diff --git a/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/set-up/per-hostname.mdx b/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/set-up/per-hostname.mdx
index 7a20a1d4c6d73f..ec4832da99ab4b 100644
--- a/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/set-up/per-hostname.mdx
+++ b/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/set-up/per-hostname.mdx
@@ -46,21 +46,17 @@ In the API response, save the certificate `id` since it will be required in step
product="ssl"
/>
-## 3. Enable Authenticated Origin Pulls (globally)
-
-
-
-## 4. Enable Authenticated Origin Pulls for the hostname
+## 3. Enable Authenticated Origin Pulls for the hostname
Use the Cloudflare API to send a [`PUT`](/api/resources/origin_tls_client_auth/subresources/hostnames/methods/update/) request to enable Authenticated Origin Pulls for specific hostnames.
If you had set up logging on your origin during step 2, test and confirm that Authenticated Origin Pulls is working.
-## 5. Enforce validation check on your origin
+## 4. Enforce validation check on your origin
-## 6. (Optional) Set up alerts for hostname-level Authenticated Origin Pulls certificates
+## 5. (Optional) Set up alerts for hostname-level Authenticated Origin Pulls certificates
You can configure alerts to receive notifications before your AOP certificates expire.
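Review bot: The renumbering starting at `## 3. Enable Authenticated Origin Pulls for the hostname` can leave stale step references, and the hunk does not touch the one visible in its own context: "save the certificate `id` since it will be required in step ...". If that sentence points at the hostname enable step, it needs to say step 3 now, not step 4. The headings carry their numbers, so the generated anchors for old steps 4, 5 and 6 change as well. Please search the docs for links to the old numbered anchors on this page and update or redirect them. The removed `## 3. Enable Authenticated Origin Pulls (globally)` heading also drops the only mention of the global setting, so consider a sentence under the new step 3 stating whether the per-hostname `PUT` is sufficient on its own, for readers following older instructions.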
diff --git a/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/set-up/zone-level.mdx b/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/set-up/zone-level.mdx
index 1e97f1a984b9a1..7da14d925001b5 100644
--- a/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/set-up/zone-level.mdx
+++ b/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/set-up/zone-level.mdx
@@ -54,17 +54,11 @@ Using a custom certificate is required if you need your domain to be [FIPS](http
-## 4. Enable Authenticated Origin Pulls for all hostnames in a zone
-
-Use the Cloudflare API to send a [`PUT`](/api/resources/origin_tls_client_auth/subresources/settings/methods/update/) request to enable zone-level authenticated origin pulls.
-
-If you had set up logging on your origin during [step 2](#2-configure-origin-to-accept-client-certificates), test and confirm that Authenticated Origin Pulls is working.
-
-## 5. Enforce validation check on your origin
+## 4. Enforce validation check on your origin
-## 6. (Optional) Set up alerts for zone-level Authenticated Origin Pulls certificates
+## 5. (Optional) Set up alerts for zone-level Authenticated Origin Pulls certificates
You can configure alerts to receive notifications before your AOP certificates expire.
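Review bot: Removing old step 4 takes out both the `PUT` that enables zone-level Authenticated Origin Pulls and the "test and confirm that Authenticated Origin Pulls is working" sentence, so in this hunk the page now moves straight to `## 4. Enforce validation check on your origin`. Unless the enable call and the logging-based test were moved into step 3 (not visible here), a reader can enforce client certificate validation on the origin before Cloudflare presents a certificate, and requests to the origin will then fail. Please either keep a short "confirm in your origin logs before enforcing" note at the top of the new step 4, or point to where enabling and testing now happen. The renumbered headings also change the anchors for old steps 5 and 6, so inbound links of the form used in the removed line (`#2-configure-origin-to-accept-client-certificates`) that target those steps should be checked.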