docs: update tenants, assets, and admin user guide

packages/documentation/src/content/docs/admin/admin-user-guide.mdx

@@ -196,9 +196,9 @@ The Edit Tenant page includes the following sections:
 |                               | Email       | The tenant's email address.                                                                 |
 | Identity Provider Information | Consent URL | The URL for the tenant's identity provider consent endpoint.                                |
 |                               | Secret      | The secret for the tenant's identity provider.                                              |
-| Sensitive Information         | API Secret  | A unique identifier assigned by Rafiki when the tenant was created. This cannot be changed. |
+| Sensitive Information         | API Secret  | The tenant's API credential used to authenticate requests. Read-only for operators.         |
 
-You can modify the public name, email, consent URL, and secret for a tenant. The tenant ID and API secret are read-only.
+You can modify the public name, email, consent URL, and secret for a tenant. The tenant ID cannot be changed. The API secret is read-only for operators but can be rotated by the tenants when logged in under their own account.
 
 After editing any of the preceding fields, select **Save** to commit those changes.
 
@@ -215,7 +215,9 @@ The Assets page allows you to manage assets in your Rafiki instance, including v
 On this page, all configured assets appear in a table where you can view the asset ID, the asset code, the scale, and the withdrawal threshold. The list of assets shows only those for the current tenant, as determined by your API credentials.
 
 :::note
-Operators can create, edit, and delete assets for any tenant. Tenants can only view and manage their own assets.
+Operators can create, view, edit, and delete both their own assets and those that belong to any tenant. 
+
+Tenants can create, view, edit, and delete their own assets only.
 :::
 
 <LargeImg
@@ -266,6 +268,10 @@ While the Edit Asset page shares fields with the Create Asset page, it also incl
 
 After editing any of the preceding fields in the General Information or Sending Fee sections, select **Save** to commit those changes.
 
+:::note
+The asset code and scale cannot be modified after creation. These fields remain read-only when viewing or editing an existing asset.
+:::
+
 #### Delete asset
 
 The final section of the Edit Asset page is the irreversible action of deleting an asset. Select **Delete asset** to make this change.

packages/documentation/src/content/docs/integration/requirements/assets.mdx

@@ -13,15 +13,14 @@ An asset represents an item of value that can be transferred via the Interledger
 
 **Permissions**
 
-- Operators can create assets for any tenant
-- Operators can view any asset
-- Operators can edit and delete assets that belong to any tenant
-- Tenants can only view their own assets
-- Tenants can only edit and delete their own assets
-- Tenants cannot create assets
+Operators can create, view, edit, and delete both their own assets and those that belong to any tenant.
+
+Tenants can create, view, edit, and delete their own assets only.
 
 ## Add an asset
 
+Use the `createAsset` mutation to register a new asset with your Rafiki instance.
+
 <Tabs>
   <TabItem label="Operation">
     ```graphql
@@ -81,3 +80,139 @@ The `asset` object in the response will include the `tenantId` of the tenant to
 
   </TabItem>
 </Tabs>
+
+## Update an asset
+
+Once an asset has been created, you may need to adjust its operational threshold values. You can use the `updateAsset` mutation to modify the `liquidityThreshold`.
+
+This threshold determines when Rafiki triggers low‑liquidity notifications or webhooks, but does not directly deposit or withdraw asset liquidity.
+
+For information about adding or removing liquidity, see [Asset liquidity](/admin/liquidity/asset-liquidity).
+
+<Tabs>
+  <TabItem label="Operation">
+    ```graphql
+    mutation UpdateAsset($input: UpdateAssetInput!) {
+      updateAsset(input: $input) {
+        asset {
+          id
+          code
+          scale
+          withdrawalThreshold
+          liquidityThreshold
+          tenantId
+        }
+      }
+    }
+    ```
+  </TabItem>
+
+  <TabItem label="Variables">
+    The input object for the update operation requires the asset `id`. Only the threshold fields are editable; all other fields are immutable.
+
+    ```json
+    {
+      "input": {
+        "id": "b3dffeda-1e0e-47d4-82a3-69b1a622eeb9",
+        "withdrawalThreshold": 100,
+        "liquidityThreshold": 500
+      }
+    }
+    ```
+
+    For more information about this mutation’s input object, see [`UpdateAssetInput`](/apis/graphql/backend/#definition-UpdateAssetInput).
+
+    :::note[Tenant ID and HMAC-signed request headers]
+    <TenantIdHmacNote />
+    :::
+
+  </TabItem>
+
+  <TabItem label="Response">
+    ```json
+    {
+      "data": {
+        "updateAsset": {
+          "asset": {
+            "id": "b3dffeda-1e0e-47d4-82a3-69b1a622eeb9",
+            "code": "USD",
+            "scale": 2,
+            "withdrawalThreshold": 100,
+            "liquidityThreshold": 500,
+            "tenantId": "3fa85f64-5717-4562-b3fc-2c963f66afa6"
+          }
+        }
+      }
+    }
+    ```
+
+:::note[Tenant ID in the asset response]
+The `asset` object in the response will include the `tenantId` of the tenant to which the asset belongs. This `tenantId` is used to identify the tenant when processing requests related to the asset.
+:::
+
+  </TabItem>
+</Tabs>
+
+---
+
+## Delete an asset
+
+Deleting an asset removes it from active use within a Rafiki instance.
+
+You can only delete an asset if it's not associated with any peers or wallet addresses. Rafiki prevents deleting any asset that's still in use.
+
+<Tabs>
+  <TabItem label="Operation">
+    ```graphql
+    mutation DeleteAsset($input: DeleteAssetInput!) {
+      deleteAsset(input: $input) {
+        asset {
+          id
+          code
+          scale
+          tenantId
+        }
+      }
+    }
+    ```
+  </TabItem>
+
+  <TabItem label="Variables">
+    ```json
+    {
+      "input": {
+        "id": "b3dffeda-1e0e-47d4-82a3-69b1a622eeb9"
+      }
+    }
+    ```
+
+    For more information about this mutation’s input object, see [`DeleteAssetInput`](/apis/graphql/backend/#definition-DeleteAssetInput).
+
+    :::note[Tenant ID and HMAC-signed request headers]
+    <TenantIdHmacNote />
+    :::
+
+  </TabItem>
+
+  <TabItem label="Response">
+    ```json
+    {
+      "data": {
+        "deleteAsset": {
+          "asset": {
+            "id": "b3dffeda-1e0e-47d4-82a3-69b1a622eeb9",
+            "code": "USD",
+            "scale": 2,
+            "tenantId": "3fa85f64-5717-4562-b3fc-2c963f66afa6"
+          }
+        }
+      }
+    }
+    ```
+
+:::note[Tenant ID in the asset response]
+The `asset` object in the response will include the `tenantId` of the tenant to which the asset belongs. This `tenantId` is used to identify the tenant when processing requests related to the asset.
+:::
+
+  </TabItem>
+</Tabs>

packages/documentation/src/content/docs/integration/requirements/peers.mdx

@@ -21,12 +21,9 @@ Whether you are using the Backend Admin API or the Rafiki Admin application, the
 
 **Permissions**
 
-- Operators can create peers for any tenant
-- Operators can view any peer
-- Operators can edit and delete peers that belong to any tenant
-- Tenants can only view their own peers
-- Tenants can only edit and delete their own peers
-- Tenants cannot create peers
+Operators can create, view, edit, and delete both their own peers and those that belong to any tenant.
+
+Tenants can view, edit, and delete only their own peers. They cannot create peers.
 
 ## Perform prerequisites
 

packages/documentation/src/content/docs/integration/requirements/tenants.mdx

@@ -54,6 +54,10 @@ Only operators can create, edit, and delete tenants.
 
 ## Create a tenant
 
+Use the `createTenant` mutation to register a new tenant within your Rafiki instance.
+
+This operation is restricted to operators. When a new tenant is created, Rafiki automatically assigns a default ILP address, applies standard configuration settings, and registers the tenant with the `auth` service. Operators can also provide initial custom settings during creation.
+
 After you create a tenant, securely communicate the tenant `id` and `apiSecret` to the tenant out-of-band.
 
 <Tabs>
@@ -111,6 +115,10 @@ After you create a tenant, securely communicate the tenant `id` and `apiSecret`
 
 ## Update a tenant
 
+Use the `updateTenant` mutation to modify an existing tenant’s configuration.
+
+Tenants can update their own profile details such as the public name, contact email, or identity provider URLs. Tenants can also rotate their own `apiSecret` using this mutation. Operators can update any tenant’s information, but cannot modify a tenant's `apiSecret` on their behalf.
+
 <Tabs>
   <TabItem label="Operation">
     ```graphql
@@ -166,6 +174,10 @@ After you create a tenant, securely communicate the tenant `id` and `apiSecret`
 
 ## Delete a tenant
 
+Use the `deleteTenant` mutation to remove a tenant from Rafiki. Only operators can perform this action.
+
+Deleting a tenant marks the tenant as deleted and removes all associated tenant settings and authentication entries. After deletion, the tenant can no longer be used to create or manage resources in Rafiki.
+
 <Tabs>
   <TabItem label="Operation">
     ```graphql