From cfed34543a2ca1aa1540c85c23ca46cfc596b748 Mon Sep 17 00:00:00 2001
From: Francis Roberts <111994975+franrob-projects@users.noreply.github.com>
Date: Wed, 24 Sep 2025 14:42:04 +0200
Subject: [PATCH 01/17] What is the difference between 'failed' and 'refused'
 message statistics?

---
 src/pages/docs/metadata-stats/stats.mdx | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/pages/docs/metadata-stats/stats.mdx b/src/pages/docs/metadata-stats/stats.mdx
index b4f4b4d32c..283aac6245 100644
--- a/src/pages/docs/metadata-stats/stats.mdx
+++ b/src/pages/docs/metadata-stats/stats.mdx
@@ -371,6 +371,10 @@ The following metadata is returned for each entry:
 
 All messages metrics include all messages types, such as those sent and received by Ably and clients, messages delivered via integrations and push notifications delivered to devices.
 
+Failed vs. Refused messages:
+- **Failed** messages are those that did not succeed for reasons other than Ably actively rejecting them, such as external integration target rejections or Ably service issues.
+- **Refused** messages are those that Ably actively chose to reject, typically due to rate limiting, malformed messages, or insufficient client permissions.
+
 | Metric | Description |
 | --- | --- |
 | **messages.all.all.count** | Total number of messages that were successfully received and sent by Ably, summed over all message types and transports. |

From e5f84cd47bb8691a2b471d10c93afeb0dbf9d2e4 Mon Sep 17 00:00:00 2001
From: Francis Roberts <111994975+franrob-projects@users.noreply.github.com>
Date: Wed, 24 Sep 2025 15:10:51 +0200
Subject: [PATCH 02/17] How can I restrict connections or requests by origin or
 IP?

---
 src/pages/docs/auth/token.mdx | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/src/pages/docs/auth/token.mdx b/src/pages/docs/auth/token.mdx
index e2927166f7..acca8dada3 100644
--- a/src/pages/docs/auth/token.mdx
+++ b/src/pages/docs/auth/token.mdx
@@ -7,11 +7,29 @@ Token authentication uses a trusted device with an [API key](/docs/auth#api-key)
 
 Token authentication is the recommended authentication method to use client-side as it provides more fine-grained access control and limits the risk of credentials being exposed.
 
+## Access restrictions <a id="restrictions"/>
+
+### Token-based client validation
+
+Token authentication enables you to validate client characteristics (such as origin, IP address, cookies, or any other client features) in your authentication server before issuing tokens. This provides flexible access control as you can implement any validation logic in your auth server as part of the token issuance process.
+
+### API key restrictions
+
+For cases where token authentication is impractical, Ably can add origin or IP address restrictions directly to API keys. However, this approach has significant limitations:
+
+- Less flexible than token authentication.
+- Manual intervention required to modify restrictions.
+- Enterprise support packages only: contact [Ably support](https://ably.com/support) if interested.
+- Not a security boundary: origin headers can be easily spoofed, especially outside browser contexts.
+- Permissive fallback: requests with no origin header are allowed when origin restrictions are set.
+
+For maximum security and flexibility, token authentication with server-side validation is the recommended approach.
+
 Any of the following cause an SDK to use token authentication:
 
-* An [`authUrl`](/docs/api/realtime-sdk/types#client-options) or [`authCallback`](/docs/api/realtime-sdk/types#client-options) is provided that returns an Ably-compatible token or an Ably [`TokenRequest`](/docs/api/realtime-sdk/types#token-request)
-* [`useTokenAuth`](/docs/api/realtime-sdk/types#client-options) is true
-* A [`token`](/docs/api/realtime-sdk/types#client-options) or [`tokenDetails`](/docs/api/realtime-sdk/types#client-options) property is provided
+* An [`authUrl`](/docs/api/realtime-sdk/types#client-options) or [`authCallback`](/docs/api/realtime-sdk/types#client-options) is provided that returns an Ably-compatible token or an Ably [`TokenRequest`](/docs/api/realtime-sdk/types#token-request).
+* [`useTokenAuth`](/docs/api/realtime-sdk/types#client-options) is true.
+* A [`token`](/docs/api/realtime-sdk/types#client-options) or [`tokenDetails`](/docs/api/realtime-sdk/types#client-options) property is provided.
 
 Providing a literal `token` or `tokenDetails` is typically used for testing: since tokens are short-lived, in production you typically want to use an authentication method that allows the client library to renew the token automatically before the current token expires.
 

From 5d1b4a9b098521a40dbcc30c7c31353767bc694a Mon Sep 17 00:00:00 2001
From: Francis Roberts <111994975+franrob-projects@users.noreply.github.com>
Date: Thu, 25 Sep 2025 10:27:45 +0200
Subject: [PATCH 03/17] Is it possible to restrict which channels or
 permissions an API key has?

---
 src/pages/docs/platform/account/app/api.mdx | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/pages/docs/platform/account/app/api.mdx b/src/pages/docs/platform/account/app/api.mdx
index 7cdebcf2b5..f7a3df90e0 100644
--- a/src/pages/docs/platform/account/app/api.mdx
+++ b/src/pages/docs/platform/account/app/api.mdx
@@ -8,6 +8,10 @@ redirect_from:
 
 The API keys tab lists all API keys associated with your account and provides information on each key's capabilities and restrictions. You can [create a new API key](#create) and manage an existing one.
 
+<Aside data-type='note'>
+Before setting up multiple API keys with different permissions or sharing API keys with untrusted parties, consider using [token authentication](/docs/auth/token) instead. Token authentication provides more flexible access control and better security for client-side applications.
+</Aside>
+
 ## Create a new API key <a id="create"/>
 
 The following steps create a new API Key:
@@ -44,6 +48,12 @@ Set resource restrictions to control access to channels and queues, ranging from
 | **Only queues** | Access any queue but not channels. |
 | **Selected channels and queues** | Specify explicit rules for access. |
 
+When specifying selected channels and queues, you can provide a comma-separated list of resources. Each resource can match a single channel (e.g., `channel-name`) or multiple channels using wildcards (e.g., `namespace:*`). Queues use the prefix `[queue]` and meta channels use `[meta]`. See [capabilities documentation](/docs/auth/capabilities#wildcards) for detailed wildcard syntax.
+
+<Aside data-type='important'>
+A single API key cannot support complex permission combinations, such as publish access on one channel and subscribe access on another. For such requirements, use [token authentication](/docs/auth/token) instead.
+</Aside>
+
 ### Revocable tokens
 
 [Revocable tokens](/docs/auth/revocation#revocable-tokens) enhance security by allowing shorter token lifetimes and the ability to revoke tokens issued via the API key.

From 6ccfeef3358494b830b82e62919c2a4783c5f0ef Mon Sep 17 00:00:00 2001
From: Francis Roberts <111994975+franrob-projects@users.noreply.github.com>
Date: Thu, 25 Sep 2025 17:43:25 +0200
Subject: [PATCH 04/17] Which TLS Version does the ably-js library use?

---
 content/partials/types/_client_options.textile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/content/partials/types/_client_options.textile b/content/partials/types/_client_options.textile
index 943c723fa2..4b213eaef8 100644
--- a/content/partials/types/_client_options.textile
+++ b/content/partials/types/_client_options.textile
@@ -10,7 +10,7 @@ h4.
 
 <%= partial partial_version('shared/_token_auth_methods') %>
 
-- <span lang="default">tls</span><span lang="csharp,go">Tls</span><span lang="ruby">:tls</span> := _true_ A boolean value, indicating whether or not a TLS ("SSL") secure connection should be used. An insecure connection cannot be used with Basic authentication as it would lead to a possible compromise of the private API key while in transit. "Find out more about TLS":https://faqs.ably.com/are-messages-sent-to-and-received-from-ably-securely-using-tls<br>__Type: @Boolean@__
+- <span lang="default">tls</span><span lang="csharp,go">Tls</span><span lang="ruby">:tls</span> := _true_ A boolean value, indicating whether or not a TLS ("SSL") secure connection should be used. An insecure connection cannot be used with Basic authentication as it would lead to a possible compromise of the private API key while in transit. <span lang="javascript">The JavaScript library uses the TLS version supported by the browser environment.</span><span lang="nodejs">In Node.js, the TLS version is determined by the Node.js runtime version.</span> "Find out more about TLS":https://faqs.ably.com/are-messages-sent-to-and-received-from-ably-securely-using-tls<br>__Type: @Boolean@__
 
 - <span lang="default">clientId</span><span lang="csharp,go">ClientId</span><span lang="python">client_id</span><span lang="ruby">:client_id</span> := A client ID, used for identifying this client when publishing messages or for presence purposes. The <span lang="default">@clientId@</span><span lang="ruby,python">@client_id@</span><span lang="csharp,go">@ClientId@</span> can be any non-empty string. This option is primarily intended to be used in situations where the library is instantiated with a key; note that a <span lang="default">@clientId@</span><span lang="ruby,python">@client_id@</span><span lang="csharp,go">@ClientId@</span> may also be implicit in a token used to instantiate the library; an error will be raised if a <span lang="default">@clientId@</span><span lang="ruby,python">@client_id@</span> specified here conflicts with the <span lang="default">@clientId@</span><span lang="ruby,python">@client_id@</span><span lang="csharp,go">@ClientId@</span> implicit in the token. "Find out more about client identities":/docs/auth/identified-clients<br>__Type: @String@__
 

From d822e6c5f50aeb63db1e6121f2cc9a151e460cdd Mon Sep 17 00:00:00 2001
From: Francis Roberts <111994975+franrob-projects@users.noreply.github.com>
Date: Thu, 25 Sep 2025 18:08:51 +0200
Subject: [PATCH 05/17] Do you support multiplexing and channel groups?

---
 src/pages/docs/channels/index.mdx | 12 ++++++++++++
 src/pages/docs/connect/index.mdx  | 14 +++++++++++++-
 2 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/src/pages/docs/channels/index.mdx b/src/pages/docs/channels/index.mdx
index 3bcdd9d03f..ee1274ffa6 100644
--- a/src/pages/docs/channels/index.mdx
+++ b/src/pages/docs/channels/index.mdx
@@ -218,3 +218,15 @@ Channel [history](/docs/storage-history/history) enables clients to retrieve mes
 ## Presence <a id="presence"/>
 
 The [presence](/docs/presence-occupancy/presence) feature enables clients to be aware of other clients that are 'present' on the channel. Client status is updated as they enter or leave the presence set. Clients can also provide an optional payload describing their status or attributes, and trigger an update event at any time.
+
+## Channel groups <a id="channel-groups"/>
+
+Ably does not support channel groups, a concept used by some other providers where channels are placed into groups to work around limitations in dynamically subscribing or unsubscribing from channels.
+
+**Why Ably doesn't need channel groups:**
+
+* With Ably client libraries, you can add or remove subscriptions to channels dynamically at any tie.
+* All channels operate over a single efficient connection.
+* Channel namespaces already provide grouping functionality for configuration purposes.
+
+Instead of channel groups, simply subscribe to the specific channels your client needs access to. The efficient multiplexing ensures optimal performance regardless of the number of channels.
diff --git a/src/pages/docs/connect/index.mdx b/src/pages/docs/connect/index.mdx
index f79cf245c4..fde8e087a3 100644
--- a/src/pages/docs/connect/index.mdx
+++ b/src/pages/docs/connect/index.mdx
@@ -8,7 +8,19 @@ redirect_from:
   - /docs/realtime/versions/v0.8/connection
 ---
 
-Clients establish and maintain a connection to the Ably service using the most efficient transport available, typically [WebSockets](https://ably.com/topic/websockets). Ably SDKs operate and multiplex all [channel](/docs/channels) traffic over that connection. This maximizes throughput, minimizes bandwidth consumption, and reduces power usage. Once connected, clients can monitor and manage their [connection state](/docs/connect/states).
+Clients establish and maintain a connection to the Ably service using the most efficient transport available, typically [WebSockets](https://ably.com/topic/websockets).
+
+## Connection multiplexing <a id="multiplexing"/>
+
+Ably SDKs operate and multiplex all [channel](/docs/channels) traffic over a single connection. This means you can publish and subscribe to messages on any number of channels simultaneously using just one transport connection. This approach:
+
+* Maximizes throughput by efficiently utilizing the available connection.
+* Minimizes bandwidth consumption by avoiding multiple connection overhead.
+* Reduces power usage by maintaining fewer active connections.
+
+All Ably client libraries support multiplexing by default when using the realtime interface. You can dynamically subscribe and unsubscribe from channels at any time without needing to establish new connections.
+
+Once connected, clients can monitor and manage their [connection state](/docs/connect/states).
 
 <Aside data-type="note">
 Connections can only be established using the realtime interface of an Ably SDK. See [About Pub/Sub](/docs/basics) for further information on the differences between the REST and realtime interface.

From fba6d1dca692345008503cc9409700ec9acbf567 Mon Sep 17 00:00:00 2001
From: Francis Roberts <111994975+franrob-projects@users.noreply.github.com>
Date: Thu, 25 Sep 2025 18:23:49 +0200
Subject: [PATCH 06/17] If I need to whitelist Ably's servers from a firewall,
 which ports, IPs and/or domains should I add?

---
 .../platform/architecture/edge-network.mdx    | 70 +++++++++++++++++++
 1 file changed, 70 insertions(+)

diff --git a/src/pages/docs/platform/architecture/edge-network.mdx b/src/pages/docs/platform/architecture/edge-network.mdx
index 7133213aec..6eb3d5567c 100644
--- a/src/pages/docs/platform/architecture/edge-network.mdx
+++ b/src/pages/docs/platform/architecture/edge-network.mdx
@@ -142,3 +142,73 @@ The health monitoring system also feeds into the automated traffic routing syste
 All Ably infrastructure scales on demand so as to be able to handle the ambient traffic level. The infrastructure is typically provisioned with significant headroom above current demand, ensuring that sudden increases in traffic can be accommodated without impacting service quality. Additionally, the auto-scaling capabilities of the cloud infrastructure allow for dynamic adjustments to capacity based on realtime demand.
 
 For planned high-traffic events with anticipated usage spikes, additional capacity can be provisioned in advance to ensure that all traffic can be handled seamlessly. The operations team works with customers to understand their traffic expectations and ensure that all relevant infrastructure components are provisioned for significant events.
+
+## Firewall and network configuration <a id="firewall"/>
+
+If you need to configure firewalls or network security devices to allow connections to Ably, the following information will help you set up the necessary rules.
+
+### Ports
+
+Ably's client libraries use the following ports:
+
+* **Port 443** - HTTPS traffic over TLS (primary for all WebSocket and HTTP connections)
+* **Port 80** - HTTP traffic (only when TLS is explicitly disabled, not recommended)
+
+**Protocol adapters and integrations use additional ports:**
+
+* **Port 5671** - Ably queues over AMQP (TLS only)  
+* **Port 61614** - Ably queues over STOMP (TLS only)
+* **Port 8883** - MQTT adapter over TLS
+* **Port 1883** - MQTT adapter unencrypted (not recommended)
+
+<Aside data-type='warning'>
+Using unencrypted connections (ports 80 and 1883) is not recommended and is disabled by default in all client libraries for security reasons.
+</Aside>
+
+### Domains and endpoints
+
+**Core Ably endpoints:**
+
+* `rest.ably.io` - REST API requests
+* `realtime.ably.io` - Realtime WebSocket connections  
+* `a.ably-realtime.com` through `e.ably-realtime.com` - Fallback hosts for reliability
+
+**Additional connectivity endpoints:**
+
+* `internet-up.ably-realtime.com` - General connectivity checks
+* `ws-up.ably-realtime.com` - WebSocket connectivity checks (ably-js v2)
+
+**Protocol adapter endpoints:**
+
+* `mqtt.ably.io` - MQTT adapter
+* `pubnub-rest.ably.io` - PubNub adapter  
+* `pusher-rest.ably.io` and `pusher-realtime.ably.io` - Pusher adapter
+* `us-east-1-a-queue.ably.io` - Ably Queues (US East 1)
+* `eu-west-1-a-queue.ably.io` - Ably Queues (EU West 1)
+
+### DNS CNAME records
+
+Ably's default endpoints use DNS CNAME records with the following targets:
+
+* `rest.ably.io` and `realtime.ably.io` → `main.realtime.ably.net`
+* `a.ably-realtime.com` → `main.a.fallback.ably-realtime.com`  
+* `b.ably-realtime.com` → `main.b.fallback.ably-realtime.com`
+* `c.ably-realtime.com` → `main.c.fallback.ably-realtime.com`
+* `d.ably-realtime.com` → `main.d.fallback.ably-realtime.com`
+* `e.ably-realtime.com` → `main.e.fallback.ably-realtime.com`
+
+<Aside data-type='note'>
+Future SDK releases may directly reference the CNAME target values. Consider adding both the endpoint domains and their CNAME targets to your allow lists for forward compatibility.
+</Aside>
+
+### IP addresses
+
+<Aside data-type='important'>
+Ably cannot provide static IP addresses for the cloud-based service as the infrastructure is elastic and IP addresses are reassigned dynamically as part of normal operations. You must use domain-based allowlisting rather than IP-based rules.
+</Aside>
+
+### Enterprise customers
+
+<Aside data-type='note'>
+Enterprise customers with custom configurations may have different endpoint domains. Contact [Ably support](https://ably.com/support) to confirm the specific domains for your account configuration.
+</Aside>

From 3fa0f9ce235fa420b9f5db70c8165e4e32846dfd Mon Sep 17 00:00:00 2001
From: Francis Roberts <111994975+franrob-projects@users.noreply.github.com>
Date: Thu, 25 Sep 2025 18:34:43 +0200
Subject: [PATCH 07/17] Authenticated and identified clients

---
 src/pages/docs/auth/index.mdx | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/src/pages/docs/auth/index.mdx b/src/pages/docs/auth/index.mdx
index 171144ce70..51949e95e5 100644
--- a/src/pages/docs/auth/index.mdx
+++ b/src/pages/docs/auth/index.mdx
@@ -22,6 +22,22 @@ redirect_from:
 
 Before a client or server can issue requests to Ably, such as subscribe to channels, or publish messages, it must authenticate with Ably. Authentication requires an Ably API key.
 
+## Authentication terminology <a id="terminology"/>
+
+The following terminology helps explain authentication, authorization, and identification in the context of the Ably service:
+
+"Authentication" is the process of deciding, based on the presented credentials, whether or not an entity may interact with the Ably service. The credentials may be presented explicitly using [Basic Authentication](/docs/auth/basic) or [Token Authentication](/docs/auth/token), or in some cases the entity authenticating may prove possession of the credentials with a signed Token Request that is subsequently used to generate a valid token to be used for Token Authentication. When authenticating with Ably, the credentials are either an API key or an auth token.
+
+"Authenticated client" is a client of the Ably service that has been successfully authenticated.
+
+"Authorization" is the process of deciding whether or not a given entity (usually authenticated) is allowed to perform a given operation. In Ably, authorization for most operations is based on the [capabilities](/docs/auth/capabilities) associated with the key or token that was used to authenticate a client.
+
+"Identified client" is an authenticated client with a specific claimed client identity, or `clientId`, whose credentials are verified as confirming that identity. See the [identified clients](/docs/auth/identified-clients) documentation for more information.
+
+<Aside data-type='note'>
+Channels can be configured to only allow [identified clients](/docs/auth/identified-clients). Learn more about [channel rules](/docs/channels#rules).
+</Aside>
+
 ## Ably API keys <a id="api-keys"/>
 
 Every Ably app can have one or more API keys associated with it in order to authenticate directly with Ably, or to issue tokens with. API keys can be created with different [capabilities](/docs/auth/capabilities) and any tokens issued using that API key can only permit a subset of those capabilities.

From 40bc1b8defc146115facf3432049495a0ebdf309 Mon Sep 17 00:00:00 2001
From: Francis Roberts <111994975+franrob-projects@users.noreply.github.com>
Date: Thu, 25 Sep 2025 18:41:13 +0200
Subject: [PATCH 08/17] Are messages sent to and received from Ably securely
 using TLS?

---
 .../partials/types/_client_options.textile    |  2 +-
 .../docs/channels/options/encryption.mdx      | 26 +++++++++++++++++++
 2 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/content/partials/types/_client_options.textile b/content/partials/types/_client_options.textile
index 4b213eaef8..d3f0e15ee7 100644
--- a/content/partials/types/_client_options.textile
+++ b/content/partials/types/_client_options.textile
@@ -10,7 +10,7 @@ h4.
 
 <%= partial partial_version('shared/_token_auth_methods') %>
 
-- <span lang="default">tls</span><span lang="csharp,go">Tls</span><span lang="ruby">:tls</span> := _true_ A boolean value, indicating whether or not a TLS ("SSL") secure connection should be used. An insecure connection cannot be used with Basic authentication as it would lead to a possible compromise of the private API key while in transit. <span lang="javascript">The JavaScript library uses the TLS version supported by the browser environment.</span><span lang="nodejs">In Node.js, the TLS version is determined by the Node.js runtime version.</span> "Find out more about TLS":https://faqs.ably.com/are-messages-sent-to-and-received-from-ably-securely-using-tls<br>__Type: @Boolean@__
+- <span lang="default">tls</span><span lang="csharp,go">Tls</span><span lang="ruby">:tls</span> := _true_ A boolean value, indicating whether or not a TLS ("SSL") secure connection should be used. An insecure connection cannot be used with Basic authentication as it would lead to a possible compromise of the private API key while in transit. <span lang="javascript">The JavaScript library uses the TLS version supported by the browser environment.</span><span lang="nodejs">In Node.js, the TLS version is determined by the Node.js runtime version.</span> "Find out more about TLS":/docs/channels/options/encryption#tls<br>__Type: @Boolean@__
 
 - <span lang="default">clientId</span><span lang="csharp,go">ClientId</span><span lang="python">client_id</span><span lang="ruby">:client_id</span> := A client ID, used for identifying this client when publishing messages or for presence purposes. The <span lang="default">@clientId@</span><span lang="ruby,python">@client_id@</span><span lang="csharp,go">@ClientId@</span> can be any non-empty string. This option is primarily intended to be used in situations where the library is instantiated with a key; note that a <span lang="default">@clientId@</span><span lang="ruby,python">@client_id@</span><span lang="csharp,go">@ClientId@</span> may also be implicit in a token used to instantiate the library; an error will be raised if a <span lang="default">@clientId@</span><span lang="ruby,python">@client_id@</span> specified here conflicts with the <span lang="default">@clientId@</span><span lang="ruby,python">@client_id@</span><span lang="csharp,go">@ClientId@</span> implicit in the token. "Find out more about client identities":/docs/auth/identified-clients<br>__Type: @String@__
 
diff --git a/src/pages/docs/channels/options/encryption.mdx b/src/pages/docs/channels/options/encryption.mdx
index 9d7fe6ce13..f939bc20d2 100644
--- a/src/pages/docs/channels/options/encryption.mdx
+++ b/src/pages/docs/channels/options/encryption.mdx
@@ -14,6 +14,32 @@ redirect_from:
 
 [Transport Layer Security (TLS)](https://en.wikipedia.org/wiki/Transport_Layer_Security) is enabled by default in Ably SDKs so that data is securely sent to, and received from, Ably. However, messages are not encrypted within the Ably system. Use the encryption channel option to ensure that message payloads are opaque, that they can't be decrypted by Ably, and can only be decrypted by other clients that share your secret key.
 
+## TLS transport security <a id="tls"/>
+
+All Ably client libraries use TLS by default when communicating with Ably over REST or via realtime transports such as WebSockets. This provides a secure transport for communication with Ably, ensuring that messages in transit cannot be intercepted, inspected, or tampered with.
+
+### Disabling TLS
+
+If you need to disable TLS (typically to reduce communication overhead for public data streams), you can specify `tls: false` in your [client options](/docs/api/realtime-sdk#client-options) when instantiating a Realtime or REST library.
+
+<Aside data-type='warning'>
+Disabling TLS is strongly discouraged and is disabled by default in all client libraries for security reasons.
+</Aside>
+
+### TLS restrictions
+
+Unencrypted communication with Ably is **disallowed** if any of the following conditions are met:
+
+* You attempt to use [Basic Authentication](/docs/auth/basic) and thus transmit a private API key over an unencrypted connection. You are only permitted to use unencrypted connections with [Token Authentication](/docs/auth/token) as tokens expire, limiting the impact of token interception.
+
+* You have specified that TLS is required in your [app settings](/docs/platform/account/app/settings).
+
+* A client using an unencrypted connection attempts to attach to a channel that is configured to be used with [TLS only](/docs/channels#rules).
+
+### TLS vs. message encryption
+
+While TLS encryption ensures that messages in transit to and from Ably cannot be intercepted, inspected, or tampered with, it does not ensure that the Ably service itself is unable to inspect your messages and their content. If you want to ensure that all messages are encrypted and inaccessible to even Ably, consider using the [message-level encryption](#with-ably) feature included in the client libraries.
+
 Setting encryption using channel options means that encryption is a feature that can be set per-channel. Apps may have both un-encrypted and encrypted channels on a single connection.
 
 ## Encryption with Ably <a id="with-ably"/>

From edf4ac53565c12fe36a5058bfed36ee9b6e44cf9 Mon Sep 17 00:00:00 2001
From: Francis Roberts <111994975+franrob-projects@users.noreply.github.com>
Date: Fri, 26 Sep 2025 10:14:36 +0200
Subject: [PATCH 09/17] How can you restrict which channels a client can
 access?

---
 src/pages/docs/auth/capabilities.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/pages/docs/auth/capabilities.mdx b/src/pages/docs/auth/capabilities.mdx
index 1551dac175..e31c8cd561 100644
--- a/src/pages/docs/auth/capabilities.mdx
+++ b/src/pages/docs/auth/capabilities.mdx
@@ -7,7 +7,7 @@ API keys and Ably-compatible tokens, have a set of capabilities assigned to them
 
 API keys are long-lived, secret and typically not shared with clients. API key capabilities are configured using the [dashboard](https://ably.com/dashboard), or using the [Control API](/docs/platform/account/control-api).
 
-Ably-compatible tokens are designed to be shared with untrusted clients, are short-lived, and can be configured and issued programmatically. See [selecting an authentication mechanism](/docs/auth#selecting-auth) to understand why token authentication is the preferred option in most scenarios.
+Ably-compatible tokens are designed to be shared with untrusted clients, are short-lived, and can be configured and issued programmatically. **For restricting client access to channels, tokens provide far more flexibility and security than API key capabilities.** See [selecting an authentication mechanism](/docs/auth#selecting-auth) to understand why token authentication is the preferred option in most scenarios.
 
 ## Resource names and wildcards <a id="wildcards"/>
 

From 5e7caada24c6703c03e384a0b570605d3a5106b0 Mon Sep 17 00:00:00 2001
From: Francis Roberts <111994975+franrob-projects@users.noreply.github.com>
Date: Fri, 26 Sep 2025 10:20:26 +0200
Subject: [PATCH 10/17] When I change a key's capabilities in the dashboard,
 will existing connections get those capabilities immediately?

---
 src/pages/docs/auth/capabilities.mdx | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/pages/docs/auth/capabilities.mdx b/src/pages/docs/auth/capabilities.mdx
index e31c8cd561..5f15066639 100644
--- a/src/pages/docs/auth/capabilities.mdx
+++ b/src/pages/docs/auth/capabilities.mdx
@@ -9,6 +9,16 @@ API keys are long-lived, secret and typically not shared with clients. API key c
 
 Ably-compatible tokens are designed to be shared with untrusted clients, are short-lived, and can be configured and issued programmatically. **For restricting client access to channels, tokens provide far more flexibility and security than API key capabilities.** See [selecting an authentication mechanism](/docs/auth#selecting-auth) to understand why token authentication is the preferred option in most scenarios.
 
+### Capability changes and existing connections
+
+<Aside data-type='important'>
+When you change a key's capabilities in the dashboard, existing connections using that key do **not** receive the updated capabilities immediately. Connections must be closed and re-opened to pick up the new capabilities.
+</Aside>
+
+Once created, it's best to think of keys and tokens as being immutable. To modify the permissions granted to existing connections, the recommended approach is to use [token authentication](/docs/auth/token) and issue the client a new token with the updated permissions you want them to have.
+
+The one exception is if a key is revoked entirely, in which case all connections using that key (or a token derived from that key) will be forcibly terminated. See [token revocation](/docs/auth/revocation) for more information.
+
 ## Resource names and wildcards <a id="wildcards"/>
 
 Capabilities are a map from resources to a list of [operations](#capability-operations). Each resource can match a single channel, for example, `channel`, or multiple channels using wildcards (`*`).

From 10df3d192c9844394005b9c0b06c4e37db4d4ddf Mon Sep 17 00:00:00 2001
From: Francis Roberts <111994975+franrob-projects@users.noreply.github.com>
Date: Fri, 26 Sep 2025 10:54:34 +0200
Subject: [PATCH 11/17] Cross-platform symmetric encryption offered by the
 libraries

---
 src/pages/docs/channels/options/encryption.mdx | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/pages/docs/channels/options/encryption.mdx b/src/pages/docs/channels/options/encryption.mdx
index f939bc20d2..6f4ddb2131 100644
--- a/src/pages/docs/channels/options/encryption.mdx
+++ b/src/pages/docs/channels/options/encryption.mdx
@@ -42,11 +42,13 @@ While TLS encryption ensures that messages in transit to and from Ably cannot be
 
 Setting encryption using channel options means that encryption is a feature that can be set per-channel. Apps may have both un-encrypted and encrypted channels on a single connection.
 
-## Encryption with Ably <a id="with-ably"/>
+## Cross-platform symmetric encryption <a id="with-ably"/>
+
+All officially supported Ably client libraries provide **cross-platform symmetric encryption**, ensuring that encrypted messages can be sent from one platform and successfully decrypted on any other supported platform.
 
 Ably SDKs support encryption purely as a convenience. The SDKs ensure interoperability between environments by having compatible implementations of encryption algorithms and by making common choices on things such as format, mode and padding. However, Ably intentionally does not manage the distribution of keys between clients, and end-to-end encryption is enabled without exposing keys to the Ably service at all. This has the advantage that Ably has no access to the un-encrypted contents of your messages, but also means that each app is responsible for enabling the distribution of keys to clients independently of Ably.
 
-Encryption with Ably supports symmetric encryption only and requires each participating client to each specify the correct [`CipherParams`](/docs/api/realtime-sdk/encryption#cipher-params) secret `key` when creating a `channel` instance. Clients that do not specify a key will receive the still-encrypted message payloads, that they can subsequently decrypt offline if necessary.
+Encryption with Ably supports **symmetric encryption only** and requires each participating client to each specify the correct [`CipherParams`](/docs/api/realtime-sdk/encryption#cipher-params) secret `key` when creating a `channel` instance. Clients that do not specify a key will receive the still-encrypted message payloads, that they can subsequently decrypt offline if necessary.
 
 Only the AES algorithm, with a default key length of 256 bits, and CBC mode are supported. These defaults are intended to ensure that encryption support can be provided in all target environments and platforms.
 

From 8686b0e92884221cca56f743f64012cd3935544c Mon Sep 17 00:00:00 2001
From: Francis Roberts <111994975+franrob-projects@users.noreply.github.com>
Date: Fri, 26 Sep 2025 11:00:17 +0200
Subject: [PATCH 12/17] How do I report a security or privacy vulnerability on
 Ably

---
 src/pages/docs/platform/index.mdx | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/src/pages/docs/platform/index.mdx b/src/pages/docs/platform/index.mdx
index dabedfdcad..f645a655e9 100644
--- a/src/pages/docs/platform/index.mdx
+++ b/src/pages/docs/platform/index.mdx
@@ -28,6 +28,31 @@ It is built primarily on Amazon EC2 infrastructure. It runs in 7 physical data c
 
 Each data center scales independently to meet the load within that region. Load is dynamically assigned and reassigned across servers in realtime, and the service auto-heals and routes around network failures.
 
+## Security <a id="security"/>
+
+Ably takes security seriously and has implemented comprehensive measures to protect the platform and user data. For detailed information about security measures, see the [edge network security documentation](/docs/platform/architecture/edge-network#protection-against-denial-of-service-attacks) and [encryption options](/docs/channels/options/encryption).
+
+### Reporting security vulnerabilities
+
+If you believe you have found a security or privacy vulnerability that could impact Ably or our users, we encourage you to report it immediately by following our [Vulnerability Disclosure Policy](https://ably.com/disclosure).
+
+#### How to report
+
+1. Submit detailed reports through our official disclosure process.
+2. Each report should explain one vulnerability with clear impact assessment.
+3. Include step-by-step reproduction instructions or proof of concept.
+4. Use responsible disclosure practices.
+
+#### Bug bounty program
+
+Ably operates a bug bounty program that rewards security researchers for legitimate vulnerability reports. Successful researchers are recognized on our [acknowledgements page](https://ably.com/acknowledgements).
+
+#### Legal protection
+
+Activities conducted in accordance with our vulnerability disclosure policy are considered authorized conduct. Ably will not initiate legal action against researchers operating in good faith within our policy guidelines.
+
+For questions regarding coordinated disclosure, contact [security@ably.com](mailto:security@ably.com).
+
 ## Integrations <a id="integrations"/>
 
 Ably [integrations](/docs/platform/integrations) enable you to send your data from Ably to an external service or push data into Ably from an external service. You can trigger actions in your integrated services when events occur in Ably or send data to Ably from external systems.

From 28bc91a183befd56e46f5eaa7484381ee2bc70bd Mon Sep 17 00:00:00 2001
From: Francis Roberts <111994975+franrob-projects@users.noreply.github.com>
Date: Fri, 26 Sep 2025 16:18:34 +0200
Subject: [PATCH 13/17] Do you support MQTT? Are you protocol agnostic?

---
 src/pages/docs/protocols/index.mdx | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/pages/docs/protocols/index.mdx b/src/pages/docs/protocols/index.mdx
index 29f71dc848..a03b02a83f 100644
--- a/src/pages/docs/protocols/index.mdx
+++ b/src/pages/docs/protocols/index.mdx
@@ -9,6 +9,10 @@ Ably SDKs are the recommended method for connecting to Ably because they offer s
 
 Protocol adapters offer an alternative method for connecting to Ably. The advantage to protocol adapters is that they require fewer resources in terms of memory and network overhead such as in smaller footprint devices, or on a platform where an Ably SDK isn't available such as an Arduino-based IoT wearable. The potential drawback to consider when evaluating protocol adapters is that they do not support the full set of Ably features, for example the MQTT protocol adapter does not support presence, and the SSE protocol adapter does not support automatic token renewal.
 
+At Ably we have designed our own set of protocols that allow us to deliver unparalleled service continuity guarantees. This would not be possible without tight integration of the protocol, our platform and our infrastructure. However, we recognize that there are many valid use cases where other protocols are more suitable. As such, we provide a protocol adapter service that runs on our servers that allows customers to use the right protocol for their use case, yet still benefit from the robust service Ably can provide.
+
+Protocol adapters ensure that any number of protocols can be mixed yet are interoperable. For example, you could publish sensor data using MQTT, yet subscribe to this information reliably in your mobile apps using Ably client libraries.
+
 A full list of Ably SDKs can be found on the [SDK page](/docs/sdks).
 
 ## Available Protocol Adapters <a id="available-adapters"/>
@@ -65,3 +69,7 @@ Ably is the only cloud vendor that supports the PubNub protocol. It's simple to
 Seamlessly migrate from PubNub by connecting to the Ably network using the PubNub protocol.
 
 Read more in the [PubNub Adapter section](/docs/protocols/pubnub).
+
+## Getting started with protocol adapters <a id="getting-started"/>
+
+If you are interested in using our protocol adapters to assist with migration from another service, or would like to use another protocol not listed here with Ably, then please [get in touch](https://ably.com/contact).

From e5efb4db30586cf973237ef6aa3cbf25fc8a5817 Mon Sep 17 00:00:00 2001
From: Francis Roberts <111994975+franrob-projects@users.noreply.github.com>
Date: Fri, 26 Sep 2025 16:32:19 +0200
Subject: [PATCH 14/17] What are Ably protocol adapters and how do they work?

---
 src/pages/docs/protocols/index.mdx | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/src/pages/docs/protocols/index.mdx b/src/pages/docs/protocols/index.mdx
index a03b02a83f..591fc54feb 100644
--- a/src/pages/docs/protocols/index.mdx
+++ b/src/pages/docs/protocols/index.mdx
@@ -70,6 +70,20 @@ Seamlessly migrate from PubNub by connecting to the Ably network using the PubNu
 
 Read more in the [PubNub Adapter section](/docs/protocols/pubnub).
 
+## How protocol adapters work <a id="how-they-work"/>
+
+The Ably platform is available at the endpoint `realtime.ably.io` for socket connections and `rest.ably.io` for REST-based requests and HTTP fallbacks for devices not supporting sockets. Ably client libraries always communicate directly with the Ably platform through those endpoints, and Ably ensures those endpoints route users to the closest available datacenter.
+
+Protocol adapters use different endpoints from the default Ably endpoints and route users to a protocol adapter layer that also runs in each of our datacenters. For example, if a client uses MQTT, the endpoint is `mqtt.ably.io`. Ably's latency-based DNS ensures that the client connecting to `mqtt.ably.io` is routed to the closest datacenter, and when the routing layer receives the request, it identifies which protocol the request is destined for based on the hostname. The router then routes the request to a local frontend designed to process data for that protocol.
+
+Protocol adapters run as middleware between the routers and the rest of the Ably service, ensuring that all incoming requests are transformed into the Ably protocol and sent to the Ably service, and all data received from Ably is transformed back to the client's protocol. The adapters are stateful, maintaining connections similar to how Ably provides connection state recovery. The routers ensure that requests are routed to the correct adapter handling each connection for each request.
+
+Protocol adapters provide a seamless way to connect using different protocols to Ably without having to worry about the complexities of ensuring interoperability between protocols.
+
+## Pricing <a id="pricing"/>
+
+Use of protocol adapters carries no additional charge. You are charged for the total number of peak connections and messages sent as if you were using Ably's native protocol. See the [pricing](/docs/platform/pricing) page for more details.
+
 ## Getting started with protocol adapters <a id="getting-started"/>
 
 If you are interested in using our protocol adapters to assist with migration from another service, or would like to use another protocol not listed here with Ably, then please [get in touch](https://ably.com/contact).

From f95bd89cf20eca1d9f9e2b533cf29edce11a9b09 Mon Sep 17 00:00:00 2001
From: Francis Roberts <111994975+franrob-projects@users.noreply.github.com>
Date: Fri, 26 Sep 2025 17:05:20 +0200
Subject: [PATCH 15/17] Where are Ably's servers and datacenters located around
 the world?

---
 src/pages/docs/platform/index.mdx | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/src/pages/docs/platform/index.mdx b/src/pages/docs/platform/index.mdx
index f645a655e9..6eb2335895 100644
--- a/src/pages/docs/platform/index.mdx
+++ b/src/pages/docs/platform/index.mdx
@@ -24,9 +24,19 @@ Ably is engineered around the following four key principles to ensure the depend
 
 The Ably platform has fault-tolerant, highly-available, elastic global infrastructure for effortless scaling.
 
-It is built primarily on Amazon EC2 infrastructure. It runs in 7 physical data centers and utilizes 385 points of presence to ensure that there isn't a single point of failure, nor single point of congestion across the service. Ably is designed to route messages using the least amount of network hops to minimize latency and maximize performance for clients, regardless of their location.
+It is built primarily on Amazon's cloud infrastructure. Ably has servers distributed across more than 15 physical datacenters within the AWS network, with 700+ edge locations globally through AWS CloudFront, so that there isn't a single point of failure, nor single point of congestion across the service. Ably is designed to route messages using the least amount of network hops to minimize latency and maximize performance for clients, regardless of their location.
 
-Each data center scales independently to meet the load within that region. Load is dynamically assigned and reassigned across servers in realtime, and the service auto-heals and routes around network failures.
+Clients are automatically connected to the nearest datacenter to reduce latency, and each datacenter is physically isolated from the others, ensuring that a failure in one datacenter has no effect on any other datacenter.
+
+Each datacenter scales independently to meet the load within that region. Load is dynamically assigned and reassigned across servers in realtime, and the service auto-heals and routes around network failures.
+
+## Global network information <a id="network-info"/>
+
+For detailed information about Ably's global infrastructure:
+
+* View the [network map](https://ably.com/network) of Ably's datacenters and global points of presence.
+* Check the [status of datacenters](https://status.ably.io/) by region.
+* See [global round-trip latency statistics](https://ably.com/network/latency) measured externally by Uptrends.
 
 ## Security <a id="security"/>
 

From 21b4c95a6f851ca220adc6f17d2ae36de584f75d Mon Sep 17 00:00:00 2001
From: Francis Roberts <111994975+franrob-projects@users.noreply.github.com>
Date: Fri, 26 Sep 2025 17:12:24 +0200
Subject: [PATCH 16/17] Why does Ably have concurrent channel limits?

---
 src/pages/docs/platform/pricing/limits.mdx | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/src/pages/docs/platform/pricing/limits.mdx b/src/pages/docs/platform/pricing/limits.mdx
index c8c59d8226..5093e7b866 100644
--- a/src/pages/docs/platform/pricing/limits.mdx
+++ b/src/pages/docs/platform/pricing/limits.mdx
@@ -78,6 +78,22 @@ Message limits relate to the number, rate and bandwidth of messages consumed acr
 
 Channel limits relate to the number, rate and membership of [channels](/docs/channels) on your account.
 
+### Why concurrent channel limits exist <a id="concurrent-limits"/>
+
+Unlike many other realtime platforms, Ably's architectural design ensures delivery of a high quality of service and continuity for clients across changing network conditions and datacenter conditions (such as scaling events, network disruption or hardware failures).
+
+In order to achieve 99.999% uptime, guaranteed message delivery, and reliable [message ordering](/docs/platform/architecture/message-ordering), Ably's system design can be considered "stateful". Every channel in the system is maintained by at least two nodes at any point in time, and in most cases many more nodes when clients connect through multiple datacenters. Ably ensures that a channel is active in each regional datacenter that has attached clients, for performance reasons and to avoid single point of failure design issues.
+
+This active management of each channel by nodes in the system allows Ably to:
+
+* Maintain [message ordering](/docs/platform/architecture/message-ordering) for each client publishing messages by using regional (datacenter) serial numbers, ensuring all messages arrive globally in the order they were published
+* Resume [connection state recovery](/docs/platform/architecture/connection-recovery) for clients that became disconnected by checking the serial numbers of the last received message by that client and retrieving all messages from RAM stored for that channel
+* Handle channel failure or intentional migration of channels between nodes without any loss of continuity
+
+The channel state that Ably maintains comes at a cost in terms of CPU and primarily RAM within the cluster. This is because every open channel is managed by at least two nodes and all messages published are stored in RAM on at least two nodes for a period of time. When clients connect to Ably using multiple datacenters and attach to shared channels, the number of server nodes managing these shared channels increases, with a corresponding increase in the number of copies of messages in RAM.
+
+Therefore, to provide the realtime platform-as-a-service economically to all customers, Ably charges customers based on the number of peak concurrent channels they use and imposes limits for package types. The peak channel limit is not the total number of channels created over time, but instead is the total number of channels simultaneously active at any point in time. Channels that are no longer in use (no clients attached and no messages being published) are closed automatically by the Ably platform.
+
 | Channel limit | Free | Standard | Pro | Enterprise |
 | ------------- | ---- | -------- | --- | ---------- |
 | **Concurrent channels**<p>*the maximum number of channels that are active simultaneously at any point*</p> | 200 | 10,000 | 50,000 | Unlimited |

From d0acd240e5d0ff4287d63e6501c27752e46eb04c Mon Sep 17 00:00:00 2001
From: Francis Roberts <111994975+franrob-projects@users.noreply.github.com>
Date: Tue, 30 Sep 2025 16:40:15 +0200
Subject: [PATCH 17/17] Tidy up commit

---
 src/pages/docs/auth/capabilities.mdx          |   2 +-
 src/pages/docs/metadata-stats/stats.mdx       |  64 +++++------
 src/pages/docs/platform/account/app/api.mdx   |  10 +-
 .../docs/platform/account/app/settings.mdx    |  26 ++---
 src/pages/docs/platform/account/app/stats.mdx |  26 ++---
 src/pages/docs/platform/account/index.mdx     |   4 +-
 src/pages/docs/platform/account/sso.mdx       |  28 ++---
 src/pages/docs/platform/account/users.mdx     |  38 +++----
 src/pages/docs/platform/errors/codes.mdx      | 102 +++++++++---------
 src/pages/docs/platform/index.mdx             |   8 +-
 src/pages/docs/protocols/index.mdx            |   4 +-
 11 files changed, 156 insertions(+), 156 deletions(-)

diff --git a/src/pages/docs/auth/capabilities.mdx b/src/pages/docs/auth/capabilities.mdx
index 5f15066639..2775a56453 100644
--- a/src/pages/docs/auth/capabilities.mdx
+++ b/src/pages/docs/auth/capabilities.mdx
@@ -7,7 +7,7 @@ API keys and Ably-compatible tokens, have a set of capabilities assigned to them
 
 API keys are long-lived, secret and typically not shared with clients. API key capabilities are configured using the [dashboard](https://ably.com/dashboard), or using the [Control API](/docs/platform/account/control-api).
 
-Ably-compatible tokens are designed to be shared with untrusted clients, are short-lived, and can be configured and issued programmatically. **For restricting client access to channels, tokens provide far more flexibility and security than API key capabilities.** See [selecting an authentication mechanism](/docs/auth#selecting-auth) to understand why token authentication is the preferred option in most scenarios.
+Ably-compatible tokens are designed to be shared with untrusted clients, are short-lived, and can be configured and issued programmatically. For restricting client access to channels, tokens provide far more flexibility and security than API key capabilities. See [selecting an authentication mechanism](/docs/auth#selecting-auth) to understand why token authentication is the preferred option in most scenarios.
 
 ### Capability changes and existing connections
 
diff --git a/src/pages/docs/metadata-stats/stats.mdx b/src/pages/docs/metadata-stats/stats.mdx
index 283aac6245..4f565cecf9 100644
--- a/src/pages/docs/metadata-stats/stats.mdx
+++ b/src/pages/docs/metadata-stats/stats.mdx
@@ -43,7 +43,7 @@ curl --request GET \
 This endpoint returns a [statistics response type](#payload) including [account-only metrics](#account-only).
 
 <Aside data-type='note'>
-  To obtain your `ACCOUNT_ID`, you can use `/me` Control API endpoint to find your `ACCOUNT_ID`, or alternatively find it in the [**Settings**](https://ably.com/accounts/any/edit) page of your account dashboard:
+  To obtain your `ACCOUNT_ID`, you can use `/me` Control API endpoint to find your `ACCOUNT_ID`, or alternatively find it in the [Settings](https://ably.com/accounts/any/edit) page of your account dashboard:
 </Aside>
 
 <Code>
@@ -85,7 +85,7 @@ curl 'https://control.ably.net/v1/apps/${APP_ID}/stats' \
 This endpoint returns a [statistics response type](#payload).
 
 <Aside data-type='note'>
-    The `APP_ID` can be found in the [**Settings**](https://ably.com/accounts/any/apps/any/edit) tab of an application within your dashboard.
+    The `APP_ID` can be found in the [Settings](https://ably.com/accounts/any/apps/any/edit) tab of an application within your dashboard.
 </Aside>
 
 ### App statistics via SDK <a id="app-sdk"/>
@@ -360,45 +360,45 @@ The following metadata is returned for each entry:
 
 | Property | Description |
 | --- | --- |
-| **appId** | The ID of the Ably application the statistics are for. Only present when querying app statistics. |
-| **accountId** | The ID of the Ably account the statistics are for. Only present when querying account statistics. |
-| **intervalId** | Start time for the stats entry. Format is `yyyy-mm-dd:hh:mm` for `unit=minute`, and `yyyy-mm-dd:hh` for `unit=hour,day,month`. |
-| **unit** | Unit of time that the stats entry covers. One of `minute`, `hour`, `day` or `month`. |
-| **schema** | URI of the stats schema. |
-| **inProgress** | The last sub-interval included in this entry in the format `yyyy-mm-dd:hh:mm:ss`, else undefined. For entries that are still in progress, such as the current month. |
+| appId | The ID of the Ably application the statistics are for. Only present when querying app statistics. |
+| accountId | The ID of the Ably account the statistics are for. Only present when querying account statistics. |
+| intervalId | Start time for the stats entry. Format is `yyyy-mm-dd:hh:mm` for `unit=minute`, and `yyyy-mm-dd:hh` for `unit=hour,day,month`. |
+| unit | Unit of time that the stats entry covers. One of `minute`, `hour`, `day` or `month`. |
+| schema | URI of the stats schema. |
+| inProgress | The last sub-interval included in this entry in the format `yyyy-mm-dd:hh:mm:ss`, else undefined. For entries that are still in progress, such as the current month. |
 
 ### All messages <a id="messages"/>
 
 All messages metrics include all messages types, such as those sent and received by Ably and clients, messages delivered via integrations and push notifications delivered to devices.
 
 Failed vs. Refused messages:
-- **Failed** messages are those that did not succeed for reasons other than Ably actively rejecting them, such as external integration target rejections or Ably service issues.
-- **Refused** messages are those that Ably actively chose to reject, typically due to rate limiting, malformed messages, or insufficient client permissions.
+- Failed messages are those that did not succeed for reasons other than Ably actively rejecting them, such as external integration target rejections or Ably service issues.
+- Refused messages are those that Ably actively chose to reject, typically due to rate limiting, malformed messages, or insufficient client permissions.
 
 | Metric | Description |
 | --- | --- |
-| **messages.all.all.count** | Total number of messages that were successfully received and sent by Ably, summed over all message types and transports. |
-| **messages.all.all.billableCount** | Total number of billable messages that were successfully received and sent by Ably, summed over all message types and transports. |
-| **messages.all.all.data** | Total data in messages successfully received and sent by Ably, summed over all message types and transports. |
-| **messages.all.all.uncompressedData** | Total data in messages successfully received and sent by Ably, excluding savings provided by delta compression. |
-| **messages.all.all.failed** | Total number of messages that failed. These are messages which did not succeed for some reason other than Ably explicitly refusing them, such as they were rejected by an external integration target, or a service issue on Ably's side. |
-| **messages.all.all.refused** | Total number of messages that were refused by Ably. For example, due to [rate limiting](/docs/platform/pricing/limits), malformed messages, or incorrect client permissions.|
-| **messages.all.messages.count** | Total message count, excluding presence and object messages. |
-| **messages.all.messages.billableCount** | Total billable message count, excluding presence and object messages. |
-| **messages.all.messages.data** | Total message size, excluding presence and object messages. |
-| **messages.all.messages.uncompressedData** | Total number of messages that failed. These are messages which did not succeed for some reason other than Ably explicitly refusing them, such as they were rejected by an external integration target, or a service issue on Ably's side. |
-| **messages.all.messages.failed** | Total number of messages excluding presence and object messages that failed. These are messages which did not succeed for some reason other than Ably explicitly refusing them, such as they were rejected by an external integration target, or a service issue on Ably's side. |
-| **messages.all.messages.refused** | Total number of messages excluding presence and object messages that were refused by Ably. For example, due to [rate limiting](/docs/platform/pricing/limits), malformed messages, or incorrect client permissions. |
-| **messages.all.presence.count** | Total presence message count. |
-| **messages.all.presence.billableCount** | Total billable presence message count. |
-| **messages.all.presence.data** | Total presence message size. |
-| **messages.all.presence.uncompressedData** | Total uncompressed presence message size, excluding delta compression. |
-| **messages.all.objects.count** | Total objects message count. |
-| **messages.all.objects.billableCount** | Total billable objects message count. |
-| **messages.all.objects.data** | Total objects message size. |
-| **messages.all.objects.uncompressedData** | Total uncompressed objects message size, excluding delta compression. |
-| **messages.all.messages.failed** | Total number of presence messages excluding presence and object messages that failed. These are messages which did not succeed for some reason other than Ably explicitly refusing them, such as they were rejected by an external integration target, or a service issue on Ably's side. |
-| **messages.all.messages.refused** | Total number of presence messages excluding presence and object messages that were refused by Ably. For example, due to [rate limiting](/docs/platform/pricing/limits), malformed messages, or incorrect client permissions. |
+| `messages.all.all.count` | Total number of messages that were successfully received and sent by Ably, summed over all message types and transports. |
+| `messages.all.all.billableCount` | Total number of billable messages that were successfully received and sent by Ably, summed over all message types and transports. |
+| `messages.all.all.data` | Total data in messages successfully received and sent by Ably, summed over all message types and transports. |
+| `messages.all.all.uncompressedData` | Total data in messages successfully received and sent by Ably, excluding savings provided by delta compression. |
+| `messages.all.all.failed` | Total number of messages that failed. These are messages which did not succeed for some reason other than Ably explicitly refusing them, such as they were rejected by an external integration target, or a service issue on Ably's side. |
+| `messages.all.all.refused` | Total number of messages that were refused by Ably. For example, due to [rate limiting](/docs/platform/pricing/limits), malformed messages, or incorrect client permissions.|
+| `messages.all.messages.count` | Total message count, excluding presence and object messages. |
+| `messages.all.messages.billableCount` | Total billable message count, excluding presence and object messages. |
+| `messages.all.messages.data` | Total message size, excluding presence and object messages. |
+| `messages.all.messages.uncompressedData` | Total number of messages that failed. These are messages which did not succeed for some reason other than Ably explicitly refusing them, such as they were rejected by an external integration target, or a service issue on Ably's side. |
+| `messages.all.messages.failed` | Total number of messages excluding presence and object messages that failed. These are messages which did not succeed for some reason other than Ably explicitly refusing them, such as they were rejected by an external integration target, or a service issue on Ably's side. |
+| `messages.all.messages.refused` | Total number of messages excluding presence and object messages that were refused by Ably. For example, due to [rate limiting](/docs/platform/pricing/limits), malformed messages, or incorrect client permissions. |
+| `messages.all.presence.count` | Total presence message count. |
+| `messages.all.presence.billableCount` | Total billable presence message count. |
+| `messages.all.presence.data` | Total presence message size. |
+| `messages.all.presence.uncompressedData` | Total uncompressed presence message size, excluding delta compression. |
+| `messages.all.objects.count` | Total objects message count. |
+| `messages.all.objects.billableCount` | Total billable objects message count. |
+| `messages.all.objects.data` | Total objects message size. |
+| `messages.all.objects.uncompressedData` | Total uncompressed objects message size, excluding delta compression. |
+| `messages.all.messages.failed` | Total number of presence messages excluding presence and object messages that failed. These are messages which did not succeed for some reason other than Ably explicitly refusing them, such as they were rejected by an external integration target, or a service issue on Ably's side. |
+| `messages.all.messages.refused` | Total number of presence messages excluding presence and object messages that were refused by Ably. For example, due to [rate limiting](/docs/platform/pricing/limits), malformed messages, or incorrect client permissions. |
 
 ### Inbound messages <a id="inbound"/>
 
diff --git a/src/pages/docs/platform/account/app/api.mdx b/src/pages/docs/platform/account/app/api.mdx
index f7a3df90e0..2421063578 100644
--- a/src/pages/docs/platform/account/app/api.mdx
+++ b/src/pages/docs/platform/account/app/api.mdx
@@ -43,10 +43,10 @@ Set resource restrictions to control access to channels and queues, ranging from
 
 | Restriction | Description |
 | ----------- | ----------- |
-| **None** | No restrictions; access any channel or queue. |
-| **Only channels** | Access any channel but not queues. |
-| **Only queues** | Access any queue but not channels. |
-| **Selected channels and queues** | Specify explicit rules for access. |
+| None | No restrictions; access any channel or queue. |
+| Only channels | Access any channel but not queues. |
+| Only queues | Access any queue but not channels. |
+| Selected channels and queues | Specify explicit rules for access. |
 
 When specifying selected channels and queues, you can provide a comma-separated list of resources. Each resource can match a single channel (e.g., `channel-name`) or multiple channels using wildcards (e.g., `namespace:*`). Queues use the prefix `[queue]` and meta channels use `[meta]`. See [capabilities documentation](/docs/auth/capabilities#wildcards) for detailed wildcard syntax.
 
@@ -60,7 +60,7 @@ A single API key cannot support complex permission combinations, such as publish
 
 | Option | Description |
 | ------ | ----------- |
-| **Revocable tokens** | Implement security measures by setting shorter token lifetimes and enabling the ability to revoke tokens issued by the API key. |
+| Revocable tokens | Implement security measures by setting shorter token lifetimes and enabling the ability to revoke tokens issued by the API key. |
 
 ### Change your API key settings
 
diff --git a/src/pages/docs/platform/account/app/settings.mdx b/src/pages/docs/platform/account/app/settings.mdx
index 311ad766b3..c3091d00a7 100644
--- a/src/pages/docs/platform/account/app/settings.mdx
+++ b/src/pages/docs/platform/account/app/settings.mdx
@@ -17,7 +17,7 @@ The following provides an overview of your application settings.
 | **App ID** | This ID is automatically generated by Ably when you create an application. It is a critical part of your application's identity and is included in every API key and token issued for your application. |
 | **Name** | This is the user-defined name that you assigned when creating your application. It is helpful for quickly identifying the application among others in your dashboard, especially if you manage multiple applications. |
 | **Security** | Enabled by default, this option enforces Transport Layer Security (TLS) for all connections to your application. TLS protocol ensures data encryption and secure communication between clients and servers. |
-| **Enabled** | When an application is **disabled**, it no longer accepts new connections and deactivates all associated services. Clients cannot connect, send or receive messages, or use other Ably services. When **enabled**, the application allows new connections and activates all related services. |
+| **Enabled** | When an application is disabled, it no longer accepts new connections and deactivates all associated services. Clients cannot connect, send or receive messages, or use other Ably services. When enabled, the application allows new connections and activates all related services. |
 
 ### Channel rule configuration
 
@@ -25,15 +25,15 @@ The following explains the configuration rules for specific [namespaces](/docs/c
 
 | Section | Description |
 | ------- | ----------- |
-| **Namespace or channel ID** | Identify the specific namespace or channel to which this rule will apply. |
-| **Persist last message** | Stores the last message published on a channel for 365 days, accessible via the rewind mechanism. |
-| **Persist all messages** | Ably stores all messages for two minutes by default. Depending on your account package, this can be increased to 24 or 72 hours. It is also possible to persist the last message sent to a channel for a year. |
-| **Identified** | Requires clients to authenticate with a client ID to interact with channels in this namespace. |
-| **TLS only** | Restricts access to channels within this namespace to clients connected using TLS. |
-| **Push notifications enabled** | Enables publishing messages with a push payload, triggering native push notifications to registered devices. |
-| **Message interactions enabled** | Enables unique time serial fields in messages, enabling typed references between messages (e.g., implementing 'Likes' in a chat). |
-| **Server-side batching enabled** | Batches inbound messages on the server side before sending them to subscribers based on the configured policy. |
-| **Cancel** | Discards changes and closes the dialog without saving the new rule.|
+| Namespace or channel ID | Identify the specific namespace or channel to which this rule will apply. |
+| Persist last message | Stores the last message published on a channel for 365 days, accessible via the rewind mechanism. |
+| Persist all messages | Ably stores all messages for two minutes by default. Depending on your account package, this can be increased to 24 or 72 hours. It is also possible to persist the last message sent to a channel for a year. |
+| Identified | Requires clients to authenticate with a client ID to interact with channels in this namespace. |
+| TLS only | Restricts access to channels within this namespace to clients connected using TLS. |
+| Push notifications enabled | Enables publishing messages with a push payload, triggering native push notifications to registered devices. |
+| Message interactions enabled | Enables unique time serial fields in messages, enabling typed references between messages (e.g., implementing 'Likes' in a chat). |
+| Server-side batching enabled | Batches inbound messages on the server side before sending them to subscribers based on the configured policy. |
+| Cancel | Discards changes and closes the dialog without saving the new rule.|
 
 ### Protocol adapter settings
 
@@ -41,9 +41,9 @@ The following explains the configuration support for various communication proto
 
 | Settings  | Description |
 | --------- | ----------- |
-| **Pusher protocol support** | Provides compatibility with the Pusher protocol. |
-| **PubNub protocol support** | Provides compatibility with the PubNub protocol. |
-| **MQTT protocol support** | Provides compatibility with the MQTT protocol. |
+| Pusher protocol support | Provides compatibility with the Pusher protocol. |
+| PubNub protocol support | Provides compatibility with the PubNub protocol. |
+| MQTT protocol support | Provides compatibility with the MQTT protocol. |
 
 ### Actions
 
diff --git a/src/pages/docs/platform/account/app/stats.mdx b/src/pages/docs/platform/account/app/stats.mdx
index a5b2f6eb4a..9387307bd7 100644
--- a/src/pages/docs/platform/account/app/stats.mdx
+++ b/src/pages/docs/platform/account/app/stats.mdx
@@ -18,19 +18,19 @@ The following explains the statistics table metrics:
 
 | Metric | Description |
 |--------|-------------|
-| **Messages (billable)** | Total number of messages used. |
-| **Messages published (REST & Realtime)** | Number of messages sent via REST and Realtime. |
-| **Messages received (Realtime)** | Number of messages received. |
-| **Messages persisted (history)** | Number of messages retrieved from history. |
-| **Messages retrieved (history)** | Number of messages retrieved from history. |
-| **Presence events (REST & Realtime)** | Number of presence-related events via REST and Realtime. |
-| **Webhook / Function** | Number of messages transferred through functions and webhooks. |
-| **Ably Queue** | Number of messages transferred through queues. |
-| **Firehose** | Number of messages transferred through Firehose. |
-| **Push notifications** | Number of push notifications sent. |
-| **Data transferred** | Amount of data transferred, in bytes. |
-| **Peak connections** | Highest number of concurrent connections. |
-| **Peak channels** | Highest number of concurrent channels. |
+| Messages (billable) | Total number of messages used. |
+| Messages published (REST & Realtime) | Number of messages sent via REST and Realtime. |
+| Messages received (Realtime) | Number of messages received. |
+| Messages persisted (history) | Number of messages retrieved from history. |
+| Messages retrieved (history) | Number of messages retrieved from history. |
+| Presence events (REST & Realtime) | Number of presence-related events via REST and Realtime. |
+| Webhook / Function | Number of messages transferred through functions and webhooks. |
+| Ably Queue | Number of messages transferred through queues. |
+| Firehose | Number of messages transferred through Firehose. |
+| Push notifications | Number of push notifications sent. |
+| Data transferred | Amount of data transferred, in bytes. |
+| Peak connections | Highest number of concurrent connections. |
+| Peak channels | Highest number of concurrent channels. |
 
 <Aside data-type='note'>
 Download or view detailed app statistics for a more granular analysis, enabling deeper dives into specific metrics as needed.
diff --git a/src/pages/docs/platform/account/index.mdx b/src/pages/docs/platform/account/index.mdx
index c9883556ce..98b7715222 100644
--- a/src/pages/docs/platform/account/index.mdx
+++ b/src/pages/docs/platform/account/index.mdx
@@ -8,7 +8,7 @@ redirect_from:
 
 Manage all aspects of your account, from Two-factor authentication ([2FA](/docs/platform/account/2fa)) and billing to user management and personal preferences.
 
-Begin by [logging](https://ably.com/login) in to Ably through your browser. Once you're logged in, you have access to the Ably dashboard, where you can click on the **Account** navigation dropdown to access the account settings:
+Begin by [logging](https://ably.com/login) in to Ably through your browser. Once you're logged in, you have access to the Ably dashboard, where you can click on the Account navigation dropdown to access the account settings:
 
 ![Ably Account Settings](../../../../images/content/screenshots/dash/account.png)
 
@@ -48,7 +48,7 @@ Monitor your account's resource consumption with detailed usage statistics:
 
 Manage the [users](/docs/platform/account/users) associated with your account:
 
-* The account owner role has full permissions to manage the account, including inviting and removing users, and assigning roles like **developer**, **billing**, or **admin**.
+* The account owner role has full permissions to manage the account, including inviting and removing users, and assigning roles like developer, billing, or admin.
 * Multiple roles can be assigned to a single user.
 * Remove, or change user roles within an Ably account.
 
diff --git a/src/pages/docs/platform/account/sso.mdx b/src/pages/docs/platform/account/sso.mdx
index 32aac9346b..d5a214a5e5 100644
--- a/src/pages/docs/platform/account/sso.mdx
+++ b/src/pages/docs/platform/account/sso.mdx
@@ -43,10 +43,10 @@ In your Ably account dashboard:
 1. Log in to your [account](https://ably.com/accounts/any).
 2. Select **Settings** from the account navigation dropdown.
 3. Complete the SSO fields with the values obtained from Okta:
-    * **Identity Provider Single Sign-On URL**
-    * **Identity Provider Issuer**
-    * **X.509 Certificate**
-4. **Save** the authentication settings.
+    * Identity Provider Single Sign-On URL
+    * Identity Provider Issuer
+    * X.509 Certificate
+4. Save the authentication settings.
 
 ### Google Workspace <a id="google"/>
 
@@ -65,17 +65,17 @@ Use the [Google Workspace guide](https://support.google.com/a/answer/6087519?hl=
 
 1. Upload the Ably logo.
 2. Copy and paste the metadata configuration into your Ably account:
-    * **Identity Provider Single Sign-On URL**
-    * Use **Entity ID** from Google Workspace as the **Identity Provider Issuer** in your Ably account.
-    * **X.509 Certificate**
-3. **Save** the authentication setting changes in your Ably account.
+    * Identity Provider Single Sign-On URL
+    * Use Entity ID from Google Workspace as the Identity Provider Issuer in your Ably account.
+    * X.509 Certificate
+3. Save the authentication setting changes in your Ably account.
 4. Copy and paste the SAML settings from your Ably account into Google Workspace:
-    * Use **Single sign on URL** from your Ably account as the **ACS URL** in Google Workspace.
-    * Use **SP Entity Id** from your Ably account as the **Entity ID** in Google Workspace.
-    * Use **Entity ID** from Google Workspace as the **Identity Provider Issuer** in your Ably account.
-    * Select **EMAIL** for the **Name ID format** field.
-    * Select **Basic Information > Primary Email** for the **Name ID** field.
-5. Ably requires users' full names, so ensure **first_name** and **last_name** are populated.
+    * Use Single sign on URL from your Ably account as the ACS URL in Google Workspace.
+    * Use SP Entity Id from your Ably account as the Entity ID in Google Workspace.
+    * Use Entity ID from Google Workspace as the Identity Provider Issuer in your Ably account.
+    * Select EMAIL for the Name ID format field.
+    * Select Basic Information > Primary Email for the Name ID field.
+5. Ably requires users' full names, so ensure first_name and last_name are populated.
 6. Assign users to the newly created Google Workspace application.
 7. Test the SSO connection from Google Workspace.
 
diff --git a/src/pages/docs/platform/account/users.mdx b/src/pages/docs/platform/account/users.mdx
index 39f58a7a48..ad020cdaba 100644
--- a/src/pages/docs/platform/account/users.mdx
+++ b/src/pages/docs/platform/account/users.mdx
@@ -45,7 +45,7 @@ User roles have the following permissions:
 The following steps add or remove roles from a user within an Ably account. You must be an account owner or admin to change user roles:
 
 1. Log in to your [account](https://ably.com/accounts/any).
-2. Select **Users** from the account navigation dropdown.
+2. Select Users from the account navigation dropdown.
 3. Click the checkboxes corresponding to the roles you want to add or remove.
 
 <Aside data-type='note'>
@@ -57,13 +57,13 @@ Follow [this process](https://faqs.ably.com/can-i-change-my-ably-account-owner)
 The following steps invite a new user to your account. You must be an account owner or admin to invite new users:
 
 1. Log in to your [account](https://ably.com/accounts/any).
-2. Select **Users** from the account navigation dropdown.
-3. Click **Invite new user**.
-4. Enter the user's first name and email address, then click **Invite**.
+2. Select Users from the account navigation dropdown.
+3. Click Invite new user.
+4. Enter the user's first name and email address, then click Invite.
 5. The user can then follow the instructions emailed to them to join your account.
 
 <Aside data-type='note'>
-You can view the status of pending invitations from the **Users** page. You can also re-send or revoke an invitation.
+You can view the status of pending invitations from the Users page. You can also re-send or revoke an invitation.
 </Aside>
 
 ## Remove users from an account <a id="remove"/>
@@ -71,8 +71,8 @@ You can view the status of pending invitations from the **Users** page. You can
 The following steps remove a user from your account. You must be an account owner or admin to remove users:
 
 1. Log in to your [account](https://ably.com/accounts/any).
-2. Select **Users** from the account navigation dropdown.
-3. Click the **Remove** button next to the user to remove from the account.
+2. Select Users from the account navigation dropdown.
+3. Click the Remove button next to the user to remove from the account.
 4. Confirm the action when prompted.
 
 ## Delete your profile or leave an account <a id="leave"/>
@@ -82,8 +82,8 @@ The following steps delete your profile or remove yourself from an Ably account:
 1. Log in to your [account](https://ably.com/accounts/any).
 2. Go to [My Settings](https://ably.com/users/edit).
 3. [Disconnect SSO provider](#sso) if you use SSO to log in.
-4. Scroll to **Want to delete your profile?**
-5. Click **Start** to remove yourself from this account.
+4. Scroll to Want to delete your profile?
+5. Click Start to remove yourself from this account.
 
 <Aside data-type='important'>
 **Account owners:** Deleting your profile will delete the entire account and all data. You must first [transfer ownership](https://faqs.ably.com/can-i-change-my-ably-account-owner) to another user before deleting your profile.
@@ -104,24 +104,24 @@ You will not be able to delete your account until the 1st of the month following
 
 5. [Disconnect SSO provider](#sso) if you use SSO to log in.
 6. Go to your [My Settings](https://ably.com/users/edit) page.
-7. Scroll to **Want to delete your profile?**
+7. Scroll to Want to delete your profile?
 
 <Aside data-type='note'>
-If you are using an SSO login you'll see a **Contact us** link instead of a **Start** button. You'll need to [disconnect your SSO provider](#sso) first.
+If you are using an SSO login you'll see a Contact us link instead of a Start button. You'll need to [disconnect your SSO provider](#sso) first.
 </Aside>
 
-8. Click **Start** to proceed with permanently closing your account.
-9. On the proceeding **Close Your Ably Account** page, review the accounts for closure.
-10. Click **Close Account** to permanently deactivate your account.
+8. Click Start to proceed with permanently closing your account.
+9. On the proceeding Close Your Ably Account page, review the accounts for closure.
+10. Click Close Account to permanently deactivate your account.
 
 ### Disconnect SSO provider <a id="sso"/>
 
 If you use SSO (Single Sign-On) to log in to your Ably account, you must first set a password and disconnect your SSO provider before closing your account. The self-service account closure process requires a password to authenticate the closure request. The following steps set a password and disconnect your SSO provider:
 
 1. Log in to your [account](https://ably.com/accounts/any) using your current SSO method (Google or GitHub).
-2. Navigate to **Account** then [My Settings.](https://ably.com/users/edit)
-3. In the **Password** section, click **Change your password**.
-4. Click **Update my personal settings** to save the changes.
-5. Scroll to the **Login provider** section.
-6. Click **remove connection** next to the SSO provider/s you want to disconnect.
+2. Navigate to Account then [My Settings.](https://ably.com/users/edit)
+3. In the Password section, click Change your password.
+4. Click Update my personal settings to save the changes.
+5. Scroll to the Login provider section.
+6. Click remove connection next to the SSO provider/s you want to disconnect.
 7. After completing these steps, return to the instructions above to [close your account](#close).
diff --git a/src/pages/docs/platform/errors/codes.mdx b/src/pages/docs/platform/errors/codes.mdx
index 8af4bf8d46..7fa83a0b73 100644
--- a/src/pages/docs/platform/errors/codes.mdx
+++ b/src/pages/docs/platform/errors/codes.mdx
@@ -53,7 +53,7 @@ This error occurs when [revocation](/docs/auth/revocation#revocable-tokens) is e
 ## 40005: Invalid credentials <a id="40005"/>
 
 This error occurs when the [API key](/docs/auth#api-keys) or [token](/docs/auth/token) used to initialize the library is invalid.
-**Resolution:** The following steps can help resolve this issue:
+Resolution: The following steps can help resolve this issue:
 
 * API key initialization:
 ** Ensure you are the account's **admin** or **owner**.
@@ -98,7 +98,7 @@ This error occurs when the SDK is unable to encode the [message payload](/docs/m
 
 An example of this error is when a client attempts to publish a payload that includes something that isn't serializable by an Ably SDK.
 
-**Resolution:** Try marshalling the payload as JSON or MsgPack before publishing.
+Resolution: Try marshalling the payload as JSON or MsgPack before publishing.
 
 ## 40015: Invalid deviceId <a id="40015"/>
 
@@ -141,7 +141,7 @@ This error occurs when the requested resource is invalid or already exists. It i
 
 Examples of this error include attempting to create a resource that already exists or providing an invalid resource name.
 
-**Resolution:** The following steps can help resolve this issue:
+Resolution: The following steps can help resolve this issue:
 * Ensure that an app with the requested name does not already exist in your account. If it does, use a different name.
 * Verify that the [capabilities](/docs/auth/capabilities#capability-operations) listed in the request are valid when creating an API key.
 
@@ -151,7 +151,7 @@ This error occurs when the requested operation is only available in a newer vers
 
 Examples of this error include attempting to use [channel objects](/docs/liveobjects) or message annotations, updates and deletes from an Ably SDK that does not support protocol version 2.
 
-**Resolution:** The following steps can help resolve this issue:
+Resolution: The following steps can help resolve this issue:
 * Upgrade the Ably SDK to a version that supports the requested operation.
 
 ## 40030: Invalid publish request (unspecified) <a id="40030"/>
@@ -162,7 +162,7 @@ This error occurs when a [publish request](/docs/pub-sub#publish) is malformed.
 
 This error occurs when a published message contains arbitrary fields in the [`extras`](/docs/api/realtime-sdk/messages#extras) payload that are not allowed by the Ably service. The `extras` field is reserved for specific objects related to Ably.
 
-**Resolution:** Place any additional data inside the `headers` field within `extras`. The `headers` field must be a flat object (`map<string, string>` or equivalent) with no nested structures. If using unenveloped Reactor rules, ensure that header names are in `ASCII`, as they will be converted into HTTP, AMQP, or other protocol headers.
+Resolution: Place any additional data inside the `headers` field within `extras`. The `headers` field must be a flat object (`map<string, string>` or equivalent) with no nested structures. If using unenveloped Reactor rules, ensure that header names are in `ASCII`, as they will be converted into HTTP, AMQP, or other protocol headers.
 
 The following example is a valid `extras` object:
 
@@ -187,7 +187,7 @@ This error occurs when [authentication](/docs/auth) credentials are invalid. The
 
 An example of this error is when a signed token request is invalid due to a mismatched cryptographic signature (MAC does not match) or when the `clientId` specified in the Ably SDK does not match the `clientId` in the access token.
 
-**Resolution:** Review your authentication setup and token request implementation. Ensure the following:
+Resolution: Review your authentication setup and token request implementation. Ensure the following:
 
 * The cryptographic signature (MAC) is correct - If a signed token request is invalid, Ably will reject it.
 * The API key used to generate the token request is accurate - Double-check for missing or extra characters.
@@ -219,13 +219,13 @@ This error occurs when an API key is used over a non-TLS (unencrypted) connectio
 
 Non-TLS transports can be inspected by network devices routing traffic between the client and Ably. Ably does not allow API key authentication over non-TLS connections. However, Ably supports [basic authentication](/docs/auth/basic) over TLS and [token authentication](/docs/auth/token) over non-TLS connections.
 
-**Resolution:** Select the appropriate [authentication mechanism](/docs/auth#selecting-auth) for your use case.
+Resolution: Select the appropriate [authentication mechanism](/docs/auth#selecting-auth) for your use case.
 
 ## 40104: Timestamp not current <a id="40104"/>
 
 This error occurs when a signed token request sent to Ably is too old. Ably enforces timestamp validation to ensure [`TokenRequest`](/docs/auth/token#token-request) remain valid for a limited time, reducing the risk of interception and misuse.
 
-**Resolutions:** The following steps can help resolve this issue:
+Resolutions: The following steps can help resolve this issue:
 * Ensure that the authentication servers clock is accurate when generating signed token requests.
 * If time synchronization is unreliable, set the `queryTime` [ClientOptions](/docs/api/rest-sdk/types#client-options) object to true when initializing the Ably client. This ensures Ably's server time is used.
 * Do not cache signed token requests on the authentication server or client. Each token request must be freshly generated and used immediately.
@@ -254,7 +254,7 @@ var ably = new Ably.Realtime({
 ```
 </Code>
 
-**Resolution:** The following steps can help resolve this issue:
+Resolution: The following steps can help resolve this issue:
 * Ensure that each token request is unique and never cached by the authentication server or client.
 * Always generate a new token request each time authCallback is invoked.
 * If retrieving a token request over HTTP, prevent caching by using the Cache-Control header (no-cache, no-store, must-revalidate) or by adding a cache-busting query string parameter, where the number is regenerated for every request, for example, `?rnd=73849275`.
@@ -280,7 +280,7 @@ This error occurs when your account has exceeded the concurrent [channel limit](
 
 Examples of this error are when the application attempts to open more channels than the account allows, causing new channel creation to be blocked. Also, during development, an implementation error or bug causes unintended channel creation, leading to the limit being reached.
 
-**Resolution:** Detach unused channels to free up space for new ones.
+Resolution: Detach unused channels to free up space for new ones.
 
 ## 40115: Account restricted (request limit exceeded) <a id="40115"/>
 
@@ -298,7 +298,7 @@ This error occurs when the application has reached the maximum number of [API ke
 
 This error occurs when the [Ably API key](/docs/auth#api-keys) used to initialize the SDK is no longer valid because it has been [revoked](/docs/auth/revocation) by an admin of the application.
 
-**Resolution:** The following steps can help resolve this issue:
+Resolution: The following steps can help resolve this issue:
 * If you are an admin, go to the [API keys tab](/docs/platform/account/app/api) in the Ably dashboard to check for valid keys. Use an existing valid key or create a new one with the necessary permissions.
 * If you are not an admin, request a new API key from an administrator or obtain a token request generated with a valid key.
 
@@ -306,7 +306,7 @@ This error occurs when the [Ably API key](/docs/auth#api-keys) used to initializ
 
 This error occurs when the [Ably API key](/docs/auth#api-keys) used to authorize a token [revocation](/docs/auth/revocation) request does not match the key that originally issued the token.
 
-**Resolution:** The following steps can help resolve this issue:
+Resolution: The following steps can help resolve this issue:
 * Ensure that the public API key ID used in the request matches the key that originally issued the token.
 * Verify that the `keyname` in the request path corresponds with the API key used for authentication.
 
@@ -314,7 +314,7 @@ This error occurs when the [Ably API key](/docs/auth#api-keys) used to authorize
 
 This error occurs when attempting to authenticate with a [token](/docs/auth/token) that has been [revoked](/docs/auth/revocation) and is no longer valid.
 
-**Resolution:** Ensure that you are using a valid, [non-revoked](/docs/auth/revocation). token for authentication. If needed, generate a new token and use it for authorization.
+Resolution: Ensure that you are using a valid, [non-revoked](/docs/auth/revocation). token for authentication. If needed, generate a new token and use it for authorization.
 
 ## 40142: Token expired <a id="40142"/>
 
@@ -322,7 +322,7 @@ This error occurs when the authentication [token](/docs/auth/token#refresh) has
 
 An example of this error is when a client attempts to authenticate with a token that has exceeded its time-to-live (TTL).
 
-**Resolution:** The following steps can help resolve this issue:
+Resolution: The following steps can help resolve this issue:
 * Use [`authUrl`](/docs/auth/token#auth-url) or [`authCallback`](/docs/auth/token#auth-callback) in your client configuration to enable automatic token renewal.
 * If `authUrl` or `authCallback` is correctly configured, the client SDK will automatically renew the token when needed, so you may see this error temporarily before renewal occurs.
 
@@ -332,7 +332,7 @@ This error occurs when the provided token is not recognized as a valid Ably [tok
 
 An example of this error is when a JWT is incorrectly formatted or when an Ably token does not follow the expected structure, for example: `<appId>.<randomBytes>`. Any token that does not adhere to the correct format will not be recognized.
 
-**Resolution:** Validate the token format before using it for authentication. If creating a [JWT](/docs/auth/token#jwt), use a standard JWT library to ensure correct generation. If using an Ably token, verify that it matches the expected format as returned from the [`requestToken`](/docs/api/token-request-spec#examples) endpoint.
+Resolution: Validate the token format before using it for authentication. If creating a [JWT](/docs/auth/token#jwt), use a standard JWT library to ensure correct generation. If using an Ably token, verify that it matches the expected format as returned from the [`requestToken`](/docs/api/token-request-spec#examples) endpoint.
 
 ## 40144: Unexpected error decoding JWT; decode exception <a id="40144"/>
 
@@ -353,7 +353,7 @@ This error occurs when the client does not have permission to perform the reques
 
 An example of this error is when a token request includes an empty [capability object](/docs/auth/capabilities#capabilities-token), for example: `({})`, meaning the client has no assigned permissions, or when the requested [resource](/docs/auth/capabilities#wildcards) does not match the API key's allowed capabilities.
 
-**Resolution:** Ensure the [API key](/docs/auth#api-keys) supports the required [capabilities](/docs/auth/capabilities#capabilities-key) for the requested action.
+Resolution: Ensure the [API key](/docs/auth#api-keys) supports the required [capabilities](/docs/auth/capabilities#capabilities-key) for the requested action.
 
 ## 40161: Access denied to channel: namespace requires identified clients <a id="40161"/>
 
@@ -365,7 +365,7 @@ This error occurs when an authentication attempt using [`authUrl`](/docs/auth/to
 
 Examples of this error include when a `TokenRequest` callback times out after the default 10-second limit. Also, when he `authUrl` response is missing a Content-Type header has an unsupported Content-Type.
 
-**Resolution:** The following steps can help resolve this issue:
+Resolution: The following steps can help resolve this issue:
 * Check for network latency between the client and the authentication server.
 * Ensure the authentication server returns a valid Content-Type header and one of the supported content types:
 ** `application/json`
@@ -379,7 +379,7 @@ This error occurs when no [`authUrl`](/docs/auth/token#auth-url) or [`authCallba
 
 Tokens have a set expiration time, and once expired, they are no longer valid for communication with Ably. If `authUrl` or `authCallback` is configured, the SDK will automatically request a new token before expiration, ensuring uninterrupted operation.
 
-**Resolution:** Ensure that `authUrl` or `authCallback` is set in your client configuration. This allows the SDK to automatically request a new token before the current one expires.
+Resolution: Ensure that `authUrl` or `authCallback` is set in your client configuration. This allows the SDK to automatically request a new token before the current one expires.
 
 ## 40300: Forbidden <a id="40300"/>
 
@@ -394,7 +394,7 @@ The following are example for this error:
 
 By default, Ably apps require [TLS](/docs/platform/account/app/settings#channel-rule-configuration) for connections. This error occurs when a realtime SDK attempts to connect with TLS disabled (tls: false) while using token authentication.
 
-**Resolution:** The following steps can help resolve this issue:
+Resolution: The following steps can help resolve this issue:
 * Ensure that the `tls` [`ClientOption`](/docs/api/realtime-sdk?#client-options) is set to true when connecting.
 * If using [API key](/docs/platform/account/app/api#create) authentication, note that this scenario will result in a [`40103`](#40103) error instead.
 
@@ -404,7 +404,7 @@ This error occurs when an app belonging to a dedicated (private) [cluster](/docs
 
 An example of this error is when an app configured for a private cluster tries to connect via the default global endpoint.
 
-**Resolution:** Check your custom environment settings for all connecting clients to ensure they point to the correct private cluster endpoints.
+Resolution: Check your custom environment settings for all connecting clients to ensure they point to the correct private cluster endpoints.
 
 ## 40331: Unable to activate account due to placement constraint (incompatible environment) <a id="40331"/>
 
@@ -414,7 +414,7 @@ If a request arrives at an unexpected dedicated cluster or incorrect region, the
 
 An example of this error is when a client intended for a dedicated environment, such as acme, connects to the default global endpoint (`main.realtime.ably.net`) instead of the correct dedicated cluster endpoint (`acme.realtime.ably.net`). If the expected environment is not configured, requests may be rejected.
 
-**Resolution:** Verify that all connecting clients are configured with the correct custom environment settings to ensure they are pointing to the intended dedicated cluster.
+Resolution: Verify that all connecting clients are configured with the correct custom environment settings to ensure they are pointing to the intended dedicated cluster.
 
 ## 40332: Unable to activate account due to placement constraint (incompatible site) <a id="40332"/>
 
@@ -422,7 +422,7 @@ This error occurs when attempting to connect to an app for an account restricted
 
 An example of this error is when a client attempts to connect to an Ably app restricted to the EU region but does not specify the EU environment in the SDK configuration.
 
-**Resolution:** The following steps can help resolve this issue:
+Resolution: The following steps can help resolve this issue:
 * Ensure you are configured with the correct environment for your [region-restricted](https://faqs.ably.com/do-you-have-an-option-to-keep-my-data-in-europe-or-the-united-states) account.
 * If your account has a regional constraint, you should have been provided with a [custom](/docs/platform/account/enterprise-customization#setting-up-a-custom-environment) environment to pass to the [`ClientOptions`](/docs/getting-started/setup#options).
 * Verify that your connection settings match the region assigned to your account.
@@ -463,7 +463,7 @@ scope = channel:[YOUR APP ID]:[YOUR CHANNEL]
 ```
 </Code>
 
-**Resolution:** Wait for the rate limit period to reset before retrying. Optimize your message publishing to stay within allowed limits. Upgrade your package if higher throughput is required. Review your account limits to determine which restriction has been hit.
+Resolution: Wait for the rate limit period to reset before retrying. Optimize your message publishing to stay within allowed limits. Upgrade your package if higher throughput is required. Review your account limits to determine which restriction has been hit.
 
 ## 42911: Maximum account-wide instantaneous messages rate exceeded <a id="42911"/>
 
@@ -473,7 +473,7 @@ This error occurs when the number of [messages](/docs/platform/pricing/limits#me
 
 This error occurs when multiple concurrent [metadata REST requests](/docs/metadata-stats/metadata#rest) are made to retrieve a list of active channels. The API is rate-limited, allowing only one in-flight call at a time. Additional concurrent requests will be rejected with this error.
 
-**Resolution:** The following steps can help resolve this issue:
+Resolution: The following steps can help resolve this issue:
 * Ensure that only one request is in progress at any given time.
 * Implement request queuing or backoff strategies to avoid sending concurrent calls.
 * If you require enhanced channel [enumeration capabilities](/docs/api/rest-api#enumeration-rest), visit this page to request access to the preview API.
@@ -511,7 +511,7 @@ This error occurs as a result of a request not being handled due to an internal
 
 This error occurs when you previously [activated](/docs/push/configure/device#activate-devices) a device for push notifications with a specific `clientId`, but then changed the `clientId` used for authentication. The mismatch causes the error because the push notification setup tracks the `clientId` and other details to prevent accidental changes between app launches. The `clientId` is linked to registrations, such as subscribing by `clientId`.
 
-**Resolution:** If you need to change your client's `clientId`, deactivate and reactivate the device. This process triggers an internal `device.reset()` call, which clears and resets the old device details.
+Resolution: If you need to change your client's `clientId`, deactivate and reactivate the device. This process triggers an internal `device.reset()` call, which clears and resets the old device details.
 
 ## 70001: Reactor operation failed (POST operation failed) <a id="70001"/>
 
@@ -531,7 +531,7 @@ This error occurs when the rule worker is unable to access or retrieve data from
 
 An example of this error is misconfigurations in the database setup or inconsistencies between the provided configuration and the actual database schema or table names.
 
-**Resolution:** The following steps can help resolve this issue:
+Resolution: The following steps can help resolve this issue:
 * Verify the configuration of the outbox and nodes tables in the database to ensure they are correctly set up and match the rule definition.
 * Check for database connectivity issues and confirm that the database is accessible.
 * Ensure that the schema and table names align with the expected configuration.
@@ -540,7 +540,7 @@ An example of this error is misconfigurations in the database setup or inconsist
 
 This error occurs when a [MongoDB Change Stream](https://www.mongodb.com/docs/manual/changeStreams/#change-streams) event does not contain the required `_ablyChannel` field after being processed through the Change Stream pipeline. This field is essential for identifying the channel where the change event message will be published.
 
-**Resolution:** The following steps can help resolve this issue:
+Resolution: The following steps can help resolve this issue:
 * Ensure that the `_ablyChannel` field is present at the root level of the change event.
 * Avoid nesting it inside other sections, such as `$fullDocument._ablyChannel`.
 * The field must be part of the main structure of the change event to allow proper identification.
@@ -549,7 +549,7 @@ This error occurs when a [MongoDB Change Stream](https://www.mongodb.com/docs/ma
 
 This error occurs when the [MongoDB Change Stream](https://www.mongodb.com/docs/manual/changeStreams/#change-streams) fails to start due to an invalid pipeline. An example of this error is when the pipeline syntax does not conform to MongoDB's requirements or contains unrecognized operators.
 
-**Resolution:** The following steps can help resolve this issue:
+Resolution: The following steps can help resolve this issue:
 * Review the pipeline syntax for errors and ensure all operators are valid.
 * Adjust the pipeline to match MongoDB's accepted structure and syntax guidelines.
 
@@ -557,7 +557,7 @@ This error occurs when the [MongoDB Change Stream](https://www.mongodb.com/docs/
 
 This error occurs when the [MongoDB Change Stream](https://www.mongodb.com/docs/manual/changeStreams/#change-streams) cannot be resumed because the resume token document stored in MongoDB is not in the correct format.
 
-**Resolution:** The following steps can help resolve this issue:
+Resolution: The following steps can help resolve this issue:
 * Verify the format of the stored resume token document in MongoDB.
 * Ensure the token meets the expected structure and format required for MongoDB Change Stream resumption.
 * Refer to the MongoDB documentation for guidelines on properly storing and using resume tokens.
@@ -566,7 +566,7 @@ This error occurs when the [MongoDB Change Stream](https://www.mongodb.com/docs/
 
 This error occurs when the [MongoDB Change Stream](https://www.mongodb.com/docs/manual/changeStreams/#change-streams) resume token cannot be stored in the `ably` collection of the database.
 
-**Resolution:** The following steps can help resolve this issue:
+Resolution: The following steps can help resolve this issue:
 * Verify that the integration rule and MongoDB connection string are correctly configured.
 * Ensure the database user has the necessary read and write permissions for the `ably` collection.
 * Adjust permissions if needed to allow the token to be successfully stored.
@@ -589,7 +589,7 @@ This error occurs when a [connection](/docs/connect/states#connection-states) re
 
 If this error occurs, the client establishes a new connection instead of resuming the old one. Any messages sent during the gap will be missed, unless channel persistence is enabled.
 
-**Resolution:** Ensure that resume attempts occur within the two-minute window to successfully recover a connection. If message loss is a concern, use [history](/docs/api/realtime-sdk/history) to retrieve missed messages.
+Resolution: Ensure that resume attempts occur within the two-minute window to successfully recover a connection. If message loss is a concern, use [history](/docs/api/realtime-sdk/history) to retrieve missed messages.
 
 ## 80014: Connection timed out <a id="80014"/>
 
@@ -597,13 +597,13 @@ This error occurs when a realtime [connection](/docs/connect/states#connection-s
 
 The request will be automatically retried by the SDK.
 
-**Resolution:** If the client never connects to the [primary or fallback endpoints](https://faqs.ably.com/routing-around-network-and-dns-issues), check any firewall rules that may be blocking access to Ably's [endpoints](https://faqs.ably.com/if-i-need-to-whitelist-ablys-servers-from-a-firewall-which-ports-ips-and/or-domains-should-i-add).
+Resolution: If the client never connects to the [primary or fallback endpoints](https://faqs.ably.com/routing-around-network-and-dns-issues), check any firewall rules that may be blocking access to Ably's [endpoints](https://faqs.ably.com/if-i-need-to-whitelist-ablys-servers-from-a-firewall-which-ports-ips-and/or-domains-should-i-add).
 
 ## 80016: Operation on superseded connection <a id="80016"/>
 
 This error occurs when a browser [connection](/docs/connect/states#connection-states) upgrades from an HTTP (Comet) transport to WebSockets. It is logged by the client library when operations are performed on the older transport.
 
-**Resolution:** the following steps can help resolve this issue:
+Resolution: the following steps can help resolve this issue:
 * If this error only appears in logs, it is harmless and does not affect your application. No action is needed.
 * If you receive this error as a response to a request, contact Ably support with relevant logs and details, and they will investigate the issue.
 
@@ -611,7 +611,7 @@ This error occurs when a browser [connection](/docs/connect/states#connection-st
 
 This error occurs when a [connection](/docs/connect/states#connection-states) has been closed and an operation is attempted on it, such as calling a channel or presence method, for example, `channel.presence.update` while the connection is still in a closed state.
 
-**Resolution:** The following steps can help resolve this issue:
+Resolution: The following steps can help resolve this issue:
 * Check the client's connection state before performing operations to ensure the connection is active.
 * If the connection is closed, reconnect before making requests to avoid this error.
 
@@ -619,7 +619,7 @@ This error occurs when a [connection](/docs/connect/states#connection-states) ha
 
 This error occurs when an invalid `connectionId` is supplied.
 
-**Resolution:** If you are seeing resumes failing in ably-js, this was a known bug in ably-js versions 1.2.30 through 1.2.33. Upgrading to the latest version of ably-js should resolve the issue.
+Resolution: If you are seeing resumes failing in ably-js, this was a known bug in ably-js versions 1.2.30 through 1.2.33. Upgrading to the latest version of ably-js should resolve the issue.
 
 ## 80019: Auth server rejecting request <a id="80019"/>
 
@@ -629,7 +629,7 @@ This error occurs when the client library fails to obtain a token using the clie
 
 This error occurs when a client exceeds the [outbound](/docs/platform/pricing/limits#connection) subscribe message rate on a realtime connection.
 
-**Resolution:** The subscriber will receive an `UPDATE` [channel state change](/docs/api/realtime-sdk/channels#channel-state-change) event, indicating that continuity is lost. Use the [`resume`](/docs/connect/states#resume) flag to determine whether to recover missing messages or handle the failure accordingly.
+Resolution: The subscriber will receive an `UPDATE` [channel state change](/docs/api/realtime-sdk/channels#channel-state-change) event, indicating that continuity is lost. Use the [`resume`](/docs/connect/states#resume) flag to determine whether to recover missing messages or handle the failure accordingly.
 
 ## 80021: Max new connections rate exceeded <a id="80021"/>
 
@@ -639,13 +639,13 @@ This error occurs when the maximum allowed rate of new connections for an accoun
 
 This error can occur when using the Comet transport, where a `send` or `recv` request is sent to the system but reaches a different frontend instance than the one hosting the connection. This can happen due to a disruption on a frontend instance.
 
-**Resolution:** This is a non-fatal error, and no action is required. The transport will automatically drop and be re-initiated without any need for manual intervention.
+Resolution: This is a non-fatal error, and no action is required. The transport will automatically drop and be re-initiated without any need for manual intervention.
 
 ## 80023: Unable to resume connection from a different site <a id="80023"/>
 
 This error occurs when a disconnected client attempts to resume a [connection](/docs/connect) from a different site than the original connection. This typically happens when a client tries to [`resume`](/docs/connect/states#resume) via a fallback host.
 
-**Resolution:** Channel message continuity will not be possible in this scenario. Any messages sent while the client was disconnected will need to be retrieved using [history](/docs/storage-history/history).
+Resolution: Channel message continuity will not be possible in this scenario. Any messages sent while the client was disconnected will need to be retrieved using [history](/docs/storage-history/history).
 
 ## 90001: Channel operation failed (invalid channel state) <a id="90001"/>
 
@@ -653,7 +653,7 @@ This error occurs when an application attempts to perform an operation on a chan
 
 An example of this error is when an application tries to [publish](/docs/pub-sub#publish) a message or attach to a channel that is in a failed state due to a prior error. As a result, the operation fails because actions cannot be performed on a channel in this state.
 
-**Resolution:** The following steps can help resolve this issue:
+Resolution: The following steps can help resolve this issue:
 * Ensure the channel is in an appropriate state before performing any operations.
 * Use an Ably SDK to listen for channel state changes and handle operations accordingly.
 * Implement state change callbacks to trigger the intended operation when the channel is in a valid [state](/docs/channels/states).
@@ -668,13 +668,13 @@ This error occurs when a channel fails to [attach](/docs/channels/states#attach)
 
 Note: In older versions of the ably-java SDK, this error was incorrectly assigned to error code `91200`.
 
-**Resolution:** Adjust the `realtimeRequestTimeout` or `channelRetryTimeout` (depending on the SDK) to a higher value to allow more time for the attachment process.
+Resolution: Adjust the `realtimeRequestTimeout` or `channelRetryTimeout` (depending on the SDK) to a higher value to allow more time for the attachment process.
 
 ## 90010: Maximum number of channels per connection exceeded <a id="90010"/>
 
 This error occurs when a Realtime client [attaches](/docs/channels/states#attach) to more channels than the account allows on a single connection. This happens when channels are attached but never explicitly detached, causing the limit to be reached.
 
-**Resolution:** Review your channel [limits](/docs/platform/pricing/limits#channel) and ensure that channels are explicitly detached when no longer needed.
+Resolution: Review your channel [limits](/docs/platform/pricing/limits#channel) and ensure that channels are explicitly detached when no longer needed.
 
 ## 90021: Max channel creation rate exceeded <a id="90021"/>
 
@@ -697,7 +697,7 @@ This error occurs when the [maximum](/docs/platform/pricing/limits#hitting) numb
 
 This is a client-side issue that occurs when an up-to-date [presence](/docs/presence-occupancy/presence) set cannot be retrieved due to connection issues. It typically happens when calling `presence.get()` while the channel is in a suspended state, often caused by an interruption in the client's internet connection.
 
-**Resolution:** The following steps can help resolve this issue:
+Resolution: The following steps can help resolve this issue:
 * Ensure the client has an active connection before calling `presence.get()`.
 * If an outdated presence set is acceptable, set `waitForSync` to `false` to retrieve the presence data even when out of sync.
 
@@ -712,7 +712,7 @@ This error occurs when an object message used to represent [operations](/docs/li
 
 This error occurs when the maximum number of [objects](/docs/liveobjects) on the channel has exceeded the allowed [limit](/docs/platform/pricing/limits#channel) for the account or application.
 
-**Resolution:**
+Resolution:
 * Remove any unnecessary objects from the channel to free up space, for example by [removing](/docs/liveobjects/map#remove) any references to them.
 * [Upgrade](/docs/pricing) your package to increase the [limit](/docs/platform/pricing/limits#channel) on the allowed number of objects on the channel.
 
@@ -720,7 +720,7 @@ This error occurs when the maximum number of [objects](/docs/liveobjects) on the
 
 This error occurs when attempting to perform an [operation](/docs/liveobjects/concepts/operations) on a [tombstone](/docs/liveobjects/concepts/objects#tombstones) object (an object that has been marked as deleted).
 
-**Resolution:**
+Resolution:
 * Retry the operation on an object that is not a tombstone and is [reachable](/docs/liveobjects/concepts/objects#reachability) from the [root object](/docs/liveobjects/concepts/objects#root-object) .
 
 ## 92003: Unable to fetch object tree with tombstone object as root <a id="92003"/>
@@ -729,7 +729,7 @@ This error occurs when attempting to fetch an [object](/docs/liveobjects/concept
 
 You may encounter this error when [fetching objects](/docs/liveobjects/rest-api-usage#fetching-objects-get-children) via the REST API using the `children` query parameter, or if using the [compact](/docs/liveobjects/rest-api-usage#fetching-objects-compact) endpoint.
 
-**Resolution:**
+Resolution:
 * Retry the operation on an object that is not a tombstone and is [reachable](/docs/liveobjects/concepts/objects#reachability) from the [root object](/docs/liveobjects/concepts/objects#root-object) .
 
 ## 92004: Object not found <a id="92004"/>
@@ -738,7 +738,7 @@ This error occurs when attempting to access an [object](/docs/liveobjects/concep
 
 You may encounter this error when using the [REST API](/docs/liveobjects/rest-api-usage) or if calling methods on a [LiveMap](/docs/liveobjects/map) or [LiveCounter](/docs/liveobjects/map) instance that has been deleted.
 
-**Resolution:**
+Resolution:
 * Listen for [lifecycle events](/docs/liveobjects/lifecycle) on object instances to be notified when an object is deleted.
 * Retry the REST API request with a valid [object ID](/docs/liveobjects/rest-api-usage#updating-objects-by-id) or [path](/docs/liveobjects/rest-api-usage#updating-objects-by-path) that corresponds to an existing object.
 
@@ -746,14 +746,14 @@ You may encounter this error when using the [REST API](/docs/liveobjects/rest-ap
 
 This error occurs when no objects are found that match the specified [path](/docs/liveobjects/rest-api-usage#updating-objects-by-path) when using the REST API.
 
-**Resolution:**
+Resolution:
 * Ensure that the `path` is correctly specified and corresponds to an existing object.
 
 ## 92006: Unable to perform operation without objectId or path <a id="92006"/>
 
 This error occurs when attempting to perform an operation without providing either an [object ID](/docs/liveobjects/rest-api-usage#updating-objects-by-id) or [path](/docs/liveobjects/rest-api-usage#updating-objects-by-path) to identify the target object when using the REST API.
 
-**Resolution:**
+Resolution:
 * Ensure that the request includes either an `objectId` or a `path` parameter to specify the target object for the operation.
 
 ## 92007: Operation not processable on path <a id="92007"/>
@@ -762,7 +762,7 @@ This error occurs when the requested operation cannot be processed for the objec
 
 You may encounter this error when the type of the object located at the specified path does not support the specified operation (e.g. publishing a `COUNTER_INC` operation on a [LiveMap](/docs/liveobjects/map) instance).
 
-**Resolution:**
+Resolution:
 * Ensure that the operation is valid for the type of object at the specified path.
 
 ## 93001: Attempt to add an annotation listener without having requested the annotation_subscribe channel mode <a id="93001"/>
@@ -783,7 +783,7 @@ This error occurs when attempting to use [message annotations](/docs/messages/an
 
 This error occurs when calling [`spaces.get()`](/docs/spaces/space#options) without specifying a space name. The name parameter is required to retrieve a space.
 
-**Resolution:** Ensure that a valid space name is provided when calling `spaces.get()`:
+Resolution: Ensure that a valid space name is provided when calling `spaces.get()`:
 
 <Code>
 ```javascript
@@ -795,7 +795,7 @@ const space = await spaces.get('mySpaceName');
 
 This error occurs when calling a function that requires the client to be [entered](/docs/spaces/space#enter) into a space, but the client has not yet done so.
 
-**Resolution:** Ensure that `space.enter()` is called before performing operations that require the client to be inside the space:
+Resolution: Ensure that `space.enter()` is called before performing operations that require the client to be inside the space:
 
 <Code>
 ```javascript
diff --git a/src/pages/docs/platform/index.mdx b/src/pages/docs/platform/index.mdx
index 6eb2335895..73514638a8 100644
--- a/src/pages/docs/platform/index.mdx
+++ b/src/pages/docs/platform/index.mdx
@@ -44,22 +44,22 @@ Ably takes security seriously and has implemented comprehensive measures to prot
 
 ### Reporting security vulnerabilities
 
-If you believe you have found a security or privacy vulnerability that could impact Ably or our users, we encourage you to report it immediately by following our [Vulnerability Disclosure Policy](https://ably.com/disclosure).
+If you believe you have found a security or privacy vulnerability that could impact Ably or its users, report it immediately by following the [Vulnerability Disclosure Policy](https://ably.com/disclosure).
 
 #### How to report
 
-1. Submit detailed reports through our official disclosure process.
+1. Submit detailed reports through the official disclosure process.
 2. Each report should explain one vulnerability with clear impact assessment.
 3. Include step-by-step reproduction instructions or proof of concept.
 4. Use responsible disclosure practices.
 
 #### Bug bounty program
 
-Ably operates a bug bounty program that rewards security researchers for legitimate vulnerability reports. Successful researchers are recognized on our [acknowledgements page](https://ably.com/acknowledgements).
+Ably operates a bug bounty program that rewards security researchers for legitimate vulnerability reports. Successful researchers are recognized on the [acknowledgements page](https://ably.com/acknowledgements).
 
 #### Legal protection
 
-Activities conducted in accordance with our vulnerability disclosure policy are considered authorized conduct. Ably will not initiate legal action against researchers operating in good faith within our policy guidelines.
+Activities conducted in accordance with the vulnerability disclosure policy are considered authorized conduct. Ably will not initiate legal action against researchers operating in good faith within policy guidelines.
 
 For questions regarding coordinated disclosure, contact [security@ably.com](mailto:security@ably.com).
 
diff --git a/src/pages/docs/protocols/index.mdx b/src/pages/docs/protocols/index.mdx
index 591fc54feb..33484d38b0 100644
--- a/src/pages/docs/protocols/index.mdx
+++ b/src/pages/docs/protocols/index.mdx
@@ -9,7 +9,7 @@ Ably SDKs are the recommended method for connecting to Ably because they offer s
 
 Protocol adapters offer an alternative method for connecting to Ably. The advantage to protocol adapters is that they require fewer resources in terms of memory and network overhead such as in smaller footprint devices, or on a platform where an Ably SDK isn't available such as an Arduino-based IoT wearable. The potential drawback to consider when evaluating protocol adapters is that they do not support the full set of Ably features, for example the MQTT protocol adapter does not support presence, and the SSE protocol adapter does not support automatic token renewal.
 
-At Ably we have designed our own set of protocols that allow us to deliver unparalleled service continuity guarantees. This would not be possible without tight integration of the protocol, our platform and our infrastructure. However, we recognize that there are many valid use cases where other protocols are more suitable. As such, we provide a protocol adapter service that runs on our servers that allows customers to use the right protocol for their use case, yet still benefit from the robust service Ably can provide.
+Ably has designed its own set of protocols that deliver unparalleled service continuity guarantees. This would not be possible without tight integration of the protocol, platform and infrastructure. However, there are many valid use cases where other protocols are more suitable. As such, Ably provides a protocol adapter service that runs on its servers that allows customers to use the right protocol for their use case, yet still benefit from the robust service Ably can provide.
 
 Protocol adapters ensure that any number of protocols can be mixed yet are interoperable. For example, you could publish sensor data using MQTT, yet subscribe to this information reliably in your mobile apps using Ably client libraries.
 
@@ -30,7 +30,7 @@ Ably supports multiple protocols in addition to the native WebSockets-based one:
 
 MQTT (MQ Telemetry Transport) is a publish/subscribe, lightweight messaging protocol designed for constrained devices and low-bandwidth networks. One of the major uses of MQTT is with IoT (Internet of Things), where these principles are key to having effective communication between various devices.
 
-MQTT can also be used with Ably as a basic event broker or if we don't have an SDK for your target platform. However, without an SDK you don't get access to the full range of platform features and data guarantees.
+MQTT can also be used with Ably as a basic event broker or if there isn't an SDK for your target platform. However, without an SDK you don't get access to the full range of platform features and data guarantees.
 
 Read more in the [MQTT section](/docs/protocols/mqtt).