Clarify APNs sandbox endpoint requirements

src/pages/docs/platform/account/control-api.mdx

@@ -240,6 +240,14 @@ curl --location --request POST 'https://control.ably.net/v1/accounts/${ACCOUNT_I
 ```
 </Code>
 
+<Aside data-type='note'>
+The `apnsUseSandboxEndpoint` field controls which [APNs endpoint](https://developer.apple.com/documentation/usernotifications/sending-notification-requests-to-apns) Ably uses to deliver push notifications. Set to `true` for the sandbox endpoint `api.sandbox.push.apple.com` or `false` for the production endpoint `api.push.apple.com`.
+
+You must specify this field for both token-based (.p8) and certificate-based (.p12) authentication. Use sandbox when testing with development builds and production for App Store or TestFlight distribution.
+
+For certificate-based authentication, ensure the endpoint matches your certificate type. Use a development certificate for sandbox, and a distribution certificate for production.
+</Aside>
+
 See the [API reference](/docs/api/control-api/#tag/apps/paths/~1accounts~1{account_id}~1apps/post) for information on the request body.
 
 Sample response:

src/pages/docs/push/configure/device.mdx

@@ -43,9 +43,23 @@ To enable push notifications for iOS devices, you need to configure your app to
 1. Use [token-based](#token) authentication (recommended) with a **.p8 file**.
 2. Use [certificate-based](#cert) authentication with a **.p12** or **.cer** file.
 
-#### Token-based authentication <a id="token"/>
+#### Token-based authentication (recommended) <a id="token"/>
 
-Use token-based authentication for new or updated apps because it is easier to manage and does not require yearly renewal like certificates. Token-based authentication relies on a private key (.p8) instead of .p12 certificates, making it the preferred choice for modern push notification setups.
+Use token-based authentication for new or updated apps. Apple recommends this approach and is [actively deprecating certificate-based authentication](https://developer.apple.com/documentation/usernotifications/establishing-a-token-based-connection-to-apns).
+
+Token-based authentication is recommended for the following reasons:
+
+| Aspect | Certificate (.p12) | Token (.p8) |
+| ------ | ------------------ | ----------- |
+| Expiration | Expires annually, requires renewal | Never expires, unless manually revoked |
+| Scope | One certificate per app | One key works for all apps in your team |
+| Management | Manual renewal, export from Keychain | Simpler, easier CI/CD automation |
+
+<Aside data-type='note'>
+For both authentication methods, you must specify whether to use the sandbox or production APNs endpoint. Use sandbox when testing with development builds from Xcode, and production when distributing via App Store or TestFlight.
+
+You are responsible for matching the endpoint selection with your certificate type. Use a development certificate for sandbox, and a distribution certificate for production.
+</Aside>
 
 * **Download the .p8 file**:
   * Go to the [Apple Developer Program](https://developer.apple.com/documentation/usernotifications/establishing-a-token-based-connection-to-apns) and sign in.