update descriptions

Author: ranbel

src/content/docs/cloudflare-one/applications/non-http/self-hosted-private-app.mdx

@@ -18,6 +18,7 @@ This feature replaces the legacy [private network app type](/cloudflare-one/appl
 
 - Private IPs and hostnames are reachable over Cloudflare WARP, Magic WAN or Browser Isolation. For more details, refer to [Connect a private network](/cloudflare-one/connections/connect-networks/private-net/).
 - Private hostnames route to your custom DNS resolver through [Local Domain Fallback](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/local-domains/) or [Gateway resolver policies](/cloudflare-one/policies/gateway/resolver-policies/).
+- (Optional) Turn on [Gateway TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/) if you want to use Access JWTs to manage [HTTPS application sessions](#https-applications).
 
 ## Add your application to Access
 
@@ -57,7 +58,7 @@ This feature replaces the legacy [private network app type](/cloudflare-one/appl
 
 12. Select **Next**.
 
-13. (Optional) Configure advanced settings. These settings only apply to private hostnames and require Gateway TLS decryption.
+13. (Optional) Configure advanced settings. These settings only apply to private hostnames and require [Gateway TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/).
 
 		- [**Cross-Origin Resource Sharing (CORS) settings**](/cloudflare-one/identity/authorization-cookie/cors/)
 		- [**Cookie settings**](/cloudflare-one/identity/authorization-cookie/#cookie-settings)
@@ -70,14 +71,17 @@ This feature replaces the legacy [private network app type](/cloudflare-one/appl
 
 Users can now connect to your private application after authenticating with Cloudflare Access.
 
-## Login page
+## Authentication flow
 
-### Browser notification
+### HTTPS applications
 
-To prompt users to login in the browser, [Gateway TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/) must be enabled. When the user connects to your private hostname or IP, Access will open your [login page](/cloudflare-one/applications/login-page/) and issue an authorization JWT to your origin.
+If [Gateway TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/) is turned on and a user is accessing an HTTPS application on port `443`, Cloudflare Access will present a login page in the browser and issue an [application token](/cloudflare-one/identity/authorization-cookie/application-token/) to your origin. This is the same cookie-based authentication flow used by [self-hosted public apps](/cloudflare-one/applications/configure-apps/self-hosted-public-app/).
 
-### System notification
-If you do not turn on [Gateway TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/), users will receive a pop-up notification from the WARP client and all session management will be handled in the WARP client.
+If [Gateway TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/) is turned off, session management is [handled in the WARP client](#non-https-applications) instead of in the browser.
+
+### Non-HTTPS applications
+
+The WARP client manages sessions for all non-HTTPS applications. Users will receive an `Authentication required` pop-up notification from the WARP client. When the user selects the notification, WARP will open a browser window with your Access login page.
 
 <Render file="gateway/client-notifications-os" product="cloudflare-one" />