a/src/pages/docs/platform/account/index.mdx b/src/pages/docs/platform/account/index.mdx
index c9883556ce..0bbcd6c0e0 100644
--- a/src/pages/docs/platform/account/index.mdx
+++ b/src/pages/docs/platform/account/index.mdx
@@ -8,7 +8,25 @@ redirect_from:
 
 Manage all aspects of your account, from Two-factor authentication ([2FA](/docs/platform/account/2fa)) and billing to user management and personal preferences.
 
-Begin by [logging](https://ably.com/login) in to Ably through your browser. Once you're logged in, you have access to the Ably dashboard, where you can click on the **Account** navigation dropdown to access the account settings:
+## Account and App relationship
+
+When you sign up to Ably, you are set up with an account that contains one or more applications (apps). The account acts as the top-level container with the following structure:
+
+Your account contains:
+- A subscription package (free or paid) that determines usage limits like maximum concurrent connections and messages per month.
+- One or more [users](/docs/platform/account/users) with defined roles, including at least one account owner.
+- One or more [applications](/docs/platform/account/app).
+- [Usage statistics](/docs/metadata-stats/stats#account) aggregated from all apps within the account.
+
+Each app within your account contains:
+- App-specific [usage statistics](/docs/metadata-stats/stats#app).
+- A set of [API keys](/docs/platform/account/app/api) for authentication.
+- [Channel rules](/docs/channels#rules) and namespace configurations.
+- App-specific [settings](/docs/platform/account/app/settings).
+
+Limits and billing are managed at the account level, while app-specific configurations like API keys and channel rules are managed per application.
+
+Begin by [logging](https://ably.com/login) in to Ably through your browser. Once you're logged in, you have access to the Ably dashboard, where you can click on the Account navigation dropdown to access the account settings:
 
 ![Ably Account Settings](../../../../images/content/screenshots/dash/account.png)
 
@@ -48,7 +66,7 @@ Monitor your account's resource consumption with detailed usage statistics:
 
 Manage the [users](/docs/platform/account/users) associated with your account:
 
-* The account owner role has full permissions to manage the account, including inviting and removing users, and assigning roles like **developer**, **billing**, or **admin**.
+* The account owner role has full permissions to manage the account, including inviting and removing users, and assigning roles like developer, billing, or admin.
 * Multiple roles can be assigned to a single user.
 * Remove, or change user roles within an Ably account.
 
@@ -62,6 +80,66 @@ Control personal account settings:
 * Customize Ably email preferences (product updates, news, educational emails)
 * Set up notifications for account usage.
 
+#### Change your username or email
+
+To change your name or email address:
+
+1. Sign in to your Ably account.
+2. Go to [My Settings](https://ably.com/users/edit).
+3. Edit the Name or Email fields as needed.
+4. Click Update my personal settings to save your changes.
+
+<Aside data-type='note'>
+Users provisioned through SCIM cannot modify their name or email address within Ably. These updates must be made through your identity provider.
+</Aside>
+
+#### Manage email preferences
+
+To manage your email preferences for marketing, product updates, and account quota/usage/limit alerts:
+
+1. Sign in to your Ably account.
+2. Go to [My Settings](https://ably.com/users/edit).
+3. Scroll to the Email preferences section.
+4. Select or deselect the types of emails you want to receive:
+   * Product updates and feature announcements.
+   * Educational content and best practices.
+   * Marketing communications and news.
+5. Configure Account notifications for usage alerts and quota limits.
+6. Click Update my personal settings to save your preferences.
+
+Email notifications for account quotas and limits are sent when you're nearing a limit and when you've exceeded it. These notifications help you monitor your usage and avoid service disruptions.
+
+## Email verification <a id="email-verification"/>
+
+Ably requires all email addresses to be verified for security purposes. When you log in with an unverified email address, you'll see a banner prompting you to verify your email address.
+
+### How to verify your email
+
+To verify your email address:
+
+1. Log in to your Ably account.
+2. Click the verification link in the banner or check your email for a verification message from Ably.
+3. Click the verification link in the email (links expire after 24 hours).
+4. Your email address will be verified and the banner will disappear.
+
+### Social media authentication
+
+If you authenticate through a social media account (Google, GitHub):
+
+- If you use the same email for both your social account and Ably, no additional verification is needed
+- If you change your email on the social platform or choose a different email during Ably registration, you'll need to verify the email address with Ably
+
+### Unverified email limitations
+
+With an unverified email address, you can still use the Ably platform but with the following restrictions:
+
+- Cannot invite new users to your account.
+- Cannot modify 2FA settings (existing 2FA continues to work normally).
+
+### SSO and enterprise authentication
+
+Users who authenticate through Single Sign-On (SSO) via SAML or enterprise integrations automatically have verified email addresses and don't need to complete additional verification steps.
+
 ### My Access tokens
 
 Create access tokens for the [Control API:](/docs/platform/account/control-api)
@@ -69,3 +147,23 @@ Create access tokens for the [Control API:](/docs/platform/account/control-api)
 * Users can create new tokens by providing a descriptive name, assigning an account, selecting capabilities, and securely storing the token once generated.
 * Users can revoke existing tokens through the settings section, but this action is irreversible and will immediately invalidate the token for API access.
 * After a token is created, the full token cannot be viewed again, so it must be securely stored upon generation.
+
+### Heroku add-on access
+
+If you are using Ably as a Heroku add-on, accessing your dashboard works differently:
+
+1. Login to Heroku as it acts as your Single Sign-On (SSO) provider.
+2. Click on the Ably add-on from your Heroku dashboard.
+3. You will be automatically redirected to your Ably app dashboard.
+
+Once in your Ably dashboard, you can view live statistics, manage API keys, configure channel rules, set up webhooks, and use the developer console.
+
+### AWS Marketplace sign-in issues
+
+If you purchased Ably through the AWS Marketplace and are experiencing sign-in issues:
+
+1. Make sure you're logged out of Ably
+2. Complete the AWS registration process with an alternative email address
+3. Invite your personal account to be an admin of the AWS account
+
+If you continue experiencing issues, contact [Ably support](https://ably.com/support) for assistance.
diff --git a/src/pages/docs/platform/account/sso.mdx b/src/pages/docs/platform/account/sso.mdx
index 32aac9346b..7b0bd08973 100644
--- a/src/pages/docs/platform/account/sso.mdx
+++ b/src/pages/docs/platform/account/sso.mdx
@@ -43,10 +43,10 @@ In your Ably account dashboard:
 1. Log in to your [account](https://ably.com/accounts/any).
 2. Select **Settings** from the account navigation dropdown.
 3. Complete the SSO fields with the values obtained from Okta:
-    * **Identity Provider Single Sign-On URL**
-    * **Identity Provider Issuer**
-    * **X.509 Certificate**
-4. **Save** the authentication settings.
+    * Identity Provider Single Sign-On URL
+    * Identity Provider Issuer
+    * X.509 Certificate
+4. Save the authentication settings.
 
 ### Google Workspace <a id="google"/>
 
@@ -65,17 +65,17 @@ Use the [Google Workspace guide](https://support.google.com/a/answer/6087519?hl=
 
 1. Upload the Ably logo.
 2. Copy and paste the metadata configuration into your Ably account:
-    * **Identity Provider Single Sign-On URL**
-    * Use **Entity ID** from Google Workspace as the **Identity Provider Issuer** in your Ably account.
-    * **X.509 Certificate**
-3. **Save** the authentication setting changes in your Ably account.
+    * Identity Provider Single Sign-On URL
+    * Use Entity ID from Google Workspace as the Identity Provider Issuer in your Ably account.
+    * X.509 Certificate
+3. Save the authentication setting changes in your Ably account.
 4. Copy and paste the SAML settings from your Ably account into Google Workspace:
-    * Use **Single sign on URL** from your Ably account as the **ACS URL** in Google Workspace.
-    * Use **SP Entity Id** from your Ably account as the **Entity ID** in Google Workspace.
-    * Use **Entity ID** from Google Workspace as the **Identity Provider Issuer** in your Ably account.
-    * Select **EMAIL** for the **Name ID format** field.
-    * Select **Basic Information > Primary Email** for the **Name ID** field.
-5. Ably requires users' full names, so ensure **first_name** and **last_name** are populated.
+    * Use Single sign on URL from your Ably account as the ACS URL in Google Workspace.
+    * Use SP Entity Id from your Ably account as the Entity ID in Google Workspace.
+    * Use Entity ID from Google Workspace as the Identity Provider Issuer in your Ably account.
+    * Select EMAIL for the Name ID format field.
+    * Select Basic Information > Primary Email for the Name ID field.
+5. Ably requires users' full names, so ensure first_name and last_name are populated.
 6. Assign users to the newly created Google Workspace application.
 7. Test the SSO connection from Google Workspace.
 
@@ -85,7 +85,7 @@ Google Workspace **alone** does not natively support SCIM.
 
 ## Strict mode <a id="strict"/>
 
-Strict mode can be enabled to restrict access to your Ably account to only those users that authenticate with your identity provider. Users that attempt to log in using another method, such as their email address and password or a GitHub log in will be prompted to re-authenticate with your identity provider.
+Strict mode can be enabled to restrict access to your Ably account to only those users that authenticate with your identity provider. Users that attempt to log in using another method, such as their email address and password or a GitHub log in will see an "Authentication passthru" error and be prompted to re-authenticate with your identity provider.
 
 Strict mode ensures that Ably account access is handled by your identity provider. If a user is removed from your identity provider they will no longer be able to access the Ably account once their current session expires.
 
diff --git a/src/pages/docs/platform/account/users.mdx b/src/pages/docs/platform/account/users.mdx
index 39f58a7a48..b9218f3e0d 100644
--- a/src/pages/docs/platform/account/users.mdx
+++ b/src/pages/docs/platform/account/users.mdx
@@ -40,16 +40,58 @@ User roles have the following permissions:
 | Update billing information | - | ✓ | - | ✓ |
 | Manage [account package](https://ably.com/pricing) | - | - | - | ✓ |
 
+## View account users <a id="view"/>
+
+You can view which users have access to your account and their assigned roles. Only account owners and admins can view, add, or remove users.
+
+To view users on your account:
+
+1. Log in to your [account](https://ably.com/accounts/any).
+2. Select **Users** from the account navigation dropdown.
+3. View the list of users on the account and their assigned roles.
+
+The Users page displays all account users, their roles, and any pending invitations. The account owner is listed at the top of the users list and identified with the "Owner" role.
+
+#### Find the account owner
+
+To identify who the account owner is:
+
+1. Follow the steps above to view users on your account.
+2. Look at the top of the users list, the account owner will be listed first.
+3. The account owner will have the "Owner" role displayed next to their name.
+
+The account owner has special privileges including access to billing information and the ability to transfer account ownership.
+
 ### Change user roles <a id="change"/>
 
 The following steps add or remove roles from a user within an Ably account. You must be an account owner or admin to change user roles:
 
 1. Log in to your [account](https://ably.com/accounts/any).
-2. Select **Users** from the account navigation dropdown.
+2. Select Users from the account navigation dropdown.
 3. Click the checkboxes corresponding to the roles you want to add or remove.
 
-<Aside data-type='note'>
-Follow [this process](https://faqs.ably.com/can-i-change-my-ably-account-owner) to transfer account ownership.
+## Transfer account ownership <a id="transfer"/>
+
+To transfer account ownership to another user:
+
+1. Prepare the new owner:
+   * Ensure the new account owner is already an [admin user](#invite) on your account
+   * If 2FA is [enforced](/docs/platform/account/2fa#enforce) on your account, the new owner must have [2FA enabled](/docs/platform/account/2fa#enable) on their profile
+
+2. Request the transfer:
+   * The current account owner must email [support@ably.com](mailto:support@ably.com) requesting to change account ownership to an existing admin user
+   * Include the email address of the new account owner in your request
+
+3. Confirm the transfer:
+   * You will receive a confirmation email from support@ably.com
+   * Reply to confirm your intention to transfer ownership
+   * This confirmation step ensures the request is legitimate
+
+4. Complete the transfer:
+   * Ably support will transfer ownership and notify all parties of the change
+
+<Aside data-type='important'>
+Only the current account owner can initiate this process. The new owner must already be an admin user on the account before the transfer can be completed.
 </Aside>
 
 ## Invite a new user <a id="invite"/>
@@ -57,13 +99,13 @@ Follow [this process](https://faqs.ably.com/can-i-change-my-ably-account-owner)
 The following steps invite a new user to your account. You must be an account owner or admin to invite new users:
 
 1. Log in to your [account](https://ably.com/accounts/any).
-2. Select **Users** from the account navigation dropdown.
-3. Click **Invite new user**.
-4. Enter the user's first name and email address, then click **Invite**.
+2. Select Users from the account navigation dropdown.
+3. Click Invite new user.
+4. Enter the user's first name and email address, then click Invite.
 5. The user can then follow the instructions emailed to them to join your account.
 
 <Aside data-type='note'>
-You can view the status of pending invitations from the **Users** page. You can also re-send or revoke an invitation.
+You can view the status of pending invitations from the Users page. You can also re-send or revoke an invitation.
 </Aside>
 
 ## Remove users from an account <a id="remove"/>
@@ -71,8 +113,8 @@ You can view the status of pending invitations from the **Users** page. You can
 The following steps remove a user from your account. You must be an account owner or admin to remove users:
 
 1. Log in to your [account](https://ably.com/accounts/any).
-2. Select **Users** from the account navigation dropdown.
-3. Click the **Remove** button next to the user to remove from the account.
+2. Select Users from the account navigation dropdown.
+3. Click the Remove button next to the user to remove from the account.
 4. Confirm the action when prompted.
 
 ## Delete your profile or leave an account <a id="leave"/>
@@ -82,11 +124,11 @@ The following steps delete your profile or remove yourself from an Ably account:
 1. Log in to your [account](https://ably.com/accounts/any).
 2. Go to [My Settings](https://ably.com/users/edit).
 3. [Disconnect SSO provider](#sso) if you use SSO to log in.
-4. Scroll to **Want to delete your profile?**
-5. Click **Start** to remove yourself from this account.
+4. Scroll to Want to delete your profile?
+5. Click Start to remove yourself from this account.
 
 <Aside data-type='important'>
-**Account owners:** Deleting your profile will delete the entire account and all data. You must first [transfer ownership](https://faqs.ably.com/can-i-change-my-ably-account-owner) to another user before deleting your profile.
+Account owners: Deleting your profile will delete the entire account and all data. You must first [transfer ownership](#transfer) to another user before deleting your profile.
 </Aside>
 
 ## Close your account <a id="close"/>
@@ -104,24 +146,24 @@ You will not be able to delete your account until the 1st of the month following
 
 5. [Disconnect SSO provider](#sso) if you use SSO to log in.
 6. Go to your [My Settings](https://ably.com/users/edit) page.
-7. Scroll to **Want to delete your profile?**
+7. Scroll to Want to delete your profile?
 
 <Aside data-type='note'>
-If you are using an SSO login you'll see a **Contact us** link instead of a **Start** button. You'll need to [disconnect your SSO provider](#sso) first.
+If you are using an SSO login you'll see a Contact us link instead of a Start button. You'll need to [disconnect your SSO provider](#sso) first.
 </Aside>
 
-8. Click **Start** to proceed with permanently closing your account.
-9. On the proceeding **Close Your Ably Account** page, review the accounts for closure.
-10. Click **Close Account** to permanently deactivate your account.
+8. Click Start to proceed with permanently closing your account.
+9. On the proceeding Close Your Ably Account page, review the accounts for closure.
+10. Click Close Account to permanently deactivate your account.
 
 ### Disconnect SSO provider <a id="sso"/>
 
 If you use SSO (Single Sign-On) to log in to your Ably account, you must first set a password and disconnect your SSO provider before closing your account. The self-service account closure process requires a password to authenticate the closure request. The following steps set a password and disconnect your SSO provider:
 
 1. Log in to your [account](https://ably.com/accounts/any) using your current SSO method (Google or GitHub).
-2. Navigate to **Account** then [My Settings.](https://ably.com/users/edit)
-3. In the **Password** section, click **Change your password**.
-4. Click **Update my personal settings** to save the changes.
-5. Scroll to the **Login provider** section.
-6. Click **remove connection** next to the SSO provider/s you want to disconnect.
+2. Navigate to Account then [My Settings.](https://ably.com/users/edit)
+3. In the Password section, click Change your password.
+4. Click Update my personal settings to save the changes.
+5. Scroll to the Login provider section.
+6. Click remove connection next to the SSO provider/s you want to disconnect.
 7. After completing these steps, return to the instructions above to [close your account](#close).
diff --git a/src/pages/docs/platform/architecture/edge-network.mdx b/src/pages/docs/platform/architecture/edge-network.mdx
index 7133213aec..6eb3d5567c 100644
--- a/src/pages/docs/platform/architecture/edge-network.mdx
+++ b/src/pages/docs/platform/architecture/edge-network.mdx
@@ -142,3 +142,73 @@ The health monitoring system also feeds into the automated traffic routing syste
 All Ably infrastructure scales on demand so as to be able to handle the ambient traffic level. The infrastructure is typically provisioned with significant headroom above current demand, ensuring that sudden increases in traffic can be accommodated without impacting service quality. Additionally, the auto-scaling capabilities of the cloud infrastructure allow for dynamic adjustments to capacity based on realtime demand.
 
 For planned high-traffic events with anticipated usage spikes, additional capacity can be provisioned in advance to ensure that all traffic can be handled seamlessly. The operations team works with customers to understand their traffic expectations and ensure that all relevant infrastructure components are provisioned for significant events.
+
+## Firewall and network configuration <a id="firewall"/>
+
+If you need to configure firewalls or network security devices to allow connections to Ably, the following information will help you set up the necessary rules.
+
+### Ports
+
+Ably's client libraries use the following ports:
+
+* **Port 443** - HTTPS traffic over TLS (primary for all WebSocket and HTTP connections)
+* **Port 80** - HTTP traffic (only when TLS is explicitly disabled, not recommended)
+
+**Protocol adapters and integrations use additional ports:**
+
+* **Port 5671** - Ably queues over AMQP (TLS only)  
+* **Port 61614** - Ably queues over STOMP (TLS only)
+* **Port 8883** - MQTT adapter over TLS
+* **Port 1883** - MQTT adapter unencrypted (not recommended)
+
+<Aside data-type='warning'>
+Using unencrypted connections (ports 80 and 1883) is not recommended and is disabled by default in all client libraries for security reasons.
+</Aside>
+
+### Domains and endpoints
+
+**Core Ably endpoints:**
+
+* `rest.ably.io` - REST API requests
+* `realtime.ably.io` - Realtime WebSocket connections  
+* `a.ably-realtime.com` through `e.ably-realtime.com` - Fallback hosts for reliability
+
+**Additional connectivity endpoints:**
+
+* `internet-up.ably-realtime.com` - General connectivity checks
+* `ws-up.ably-realtime.com` - WebSocket connectivity checks (ably-js v2)
+
+**Protocol adapter endpoints:**
+
+* `mqtt.ably.io` - MQTT adapter
+* `pubnub-rest.ably.io` - PubNub adapter  
+* `pusher-rest.ably.io` and `pusher-realtime.ably.io` - Pusher adapter
+* `us-east-1-a-queue.ably.io` - Ably Queues (US East 1)
+* `eu-west-1-a-queue.ably.io` - Ably Queues (EU West 1)
+
+### DNS CNAME records
+
+Ably's default endpoints use DNS CNAME records with the following targets:
+
+* `rest.ably.io` and `realtime.ably.io` → `main.realtime.ably.net`
+* `a.ably-realtime.com` → `main.a.fallback.ably-realtime.com`  
+* `b.ably-realtime.com` → `main.b.fallback.ably-realtime.com`
+* `c.ably-realtime.com` → `main.c.fallback.ably-realtime.com`
+* `d.ably-realtime.com` → `main.d.fallback.ably-realtime.com`
+* `e.ably-realtime.com` → `main.e.fallback.ably-realtime.com`
+
+<Aside data-type='note'>
+Future SDK releases may directly reference the CNAME target values. Consider adding both the endpoint domains and their CNAME targets to your allow lists for forward compatibility.
+</Aside>
+
+### IP addresses
+
+<Aside data-type='important'>
+Ably cannot provide static IP addresses for the cloud-based service as the infrastructure is elastic and IP addresses are reassigned dynamically as part of normal operations. You must use domain-based allowlisting rather than IP-based rules.
+</Aside>
+
+### Enterprise customers
+
+<Aside data-type='note'>
+Enterprise customers with custom configurations may have different endpoint domains. Contact [Ably support](https://ably.com/support) to confirm the specific domains for your account configuration.
+</Aside>
diff --git a/src/pages/docs/platform/errors/codes.mdx b/src/pages/docs/platform/errors/codes.mdx
index d820806a99..547066defc 100644
--- a/src/pages/docs/platform/errors/codes.mdx
+++ b/src/pages/docs/platform/errors/codes.mdx
@@ -53,7 +53,7 @@ This error occurs when [revocation](/docs/auth/revocation#revocable-tokens) is e
 ## 40005: Invalid credentials <a id="40005"/>
 
 This error occurs when the [API key](/docs/auth#api-keys) or [token](/docs/auth/token) used to initialize the library is invalid.
-**Resolution:** The following steps can help resolve this issue:
+Resolution: The following steps can help resolve this issue:
 
 * API key initialization:
 ** Ensure you are the account's **admin** or **owner**.
@@ -98,7 +98,7 @@ This error occurs when the SDK is unable to encode the [message payload](/docs/m
 
 An example of this error is when a client attempts to publish a payload that includes something that isn't serializable by an Ably SDK.
 
-**Resolution:** Try marshalling the payload as JSON or MsgPack before publishing.
+Resolution: Try marshalling the payload as JSON or MsgPack before publishing.
 
 ## 40015: Invalid deviceId <a id="40015"/>
 
@@ -141,7 +141,7 @@ This error occurs when the requested resource is invalid or already exists. It i
 
 Examples of this error include attempting to create a resource that already exists or providing an invalid resource name.
 
-**Resolution:** The following steps can help resolve this issue:
+Resolution: The following steps can help resolve this issue:
 * Ensure that an app with the requested name does not already exist in your account. If it does, use a different name.
 * Verify that the [capabilities](/docs/auth/capabilities#capability-operations) listed in the request are valid when creating an API key.
 
@@ -151,7 +151,7 @@ This error occurs when the requested operation is only available in a newer vers
 
 Examples of this error include attempting to use [channel objects](/docs/liveobjects) or message annotations, updates and deletes from an Ably SDK that does not support protocol version 2.
 
-**Resolution:** The following steps can help resolve this issue:
+Resolution: The following steps can help resolve this issue:
 * Upgrade the Ably SDK to a version that supports the requested operation.
 
 ## 40030: Invalid publish request (unspecified) <a id="40030"/>
@@ -162,7 +162,7 @@ This error occurs when a [publish request](/docs/pub-sub#publish) is malformed.
 
 This error occurs when a published message contains arbitrary fields in the [`extras`](/docs/api/realtime-sdk/messages#extras) payload that are not allowed by the Ably service. The `extras` field is reserved for specific objects related to Ably.
 
-**Resolution:** Place any additional data inside the `headers` field within `extras`. The `headers` field must be a flat object (`map<string, string>` or equivalent) with no nested structures. If using unenveloped Reactor rules, ensure that header names are in `ASCII`, as they will be converted into HTTP, AMQP, or other protocol headers.
+Resolution: Place any additional data inside the `headers` field within `extras`. The `headers` field must be a flat object (`map<string, string>` or equivalent) with no nested structures. If using unenveloped Reactor rules, ensure that header names are in `ASCII`, as they will be converted into HTTP, AMQP, or other protocol headers.
 
 The following example is a valid `extras` object:
 
@@ -187,7 +187,7 @@ This error occurs when [authentication](/docs/auth) credentials are invalid. The
 
 An example of this error is when a signed token request is invalid due to a mismatched cryptographic signature (MAC does not match) or when the `clientId` specified in the Ably SDK does not match the `clientId` in the access token.
 
-**Resolution:** Review your authentication setup and token request implementation. Ensure the following:
+Resolution: Review your authentication setup and token request implementation. Ensure the following:
 
 * The cryptographic signature (MAC) is correct - If a signed token request is invalid, Ably will reject it.
 * The API key used to generate the token request is accurate - Double-check for missing or extra characters.
@@ -219,13 +219,13 @@ This error occurs when an API key is used over a non-TLS (unencrypted) connectio
 
 Non-TLS transports can be inspected by network devices routing traffic between the client and Ably. Ably does not allow API key authentication over non-TLS connections. However, Ably supports [basic authentication](/docs/auth/basic) over TLS and [token authentication](/docs/auth/token) over non-TLS connections.
 
-**Resolution:** Select the appropriate [authentication mechanism](/docs/auth#selecting-auth) for your use case.
+Resolution: Select the appropriate [authentication mechanism](/docs/auth#selecting-auth) for your use case.
 
 ## 40104: Timestamp not current <a id="40104"/>
 
 This error occurs when a signed token request sent to Ably is too old. Ably enforces timestamp validation to ensure [`TokenRequest`](/docs/auth/token#token-request) remain valid for a limited time, reducing the risk of interception and misuse.
 
-**Resolutions:** The following steps can help resolve this issue:
+Resolutions: The following steps can help resolve this issue:
 * Ensure that the authentication servers clock is accurate when generating signed token requests.
 * If time synchronization is unreliable, set the `queryTime` [ClientOptions](/docs/api/rest-sdk/types#client-options) object to true when initializing the Ably client. This ensures Ably's server time is used.
 * Do not cache signed token requests on the authentication server or client. Each token request must be freshly generated and used immediately.
@@ -254,7 +254,7 @@ var ably = new Ably.Realtime({
 ```
 </Code>
 
-**Resolution:** The following steps can help resolve this issue:
+Resolution: The following steps can help resolve this issue:
 * Ensure that each token request is unique and never cached by the authentication server or client.
 * Always generate a new token request each time authCallback is invoked.
 * If retrieving a token request over HTTP, prevent caching by using the Cache-Control header (no-cache, no-store, must-revalidate) or by adding a cache-busting query string parameter, where the number is regenerated for every request, for example, `?rnd=73849275`.
@@ -280,7 +280,7 @@ This error occurs when your account has exceeded the concurrent [channel limit](
 
 Examples of this error are when the application attempts to open more channels than the account allows, causing new channel creation to be blocked. Also, during development, an implementation error or bug causes unintended channel creation, leading to the limit being reached.
 
-**Resolution:** Detach unused channels to free up space for new ones.
+Resolution: Detach unused channels to free up space for new ones.
 
 ## 40115: Account restricted (request limit exceeded) <a id="40115"/>
 
@@ -298,7 +298,7 @@ This error occurs when the application has reached the maximum number of [API ke
 
 This error occurs when the [Ably API key](/docs/auth#api-keys) used to initialize the SDK is no longer valid because it has been [revoked](/docs/auth/revocation) by an admin of the application.
 
-**Resolution:** The following steps can help resolve this issue:
+Resolution: The following steps can help resolve this issue:
 * If you are an admin, go to the [API keys tab](/docs/platform/account/app/api) in the Ably dashboard to check for valid keys. Use an existing valid key or create a new one with the necessary permissions.
 * If you are not an admin, request a new API key from an administrator or obtain a token request generated with a valid key.
 
@@ -306,7 +306,7 @@ This error occurs when the [Ably API key](/docs/auth#api-keys) used to initializ
 
 This error occurs when the [Ably API key](/docs/auth#api-keys) used to authorize a token [revocation](/docs/auth/revocation) request does not match the key that originally issued the token.
 
-**Resolution:** The following steps can help resolve this issue:
+Resolution: The following steps can help resolve this issue:
 * Ensure that the public API key ID used in the request matches the key that originally issued the token.
 * Verify that the `keyname` in the request path corresponds with the API key used for authentication.
 
@@ -314,7 +314,7 @@ This error occurs when the [Ably API key](/docs/auth#api-keys) used to authorize
 
 This error occurs when attempting to authenticate with a [token](/docs/auth/token) that has been [revoked](/docs/auth/revocation) and is no longer valid.
 
-**Resolution:** Ensure that you are using a valid, [non-revoked](/docs/auth/revocation). token for authentication. If needed, generate a new token and use it for authorization.
+Resolution: Ensure that you are using a valid, [non-revoked](/docs/auth/revocation). token for authentication. If needed, generate a new token and use it for authorization.
 
 ## 40142: Token expired <a id="40142"/>
 
@@ -322,7 +322,7 @@ This error occurs when the authentication [token](/docs/auth/token#refresh) has
 
 An example of this error is when a client attempts to authenticate with a token that has exceeded its time-to-live (TTL).
 
-**Resolution:** The following steps can help resolve this issue:
+Resolution: The following steps can help resolve this issue:
 * Use [`authUrl`](/docs/auth/token#auth-url) or [`authCallback`](/docs/auth/token#auth-callback) in your client configuration to enable automatic token renewal.
 * If `authUrl` or `authCallback` is correctly configured, the client SDK will automatically renew the token when needed, so you may see this error temporarily before renewal occurs.
 
@@ -332,7 +332,7 @@ This error occurs when the provided token is not recognized as a valid Ably [tok
 
 An example of this error is when a JWT is incorrectly formatted or when an Ably token does not follow the expected structure, for example: `<appId>.<randomBytes>`. Any token that does not adhere to the correct format will not be recognized.
 
-**Resolution:** Validate the token format before using it for authentication. If creating a [JWT](/docs/auth/token#jwt), use a standard JWT library to ensure correct generation. If using an Ably token, verify that it matches the expected format as returned from the [`requestToken`](/docs/api/token-request-spec#examples) endpoint.
+Resolution: Validate the token format before using it for authentication. If creating a [JWT](/docs/auth/token#jwt), use a standard JWT library to ensure correct generation. If using an Ably token, verify that it matches the expected format as returned from the [`requestToken`](/docs/api/token-request-spec#examples) endpoint.
 
 ## 40144: Unexpected error decoding JWT; decode exception <a id="40144"/>
 
@@ -353,7 +353,7 @@ This error occurs when the client does not have permission to perform the reques
 
 An example of this error is when a token request includes an empty [capability object](/docs/auth/capabilities#capabilities-token), for example: `({})`, meaning the client has no assigned permissions, or when the requested [resource](/docs/auth/capabilities#wildcards) does not match the API key's allowed capabilities.
 
-**Resolution:** Ensure the [API key](/docs/auth#api-keys) supports the required [capabilities](/docs/auth/capabilities#capabilities-key) for the requested action.
+Resolution: Ensure the [API key](/docs/auth#api-keys) supports the required [capabilities](/docs/auth/capabilities#capabilities-key) for the requested action.
 
 ## 40161: Access denied to channel: namespace requires identified clients <a id="40161"/>
 
@@ -365,7 +365,7 @@ This error occurs when an authentication attempt using [`authUrl`](/docs/auth/to
 
 Examples of this error include when a `TokenRequest` callback times out after the default 10-second limit. Also, when he `authUrl` response is missing a Content-Type header has an unsupported Content-Type.
 
-**Resolution:** The following steps can help resolve this issue:
+Resolution: The following steps can help resolve this issue:
 * Check for network latency between the client and the authentication server.
 * Ensure the authentication server returns a valid Content-Type header and one of the supported content types:
 ** `application/json`
@@ -379,7 +379,7 @@ This error occurs when no [`authUrl`](/docs/auth/token#auth-url) or [`authCallba
 
 Tokens have a set expiration time, and once expired, they are no longer valid for communication with Ably. If `authUrl` or `authCallback` is configured, the SDK will automatically request a new token before expiration, ensuring uninterrupted operation.
 
-**Resolution:** Ensure that `authUrl` or `authCallback` is set in your client configuration. This allows the SDK to automatically request a new token before the current one expires.
+Resolution: Ensure that `authUrl` or `authCallback` is set in your client configuration. This allows the SDK to automatically request a new token before the current one expires.
 
 ## 40300: Forbidden <a id="40300"/>
 
@@ -394,7 +394,7 @@ The following are example for this error:
 
 By default, Ably apps require [TLS](/docs/platform/account/app/settings#channel-rule-configuration) for connections. This error occurs when a realtime SDK attempts to connect with TLS disabled (tls: false) while using token authentication.
 
-**Resolution:** The following steps can help resolve this issue:
+Resolution: The following steps can help resolve this issue:
 * Ensure that the `tls` [`ClientOption`](/docs/api/realtime-sdk?#client-options) is set to true when connecting.
 * If using [API key](/docs/platform/account/app/api#create) authentication, note that this scenario will result in a [`40103`](#40103) error instead.
 
@@ -404,7 +404,7 @@ This error occurs when an app belonging to a dedicated (private) [cluster](/docs
 
 An example of this error is when an app configured for a private cluster tries to connect via the default global endpoint.
 
-**Resolution:** Check your custom environment settings for all connecting clients to ensure they point to the correct private cluster endpoints.
+Resolution: Check your custom environment settings for all connecting clients to ensure they point to the correct private cluster endpoints.
 
 ## 40331: Unable to activate account due to placement constraint (incompatible environment) <a id="40331"/>
 
@@ -414,7 +414,7 @@ If a request arrives at an unexpected dedicated cluster or incorrect region, the
 
 An example of this error is when a client intended for a dedicated environment, such as acme, connects to the default global endpoint (`realtime.ably.io`) instead of the correct dedicated cluster endpoint (`acme-realtime.ably.io`). If the expected environment is not configured, requests may be rejected.
 
-**Resolution:** Verify that all connecting clients are configured with the correct custom environment settings to ensure they are pointing to the intended dedicated cluster.
+Resolution: Verify that all connecting clients are configured with the correct custom environment settings to ensure they are pointing to the intended dedicated cluster.
 
 ## 40332: Unable to activate account due to placement constraint (incompatible site) <a id="40332"/>
 
@@ -422,7 +422,7 @@ This error occurs when attempting to connect to an app for an account restricted
 
 An example of this error is when a client attempts to connect to an Ably app restricted to the EU region but does not specify the EU environment in the SDK configuration.
 
-**Resolution:** The following steps can help resolve this issue:
+Resolution: The following steps can help resolve this issue:
 * Ensure you are configured with the correct environment for your [region-restricted](https://faqs.ably.com/do-you-have-an-option-to-keep-my-data-in-europe-or-the-united-states) account.
 * If your account has a regional constraint, you should have been provided with a [custom](/docs/platform/account/enterprise-customization#setting-up-a-custom-environment) environment to pass to the [`ClientOptions`](/docs/getting-started/setup#options).
 * Verify that your connection settings match the region assigned to your account.
@@ -449,6 +449,12 @@ This error occurs when a [limit](/docs/platform/pricing/limits) on your account
 
 An example of this error is when a client exceeds the maximum allowed message rate on a channel.
 
+Resolution: To avoid hitting the channel message rate limit, you can:
+
+* Distribute your message load across several channels instead of publishing all messages to a single channel. This allows you to stay within the per-channel limit while maintaining higher overall throughput.
+* Configure [server-side batching](/docs/messages/batch#server-side) to group multiple messages into single batches, which reduces the effective message rate and can help avoid rate limits while also reducing costs.
+* Contact [sales@ably.com](mailto:sales@ably.com) if you need a higher per-channel rate limit than the standard 50 messages per second.
+
 In the following example, the metric `channel.maxRate` represents the maximum rate of messages allowed to be published on a channel per second. The permitted rate is 5000 messages per second, but the client is attempting to publish 5015 messages per second, triggering the limit.
 
 <Code>
@@ -463,7 +469,7 @@ scope = channel:[YOUR APP ID]:[YOUR CHANNEL]
 ```
 </Code>
 
-**Resolution:** Wait for the rate limit period to reset before retrying. Optimize your message publishing to stay within allowed limits. Upgrade your package if higher throughput is required. Review your account limits to determine which restriction has been hit.
+Resolution: Wait for the rate limit period to reset before retrying. Optimize your message publishing to stay within allowed limits. Upgrade your package if higher throughput is required. Review your account limits to determine which restriction has been hit.
 
 ## 42911: Maximum account-wide instantaneous messages rate exceeded <a id="42911"/>
 
@@ -473,7 +479,7 @@ This error occurs when the number of [messages](/docs/platform/pricing/limits#me
 
 This error occurs when multiple concurrent [metadata REST requests](/docs/metadata-stats/metadata#rest) are made to retrieve a list of active channels. The API is rate-limited, allowing only one in-flight call at a time. Additional concurrent requests will be rejected with this error.
 
-**Resolution:** The following steps can help resolve this issue:
+Resolution: The following steps can help resolve this issue:
 * Ensure that only one request is in progress at any given time.
 * Implement request queuing or backoff strategies to avoid sending concurrent calls.
 * If you require enhanced channel [enumeration capabilities](/docs/api/rest-api#enumeration-rest), visit this page to request access to the preview API.
@@ -511,7 +517,7 @@ This error occurs as a result of a request not being handled due to an internal
 
 This error occurs when you previously [activated](/docs/push/configure/device#activate-devices) a device for push notifications with a specific `clientId`, but then changed the `clientId` used for authentication. The mismatch causes the error because the push notification setup tracks the `clientId` and other details to prevent accidental changes between app launches. The `clientId` is linked to registrations, such as subscribing by `clientId`.
 
-**Resolution:** If you need to change your client's `clientId`, deactivate and reactivate the device. This process triggers an internal `device.reset()` call, which clears and resets the old device details.
+Resolution: If you need to change your client's `clientId`, deactivate and reactivate the device. This process triggers an internal `device.reset()` call, which clears and resets the old device details.
 
 ## 70001: Reactor operation failed (POST operation failed) <a id="70001"/>
 
@@ -531,7 +537,7 @@ This error occurs when the rule worker is unable to access or retrieve data from
 
 An example of this error is misconfigurations in the database setup or inconsistencies between the provided configuration and the actual database schema or table names.
 
-**Resolution:** The following steps can help resolve this issue:
+Resolution: The following steps can help resolve this issue:
 * Verify the configuration of the outbox and nodes tables in the database to ensure they are correctly set up and match the rule definition.
 * Check for database connectivity issues and confirm that the database is accessible.
 * Ensure that the schema and table names align with the expected configuration.
@@ -540,7 +546,7 @@ An example of this error is misconfigurations in the database setup or inconsist
 
 This error occurs when a [MongoDB Change Stream](https://www.mongodb.com/docs/manual/changeStreams/#change-streams) event does not contain the required `_ablyChannel` field after being processed through the Change Stream pipeline. This field is essential for identifying the channel where the change event message will be published.
 
-**Resolution:** The following steps can help resolve this issue:
+Resolution: The following steps can help resolve this issue:
 * Ensure that the `_ablyChannel` field is present at the root level of the change event.
 * Avoid nesting it inside other sections, such as `$fullDocument._ablyChannel`.
 * The field must be part of the main structure of the change event to allow proper identification.
@@ -549,7 +555,7 @@ This error occurs when a [MongoDB Change Stream](https://www.mongodb.com/docs/ma
 
 This error occurs when the [MongoDB Change Stream](https://www.mongodb.com/docs/manual/changeStreams/#change-streams) fails to start due to an invalid pipeline. An example of this error is when the pipeline syntax does not conform to MongoDB's requirements or contains unrecognized operators.
 
-**Resolution:** The following steps can help resolve this issue:
+Resolution: The following steps can help resolve this issue:
 * Review the pipeline syntax for errors and ensure all operators are valid.
 * Adjust the pipeline to match MongoDB's accepted structure and syntax guidelines.
 
@@ -557,7 +563,7 @@ This error occurs when the [MongoDB Change Stream](https://www.mongodb.com/docs/
 
 This error occurs when the [MongoDB Change Stream](https://www.mongodb.com/docs/manual/changeStreams/#change-streams) cannot be resumed because the resume token document stored in MongoDB is not in the correct format.
 
-**Resolution:** The following steps can help resolve this issue:
+Resolution: The following steps can help resolve this issue:
 * Verify the format of the stored resume token document in MongoDB.
 * Ensure the token meets the expected structure and format required for MongoDB Change Stream resumption.
 * Refer to the MongoDB documentation for guidelines on properly storing and using resume tokens.
@@ -566,7 +572,7 @@ This error occurs when the [MongoDB Change Stream](https://www.mongodb.com/docs/
 
 This error occurs when the [MongoDB Change Stream](https://www.mongodb.com/docs/manual/changeStreams/#change-streams) resume token cannot be stored in the `ably` collection of the database.
 
-**Resolution:** The following steps can help resolve this issue:
+Resolution: The following steps can help resolve this issue:
 * Verify that the integration rule and MongoDB connection string are correctly configured.
 * Ensure the database user has the necessary read and write permissions for the `ably` collection.
 * Adjust permissions if needed to allow the token to be successfully stored.
@@ -589,7 +595,7 @@ This error occurs when a [connection](/docs/connect/states#connection-states) re
 
 If this error occurs, the client establishes a new connection instead of resuming the old one. Any messages sent during the gap will be missed, unless channel persistence is enabled.
 
-**Resolution:** Ensure that resume attempts occur within the two-minute window to successfully recover a connection. If message loss is a concern, use [history](/docs/api/realtime-sdk/history) to retrieve missed messages.
+Resolution: Ensure that resume attempts occur within the two-minute window to successfully recover a connection. If message loss is a concern, use [history](/docs/api/realtime-sdk/history) to retrieve missed messages.
 
 ## 80014: Connection timed out <a id="80014"/>
 
@@ -597,13 +603,13 @@ This error occurs when a realtime [connection](/docs/connect/states#connection-s
 
 The request will be automatically retried by the SDK.
 
-**Resolution:** If the client never connects to the [primary or fallback endpoints](https://faqs.ably.com/routing-around-network-and-dns-issues), check any firewall rules that may be blocking access to Ably's [endpoints](https://faqs.ably.com/if-i-need-to-whitelist-ablys-servers-from-a-firewall-which-ports-ips-and/or-domains-should-i-add).
+Resolution: If the client never connects to the [primary or fallback endpoints](https://faqs.ably.com/routing-around-network-and-dns-issues), check any firewall rules that may be blocking access to Ably's [endpoints](https://faqs.ably.com/if-i-need-to-whitelist-ablys-servers-from-a-firewall-which-ports-ips-and/or-domains-should-i-add).
 
 ## 80016: Operation on superseded connection <a id="80016"/>
 
 This error occurs when a browser [connection](/docs/connect/states#connection-states) upgrades from an HTTP (Comet) transport to WebSockets. It is logged by the client library when operations are performed on the older transport.
 
-**Resolution:** the following steps can help resolve this issue:
+Resolution: the following steps can help resolve this issue:
 * If this error only appears in logs, it is harmless and does not affect your application. No action is needed.
 * If you receive this error as a response to a request, contact Ably support with relevant logs and details, and they will investigate the issue.
 
@@ -611,7 +617,7 @@ This error occurs when a browser [connection](/docs/connect/states#connection-st
 
 This error occurs when a [connection](/docs/connect/states#connection-states) has been closed and an operation is attempted on it, such as calling a channel or presence method, for example, `channel.presence.update` while the connection is still in a closed state.
 
-**Resolution:** The following steps can help resolve this issue:
+Resolution: The following steps can help resolve this issue:
 * Check the client's connection state before performing operations to ensure the connection is active.
 * If the connection is closed, reconnect before making requests to avoid this error.
 
@@ -619,7 +625,7 @@ This error occurs when a [connection](/docs/connect/states#connection-states) ha
 
 This error occurs when an invalid `connectionId` is supplied.
 
-**Resolution:** If you are seeing resumes failing in ably-js, this was a known bug in ably-js versions 1.2.30 through 1.2.33. Upgrading to the latest version of ably-js should resolve the issue.
+Resolution: If you are seeing resumes failing in ably-js, this was a known bug in ably-js versions 1.2.30 through 1.2.33. Upgrading to the latest version of ably-js should resolve the issue.
 
 ## 80019: Auth server rejecting request <a id="80019"/>
 
@@ -629,7 +635,7 @@ This error occurs when the client library fails to obtain a token using the clie
 
 This error occurs when a client exceeds the [outbound](/docs/platform/pricing/limits#connection) subscribe message rate on a realtime connection.
 
-**Resolution:** The subscriber will receive an `UPDATE` [channel state change](/docs/api/realtime-sdk/channels#channel-state-change) event, indicating that continuity is lost. Use the [`resume`](/docs/connect/states#resume) flag to determine whether to recover missing messages or handle the failure accordingly.
+Resolution: The subscriber will receive an `UPDATE` [channel state change](/docs/api/realtime-sdk/channels#channel-state-change) event, indicating that continuity is lost. Use the [`resume`](/docs/connect/states#resume) flag to determine whether to recover missing messages or handle the failure accordingly.
 
 ## 80021: Max new connections rate exceeded <a id="80021"/>
 
@@ -639,13 +645,13 @@ This error occurs when the maximum allowed rate of new connections for an accoun
 
 This error can occur when using the Comet transport, where a `send` or `recv` request is sent to the system but reaches a different frontend instance than the one hosting the connection. This can happen due to a disruption on a frontend instance.
 
-**Resolution:** This is a non-fatal error, and no action is required. The transport will automatically drop and be re-initiated without any need for manual intervention.
+Resolution: This is a non-fatal error, and no action is required. The transport will automatically drop and be re-initiated without any need for manual intervention.
 
 ## 80023: Unable to resume connection from a different site <a id="80023"/>
 
 This error occurs when a disconnected client attempts to resume a [connection](/docs/connect) from a different site than the original connection. This typically happens when a client tries to [`resume`](/docs/connect/states#resume) via a fallback host.
 
-**Resolution:** Channel message continuity will not be possible in this scenario. Any messages sent while the client was disconnected will need to be retrieved using [history](/docs/storage-history/history).
+Resolution: Channel message continuity will not be possible in this scenario. Any messages sent while the client was disconnected will need to be retrieved using [history](/docs/storage-history/history).
 
 ## 90001: Channel operation failed (invalid channel state) <a id="90001"/>
 
@@ -653,7 +659,7 @@ This error occurs when an application attempts to perform an operation on a chan
 
 An example of this error is when an application tries to [publish](/docs/pub-sub#publish) a message or attach to a channel that is in a failed state due to a prior error. As a result, the operation fails because actions cannot be performed on a channel in this state.
 
-**Resolution:** The following steps can help resolve this issue:
+Resolution: The following steps can help resolve this issue:
 * Ensure the channel is in an appropriate state before performing any operations.
 * Use an Ably SDK to listen for channel state changes and handle operations accordingly.
 * Implement state change callbacks to trigger the intended operation when the channel is in a valid [state](/docs/channels/states).
@@ -668,13 +674,13 @@ This error occurs when a channel fails to [attach](/docs/channels/states#attach)
 
 Note: In older versions of the ably-java SDK, this error was incorrectly assigned to error code `91200`.
 
-**Resolution:** Adjust the `realtimeRequestTimeout` or `channelRetryTimeout` (depending on the SDK) to a higher value to allow more time for the attachment process.
+Resolution: Adjust the `realtimeRequestTimeout` or `channelRetryTimeout` (depending on the SDK) to a higher value to allow more time for the attachment process.
 
 ## 90010: Maximum number of channels per connection exceeded <a id="90010"/>
 
 This error occurs when a Realtime client [attaches](/docs/channels/states#attach) to more channels than the account allows on a single connection. This happens when channels are attached but never explicitly detached, causing the limit to be reached.
 
-**Resolution:** Review your channel [limits](/docs/platform/pricing/limits#channel) and ensure that channels are explicitly detached when no longer needed.
+Resolution: Review your channel [limits](/docs/platform/pricing/limits#channel) and ensure that channels are explicitly detached when no longer needed.
 
 ## 90021: Max channel creation rate exceeded <a id="90021"/>
 
@@ -697,7 +703,7 @@ This error occurs when the [maximum](/docs/platform/pricing/limits#hitting) numb
 
 This is a client-side issue that occurs when an up-to-date [presence](/docs/presence-occupancy/presence) set cannot be retrieved due to connection issues. It typically happens when calling `presence.get()` while the channel is in a suspended state, often caused by an interruption in the client's internet connection.
 
-**Resolution:** The following steps can help resolve this issue:
+Resolution: The following steps can help resolve this issue:
 * Ensure the client has an active connection before calling `presence.get()`.
 * If an outdated presence set is acceptable, set `waitForSync` to `false` to retrieve the presence data even when out of sync.
 
@@ -712,7 +718,7 @@ This error occurs when an object message used to represent [operations](/docs/li
 
 This error occurs when the maximum number of [objects](/docs/liveobjects) on the channel has exceeded the allowed [limit](/docs/platform/pricing/limits#channel) for the account or application.
 
-**Resolution:**
+Resolution:
 * Remove any unnecessary objects from the channel to free up space, for example by [removing](/docs/liveobjects/map#remove) any references to them.
 * [Upgrade](/docs/pricing) your package to increase the [limit](/docs/platform/pricing/limits#channel) on the allowed number of objects on the channel.
 
@@ -720,7 +726,7 @@ This error occurs when the maximum number of [objects](/docs/liveobjects) on the
 
 This error occurs when attempting to perform an [operation](/docs/liveobjects/concepts/operations) on a [tombstone](/docs/liveobjects/concepts/objects#tombstones) object (an object that has been marked as deleted).
 
-**Resolution:**
+Resolution:
 * Retry the operation on an object that is not a tombstone and is [reachable](/docs/liveobjects/concepts/objects#reachability) from the [root object](/docs/liveobjects/concepts/objects#root-object) .
 
 ## 92003: Unable to fetch object tree with tombstone object as root <a id="92003"/>
@@ -729,7 +735,7 @@ This error occurs when attempting to fetch an [object](/docs/liveobjects/concept
 
 You may encounter this error when [fetching objects](/docs/liveobjects/rest-api-usage#fetching-objects-get-children) via the REST API using the `children` query parameter, or if using the [compact](/docs/liveobjects/rest-api-usage#fetching-objects-compact) endpoint.
 
-**Resolution:**
+Resolution:
 * Retry the operation on an object that is not a tombstone and is [reachable](/docs/liveobjects/concepts/objects#reachability) from the [root object](/docs/liveobjects/concepts/objects#root-object) .
 
 ## 92004: Object not found <a id="92004"/>
@@ -738,7 +744,7 @@ This error occurs when attempting to access an [object](/docs/liveobjects/concep
 
 You may encounter this error when using the [REST API](/docs/liveobjects/rest-api-usage) or if calling methods on a [LiveMap](/docs/liveobjects/map) or [LiveCounter](/docs/liveobjects/map) instance that has been deleted.
 
-**Resolution:**
+Resolution:
 * Listen for [lifecycle events](/docs/liveobjects/lifecycle) on object instances to be notified when an object is deleted.
 * Retry the REST API request with a valid [object ID](/docs/liveobjects/rest-api-usage#updating-objects-by-id) or [path](/docs/liveobjects/rest-api-usage#updating-objects-by-path) that corresponds to an existing object.
 
@@ -746,14 +752,14 @@ You may encounter this error when using the [REST API](/docs/liveobjects/rest-ap
 
 This error occurs when no objects are found that match the specified [path](/docs/liveobjects/rest-api-usage#updating-objects-by-path) when using the REST API.
 
-**Resolution:**
+Resolution:
 * Ensure that the `path` is correctly specified and corresponds to an existing object.
 
 ## 92006: Unable to perform operation without objectId or path <a id="92006"/>
 
 This error occurs when attempting to perform an operation without providing either an [object ID](/docs/liveobjects/rest-api-usage#updating-objects-by-id) or [path](/docs/liveobjects/rest-api-usage#updating-objects-by-path) to identify the target object when using the REST API.
 
-**Resolution:**
+Resolution:
 * Ensure that the request includes either an `objectId` or a `path` parameter to specify the target object for the operation.
 
 ## 92007: Operation not processable on path <a id="92007"/>
@@ -762,14 +768,14 @@ This error occurs when the requested operation cannot be processed for the objec
 
 You may encounter this error when the type of the object located at the specified path does not support the specified operation (e.g. publishing a `COUNTER_INC` operation on a [LiveMap](/docs/liveobjects/map) instance).
 
-**Resolution:**
+Resolution:
 * Ensure that the operation is valid for the type of object at the specified path.
 
 ## 101000: Space name missing <a id="101000"/>
 
 This error occurs when calling [`spaces.get()`](/docs/spaces/space#options) without specifying a space name. The name parameter is required to retrieve a space.
 
-**Resolution:** Ensure that a valid space name is provided when calling `spaces.get()`:
+Resolution: Ensure that a valid space name is provided when calling `spaces.get()`:
 
 <Code>
 ```javascript
@@ -781,7 +787,7 @@ const space = await spaces.get('mySpaceName');
 
 This error occurs when calling a function that requires the client to be [entered](/docs/spaces/space#enter) into a space, but the client has not yet done so.
 
-**Resolution:** Ensure that `space.enter()` is called before performing operations that require the client to be inside the space:
+Resolution: Ensure that `space.enter()` is called before performing operations that require the client to be inside the space:
 
 <Code>
 ```javascript
diff --git a/src/pages/docs/platform/index.mdx b/src/pages/docs/platform/index.mdx
index dabedfdcad..73514638a8 100644
--- a/src/pages/docs/platform/index.mdx
+++ b/src/pages/docs/platform/index.mdx
@@ -24,9 +24,44 @@ Ably is engineered around the following four key principles to ensure the depend
 
 The Ably platform has fault-tolerant, highly-available, elastic global infrastructure for effortless scaling.
 
-It is built primarily on Amazon EC2 infrastructure. It runs in 7 physical data centers and utilizes 385 points of presence to ensure that there isn't a single point of failure, nor single point of congestion across the service. Ably is designed to route messages using the least amount of network hops to minimize latency and maximize performance for clients, regardless of their location.
+It is built primarily on Amazon's cloud infrastructure. Ably has servers distributed across more than 15 physical datacenters within the AWS network, with 700+ edge locations globally through AWS CloudFront, so that there isn't a single point of failure, nor single point of congestion across the service. Ably is designed to route messages using the least amount of network hops to minimize latency and maximize performance for clients, regardless of their location.
 
-Each data center scales independently to meet the load within that region. Load is dynamically assigned and reassigned across servers in realtime, and the service auto-heals and routes around network failures.
+Clients are automatically connected to the nearest datacenter to reduce latency, and each datacenter is physically isolated from the others, ensuring that a failure in one datacenter has no effect on any other datacenter.
+
+Each datacenter scales independently to meet the load within that region. Load is dynamically assigned and reassigned across servers in realtime, and the service auto-heals and routes around network failures.
+
+## Global network information <a id="network-info"/>
+
+For detailed information about Ably's global infrastructure:
+
+* View the [network map](https://ably.com/network) of Ably's datacenters and global points of presence.
+* Check the [status of datacenters](https://status.ably.io/) by region.
+* See [global round-trip latency statistics](https://ably.com/network/latency) measured externally by Uptrends.
+
+## Security <a id="security"/>
+
+Ably takes security seriously and has implemented comprehensive measures to protect the platform and user data. For detailed information about security measures, see the [edge network security documentation](/docs/platform/architecture/edge-network#protection-against-denial-of-service-attacks) and [encryption options](/docs/channels/options/encryption).
+
+### Reporting security vulnerabilities
+
+If you believe you have found a security or privacy vulnerability that could impact Ably or its users, report it immediately by following the [Vulnerability Disclosure Policy](https://ably.com/disclosure).
+
+#### How to report
+
+1. Submit detailed reports through the official disclosure process.
+2. Each report should explain one vulnerability with clear impact assessment.
+3. Include step-by-step reproduction instructions or proof of concept.
+4. Use responsible disclosure practices.
+
+#### Bug bounty program
+
+Ably operates a bug bounty program that rewards security researchers for legitimate vulnerability reports. Successful researchers are recognized on the [acknowledgements page](https://ably.com/acknowledgements).
+
+#### Legal protection
+
+Activities conducted in accordance with the vulnerability disclosure policy are considered authorized conduct. Ably will not initiate legal action against researchers operating in good faith within policy guidelines.
+
+For questions regarding coordinated disclosure, contact [security@ably.com](mailto:security@ably.com).
 
 ## Integrations <a id="integrations"/>
 
diff --git a/src/pages/docs/platform/pricing/limits.mdx b/src/pages/docs/platform/pricing/limits.mdx
index c8c59d8226..5093e7b866 100644
--- a/src/pages/docs/platform/pricing/limits.mdx
+++ b/src/pages/docs/platform/pricing/limits.mdx
@@ -78,6 +78,22 @@ Message limits relate to the number, rate and bandwidth of messages consumed acr
 
 Channel limits relate to the number, rate and membership of [channels](/docs/channels) on your account.
 
+### Why concurrent channel limits exist <a id="concurrent-limits"/>
+
+Unlike many other realtime platforms, Ably's architectural design ensures delivery of a high quality of service and continuity for clients across changing network conditions and datacenter conditions (such as scaling events, network disruption or hardware failures).
+
+In order to achieve 99.999% uptime, guaranteed message delivery, and reliable [message ordering](/docs/platform/architecture/message-ordering), Ably's system design can be considered "stateful". Every channel in the system is maintained by at least two nodes at any point in time, and in most cases many more nodes when clients connect through multiple datacenters. Ably ensures that a channel is active in each regional datacenter that has attached clients, for performance reasons and to avoid single point of failure design issues.
+
+This active management of each channel by nodes in the system allows Ably to:
+
+* Maintain [message ordering](/docs/platform/architecture/message-ordering) for each client publishing messages by using regional (datacenter) serial numbers, ensuring all messages arrive globally in the order they were published
+* Resume [connection state recovery](/docs/platform/architecture/connection-recovery) for clients that became disconnected by checking the serial numbers of the last received message by that client and retrieving all messages from RAM stored for that channel
+* Handle channel failure or intentional migration of channels between nodes without any loss of continuity
+
+The channel state that Ably maintains comes at a cost in terms of CPU and primarily RAM within the cluster. This is because every open channel is managed by at least two nodes and all messages published are stored in RAM on at least two nodes for a period of time. When clients connect to Ably using multiple datacenters and attach to shared channels, the number of server nodes managing these shared channels increases, with a corresponding increase in the number of copies of messages in RAM.
+
+Therefore, to provide the realtime platform-as-a-service economically to all customers, Ably charges customers based on the number of peak concurrent channels they use and imposes limits for package types. The peak channel limit is not the total number of channels created over time, but instead is the total number of channels simultaneously active at any point in time. Channels that are no longer in use (no clients attached and no messages being published) are closed automatically by the Ably platform.
+
 | Channel limit | Free | Standard | Pro | Enterprise |
 | ------------- | ---- | -------- | --- | ---------- |
 | **Concurrent channels**<p>*the maximum number of channels that are active simultaneously at any point*</p> | 200 | 10,000 | 50,000 | Unlimited |
diff --git a/src/pages/docs/protocols/index.mdx b/src/pages/docs/protocols/index.mdx
index 29f71dc848..33484d38b0 100644
--- a/src/pages/docs/protocols/index.mdx
+++ b/src/pages/docs/protocols/index.mdx
@@ -9,6 +9,10 @@ Ably SDKs are the recommended method for connecting to Ably because they offer s
 
 Protocol adapters offer an alternative method for connecting to Ably. The advantage to protocol adapters is that they require fewer resources in terms of memory and network overhead such as in smaller footprint devices, or on a platform where an Ably SDK isn't available such as an Arduino-based IoT wearable. The potential drawback to consider when evaluating protocol adapters is that they do not support the full set of Ably features, for example the MQTT protocol adapter does not support presence, and the SSE protocol adapter does not support automatic token renewal.
 
+Ably has designed its own set of protocols that deliver unparalleled service continuity guarantees. This would not be possible without tight integration of the protocol, platform and infrastructure. However, there are many valid use cases where other protocols are more suitable. As such, Ably provides a protocol adapter service that runs on its servers that allows customers to use the right protocol for their use case, yet still benefit from the robust service Ably can provide.
+
+Protocol adapters ensure that any number of protocols can be mixed yet are interoperable. For example, you could publish sensor data using MQTT, yet subscribe to this information reliably in your mobile apps using Ably client libraries.
+
 A full list of Ably SDKs can be found on the [SDK page](/docs/sdks).
 
 ## Available Protocol Adapters <a id="available-adapters"/>
@@ -26,7 +30,7 @@ Ably supports multiple protocols in addition to the native WebSockets-based one:
 
 MQTT (MQ Telemetry Transport) is a publish/subscribe, lightweight messaging protocol designed for constrained devices and low-bandwidth networks. One of the major uses of MQTT is with IoT (Internet of Things), where these principles are key to having effective communication between various devices.
 
-MQTT can also be used with Ably as a basic event broker or if we don't have an SDK for your target platform. However, without an SDK you don't get access to the full range of platform features and data guarantees.
+MQTT can also be used with Ably as a basic event broker or if there isn't an SDK for your target platform. However, without an SDK you don't get access to the full range of platform features and data guarantees.
 
 Read more in the [MQTT section](/docs/protocols/mqtt).
 
@@ -65,3 +69,21 @@ Ably is the only cloud vendor that supports the PubNub protocol. It's simple to
 Seamlessly migrate from PubNub by connecting to the Ably network using the PubNub protocol.
 
 Read more in the [PubNub Adapter section](/docs/protocols/pubnub).
+
+## How protocol adapters work <a id="how-they-work"/>
+
+The Ably platform is available at the endpoint `realtime.ably.io` for socket connections and `rest.ably.io` for REST-based requests and HTTP fallbacks for devices not supporting sockets. Ably client libraries always communicate directly with the Ably platform through those endpoints, and Ably ensures those endpoints route users to the closest available datacenter.
+
+Protocol adapters use different endpoints from the default Ably endpoints and route users to a protocol adapter layer that also runs in each of our datacenters. For example, if a client uses MQTT, the endpoint is `mqtt.ably.io`. Ably's latency-based DNS ensures that the client connecting to `mqtt.ably.io` is routed to the closest datacenter, and when the routing layer receives the request, it identifies which protocol the request is destined for based on the hostname. The router then routes the request to a local frontend designed to process data for that protocol.
+
+Protocol adapters run as middleware between the routers and the rest of the Ably service, ensuring that all incoming requests are transformed into the Ably protocol and sent to the Ably service, and all data received from Ably is transformed back to the client's protocol. The adapters are stateful, maintaining connections similar to how Ably provides connection state recovery. The routers ensure that requests are routed to the correct adapter handling each connection for each request.
+
+Protocol adapters provide a seamless way to connect using different protocols to Ably without having to worry about the complexities of ensuring interoperability between protocols.
+
+## Pricing <a id="pricing"/>
+
+Use of protocol adapters carries no additional charge. You are charged for the total number of peak connections and messages sent as if you were using Ably's native protocol. See the [pricing](/docs/platform/pricing) page for more details.
+
+## Getting started with protocol adapters <a id="getting-started"/>
+
+If you are interested in using our protocol adapters to assist with migration from another service, or would like to use another protocol not listed here with Ably, then please [get in touch](https://ably.com/contact).