diff --git a/public/__redirects b/public/__redirects index 40c933e8be6dddc..1aaf7d55bb5d017 100644 --- a/public/__redirects +++ b/public/__redirects @@ -2382,6 +2382,10 @@ # Cloudflare One nav revamp /cloudflare-one/connections/ /cloudflare-one/ 301 +/cloudflare-one/identity/users/ /cloudflare-one/team-and-resources/users/ 301 +/cloudflare-one/identity/users/session-management/ /cloudflare-one/team-and-resources/users/session-management/ 301 +/cloudflare-one/identity/users/seat-management/ /cloudflare-one/team-and-resources/users/seat-management/ 301 +/cloudflare-one/identity/users/scim/ /cloudflare-one/team-and-resources/users/scim/ 301 /cloudflare-one/connections/connect-devices/* /cloudflare-one/team-and-resources/devices/:splat 301 /cloudflare-one/connections/connect-networks/* /cloudflare-one/networks/connectors/cloudflare-tunnel/:splat 301 /cloudflare-one/policies/gateway/* /cloudflare-one/traffic-policies/:splat 301 @@ -2391,7 +2395,7 @@ /cloudflare-one/identity/one-time-pin/ /cloudflare-one/integrations/identity-providers/one-time-pin/ 301 /cloudflare-one/identity/idp-integration/* /cloudflare-one/integrations/identity-providers/:splat 301 /cloudflare-one/identity/devices/service-providers/* /cloudflare-one/integrations/service-providers/:splat 301 -/cloudflare-one/applications/configure-apps/* /cloudflare-one/access-controls/applications/configure-apps/:splat 301 +/cloudflare-one/applications/configure-apps/* /cloudflare-one/access-controls/applications/http-apps/:splat 301 /cloudflare-one/applications/non-http/* /cloudflare-one/access-controls/applications/non-http/:splat 301 # Learning paths diff --git a/src/content/changelog/access/2025-03-03-saml-oidc-fields-saml-transformations.mdx b/src/content/changelog/access/2025-03-03-saml-oidc-fields-saml-transformations.mdx index dfc6ba3cca6a23f..9bab43a83bfcec1 100644 --- a/src/content/changelog/access/2025-03-03-saml-oidc-fields-saml-transformations.mdx 
+++ b/src/content/changelog/access/2025-03-03-saml-oidc-fields-saml-transformations.mdx @@ -6,7 +6,7 @@ products: - access --- -[Access for SaaS applications](/cloudflare-one/access-controls/applications/configure-apps/saas-apps/) now include more configuration options to support a wider array of SaaS applications. +[Access for SaaS applications](/cloudflare-one/access-controls/applications/http-apps/saas-apps/) now include more configuration options to support a wider array of SaaS applications. **SAML and OIDC Field Additions** diff --git a/src/content/changelog/access/2025-04-09-SCIM-provisioning-logs.mdx b/src/content/changelog/access/2025-04-09-SCIM-provisioning-logs.mdx index 3ddf64ca8720659..1df3162291f0c79 100644 --- a/src/content/changelog/access/2025-04-09-SCIM-provisioning-logs.mdx +++ b/src/content/changelog/access/2025-04-09-SCIM-provisioning-logs.mdx @@ -6,7 +6,7 @@ products: - access --- -[Cloudflare Zero Trust SCIM provisioning](/cloudflare-one/identity/users/scim) now has a full audit log of all create, update and delete event from any SCIM Enabled IdP. The [SCIM logs](/cloudflare-one/insights/logs/scim-logs/) support filtering by IdP, Event type, Result and many more fields. This will help with debugging user and group update issues and questions. +[Cloudflare Zero Trust SCIM provisioning](/cloudflare-one/team-and-resources/users/scim) now has a full audit log of all create, update and delete event from any SCIM Enabled IdP. The [SCIM logs](/cloudflare-one/insights/logs/scim-logs/) support filtering by IdP, Event type, Result and many more fields. This will help with debugging user and group update issues and questions. SCIM logs can be found on the Zero Trust Dashboard under **Logs** -> **SCIM provisioning**. diff --git a/src/content/changelog/access/2025-08-26-access-mcp-oauth.mdx b/src/content/changelog/access/2025-08-26-access-mcp-oauth.mdx index ac854ff0b5c970b..609ae0082925797 100644 
--- a/src/content/changelog/access/2025-08-26-access-mcp-oauth.mdx +++ b/src/content/changelog/access/2025-08-26-access-mcp-oauth.mdx @@ -8,6 +8,6 @@ products: You can now control who within your organization has access to internal MCP servers, by putting internal MCP servers behind [Cloudflare Access](/cloudflare-one/access-controls/policies/). -[Self-hosted applications](/cloudflare-one/access-controls/applications/configure-apps/mcp-servers/linked-apps/) in Cloudflare Access now support OAuth for MCP server authentication. This allows Cloudflare to delegate access from any self-hosted application to an MCP server via OAuth. The OAuth access token authorizes the MCP server to make requests to your self-hosted applications on behalf of the authorized user, using that user's specific permissions and scopes. +[Self-hosted applications](/cloudflare-one/access-controls/applications/http-apps/mcp-servers/linked-apps/) in Cloudflare Access now support OAuth for MCP server authentication. This allows Cloudflare to delegate access from any self-hosted application to an MCP server via OAuth. The OAuth access token authorizes the MCP server to make requests to your self-hosted applications on behalf of the authorized user, using that user's specific permissions and scopes. For example, if you have an MCP server designed for internal use within your organization, you can configure Access policies to ensure that only authorized users can access it, regardless of which MCP client they use. Support for internal, self-hosted MCP servers also works with MCP server portals, allowing you to provide a single MCP endpoint for multiple MCP servers. For more on MCP server portals, read the [blog post](https://blog.cloudflare.com/zero-trust-mcp-server-portals/) on the Cloudflare Blog. diff --git a/src/content/changelog/access/2025-08-26-mcp-server-portals.mdx b/src/content/changelog/access/2025-08-26-mcp-server-portals.mdx index 8e86f8a344fbd24..659564bf3d6ff7f 100644 
--- a/src/content/changelog/access/2025-08-26-mcp-server-portals.mdx +++ b/src/content/changelog/access/2025-08-26-mcp-server-portals.mdx @@ -8,7 +8,7 @@ products: ![MCP server portal](~/assets/images/changelog/access/mcp-server-portal.png) -An [MCP server portal](/cloudflare-one/access-controls/applications/configure-apps/mcp-servers/mcp-portals/) centralizes multiple Model Context Protocol (MCP) servers onto a single HTTP endpoint. Key benefits include: +An [MCP server portal](/cloudflare-one/access-controls/applications/http-apps/mcp-servers/mcp-portals/) centralizes multiple Model Context Protocol (MCP) servers onto a single HTTP endpoint. Key benefits include: - **Streamlined access to multiple MCP servers**: MCP server portals support both unauthenticated MCP servers as well as MCP servers secured using any third-party or custom OAuth provider. Users log in to the portal URL through Cloudflare Access and are prompted to authenticate separately to each server that requires OAuth. - **Customized tools per portal**: Admins can tailor an MCP portal to a particular use case by choosing the specific tools and prompt templates that they want to make available to users through the portal. This allows users to access a curated set of tools and prompts — the less external context exposed to the AI model, the better the AI responses tend to be. diff --git a/src/content/docs/agents/model-context-protocol/authorization.mdx b/src/content/docs/agents/model-context-protocol/authorization.mdx index 642f75182f95c4e..a58a9abf8d1adf4 100644 --- a/src/content/docs/agents/model-context-protocol/authorization.mdx +++ b/src/content/docs/agents/model-context-protocol/authorization.mdx 
@@ -81,7 +81,7 @@ Remember — [authentication is different from authorization](https://www.cloud You can use Cloudflare Access as a Single Sign-On (SSO) provider to authorize users to your MCP server. Users log in using a [configured identity provider](/cloudflare-one/integrations/identity-providers/) or a [one-time PIN](/cloudflare-one/integrations/identity-providers/one-time-pin/), and they are only granted access if their identity matches your [Access policies](/cloudflare-one/access-controls/policies/). -To deploy an [example MCP server](https://github.com/cloudflare/ai/tree/main/demos/remote-mcp-cf-access) with Cloudflare Access as the OAuth provider, refer to [Secure MCP servers with Access for SaaS](/cloudflare-one/access-controls/applications/configure-apps/mcp-servers/saas-mcp/). +To deploy an [example MCP server](https://github.com/cloudflare/ai/tree/main/demos/remote-mcp-cf-access) with Cloudflare Access as the OAuth provider, refer to [Secure MCP servers with Access for SaaS](/cloudflare-one/access-controls/applications/http-apps/mcp-servers/saas-mcp/). ### (3) Third-party OAuth Provider diff --git a/src/content/docs/agents/model-context-protocol/mcp-portal.mdx b/src/content/docs/agents/model-context-protocol/mcp-portal.mdx index 5459fdc6089f3cd..8f9b31dc6ba439b 100644 --- a/src/content/docs/agents/model-context-protocol/mcp-portal.mdx +++ b/src/content/docs/agents/model-context-protocol/mcp-portal.mdx @@ -5,7 +5,7 @@ tags: - MCP sidebar: order: 101 -external_link: /cloudflare-one/access-controls/applications/configure-apps/mcp-servers/mcp-portals/ +external_link: /cloudflare-one/access-controls/applications/http-apps/mcp-servers/mcp-portals/ description: Centralize multiple MCP servers onto a single endpoint and customize the tools, prompts, and resources available to users. --- 
diff --git a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/secure-with-access.mdx b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/secure-with-access.mdx index ec1d926bd0a9790..37af35adc58c146 100644 --- a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/secure-with-access.mdx +++ b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/secure-with-access.mdx @@ -25,4 +25,4 @@ Cloudflare Access provides visibility and control over who has access to your [c 5. Select **Add public hostname**. 6. For **Input method**, select _Custom_. 7. In **Hostname**, enter your custom hostname (for example, `mycustomhostname.com`). -8. Follow the remaining [self-hosted application creation steps](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/) to publish the application. +8. Follow the remaining [self-hosted application creation steps](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) to publish the application. diff --git a/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/index.mdx b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/index.mdx similarity index 67% rename from src/content/docs/cloudflare-one/access-controls/applications/configure-apps/index.mdx rename to src/content/docs/cloudflare-one/access-controls/applications/http-apps/index.mdx index 0b530ad5e94822c..3c87b0fc8a94b8f 100644 --- a/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/index.mdx +++ b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/index.mdx 
@@ -13,12 +13,12 @@ Cloudflare Access allows you to secure your web applications by acting as an ide You can protect the following types of web applications: -- [**SaaS applications**](/cloudflare-one/access-controls/applications/configure-apps/saas-apps/) consist of applications your team relies on that are not hosted by your organization. Examples include Salesforce and Workday. To secure SaaS applications, you must integrate Cloudflare Access with the SaaS application's SSO configuration. +- [**SaaS applications**](/cloudflare-one/access-controls/applications/http-apps/saas-apps/) consist of applications your team relies on that are not hosted by your organization. Examples include Salesforce and Workday. To secure SaaS applications, you must integrate Cloudflare Access with the SaaS application's SSO configuration. - **Self-hosted applications** consist of internal applications that you host in your own environment. These can be the data center versions of tools like the Atlassian suite or applications created by your own team. Setup requirements for a self-hosted application depend on whether the application is publicly accessible on the Internet or restricted to users on a private network. - - [**Public hostname applications**](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/) are web applications that have public DNS records. Anyone on the Internet can access the application by entering the URL in their browser and authenticating through Cloudflare Access. Securing access to a public website requires a Cloudflare DNS [full setup](/dns/zone-setups/full-setup/) or [partial CNAME setup](/dns/zone-setups/partial-setup/). + - [**Public hostname applications**](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) are web applications that have public DNS records. Anyone on the Internet can access the application by entering the URL in their browser and authenticating through Cloudflare Access. 
Securing access to a public website requires a Cloudflare DNS [full setup](/dns/zone-setups/full-setup/) or [partial CNAME setup](/dns/zone-setups/partial-setup/). - [**Private network applications**](/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/) do not have public DNS records, meaning they are not reachable from the public Internet. To connect using a private IP or private hostname, the user's traffic must route through Cloudflare Gateway. The preferred method is to install the WARP client on the user's device, but you could also forward device traffic from a [network location](/magic-wan/) or use an agentless option such as [PAC files](/cloudflare-one/team-and-resources/devices/agentless/pac-files/) or [Clientless Web Isolation](/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/). -- [**Model Context Protocol (MCP) servers**](/cloudflare-one/access-controls/applications/configure-apps/mcp-servers/) are web applications that enable generative AI tools to read and write data within your business applications. For example, Salesforce provides an [MCP server](https://github.com/salesforcecli/mcp) for developers to interact with resources in their Salesforce tenant using GitHub Copilot or other AI code editors. +- [**Model Context Protocol (MCP) servers**](/cloudflare-one/access-controls/applications/http-apps/mcp-servers/) are web applications that enable generative AI tools to read and write data within your business applications. For example, Salesforce provides an [MCP server](https://github.com/salesforcecli/mcp) for developers to interact with resources in their Salesforce tenant using GitHub Copilot or other AI code editors. - [**Cloudflare Dashboard SSO**](/fundamentals/manage-members/dashboard-sso/) is a special type of SaaS application that manages SSO settings for the Cloudflare dashboard and has limited permissions for administrator edits. 
diff --git a/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/mcp-servers/index.mdx b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/mcp-servers/index.mdx similarity index 100% rename from src/content/docs/cloudflare-one/access-controls/applications/configure-apps/mcp-servers/index.mdx rename to src/content/docs/cloudflare-one/access-controls/applications/http-apps/mcp-servers/index.mdx diff --git a/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/mcp-servers/linked-apps.mdx b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/mcp-servers/linked-apps.mdx similarity index 89% rename from src/content/docs/cloudflare-one/access-controls/applications/configure-apps/mcp-servers/linked-apps.mdx rename to src/content/docs/cloudflare-one/access-controls/applications/http-apps/mcp-servers/linked-apps.mdx index 78ca51f016ae532..14470bd309008a4 100644 --- a/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/mcp-servers/linked-apps.mdx +++ b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/mcp-servers/linked-apps.mdx 
@@ -10,7 +10,7 @@ sidebar: import { Render, GlossaryTooltip, APIRequest } from "~/components"; -Cloudflare Access can delegate access from any [self-hosted application](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/) to an [Access for SaaS MCP server](/cloudflare-one/access-controls/applications/configure-apps/mcp-servers/saas-mcp/) via [OAuth](https://modelcontextprotocol.io/specification/2025-03-26/basic/authorization). The OAuth access token authorizes the MCP server to make requests to your self-hosted applications on behalf of the user, using the user's specific permissions and scopes. +Cloudflare Access can delegate access from any [self-hosted application](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) to an [Access for SaaS MCP server](/cloudflare-one/access-controls/applications/http-apps/mcp-servers/saas-mcp/) via [OAuth](https://modelcontextprotocol.io/specification/2025-03-26/basic/authorization). The OAuth access token authorizes the MCP server to make requests to your self-hosted applications on behalf of the user, using the user's specific permissions and scopes. For example, your organization may wish to deploy an MCP server that helps employees interact with internal applications. You can configure [Access policies](/cloudflare-one/access-controls/policies/#selectors) to ensure that only authorized users can access those applications, either directly or by using an MCP client. 
@@ -40,11 +40,11 @@ This guide covers how to use the Cloudflare API to link a self-hosted applicatio ## Prerequisites -- A [self-hosted Access application](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/) +- A [self-hosted Access application](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) ## 1. Secure the MCP server with Access for SaaS -The first step is to add the MCP server to Cloudflare Access as an OIDC-based SaaS application. For step-by-step instructions on how to add an MCP server, refer to [Secure MCP servers with Access for SaaS](/cloudflare-one/access-controls/applications/configure-apps/mcp-servers/saas-mcp/). +The first step is to add the MCP server to Cloudflare Access as an OIDC-based SaaS application. For step-by-step instructions on how to add an MCP server, refer to [Secure MCP servers with Access for SaaS](/cloudflare-one/access-controls/applications/http-apps/mcp-servers/saas-mcp/). ## 2. Get the SaaS application ID diff --git a/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/mcp-servers/mcp-portals.mdx b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/mcp-servers/mcp-portals.mdx similarity index 99% rename from src/content/docs/cloudflare-one/access-controls/applications/configure-apps/mcp-servers/mcp-portals.mdx rename to src/content/docs/cloudflare-one/access-controls/applications/http-apps/mcp-servers/mcp-portals.mdx index f4e341466e7a4b4..95d537ef3cf5dcb 100644 --- a/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/mcp-servers/mcp-portals.mdx +++ b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/mcp-servers/mcp-portals.mdx 
@@ -41,7 +41,7 @@ To add an MCP server: 7. Add [Access policies](/cloudflare-one/access-controls/policies/) to show or hide the server in an [MCP server portal](#create-a-portal). The MCP server link will only appear in the portal for users who match an Allow policy. Users who do not pass an Allow policy will not see this server through any portals. :::caution - Blocked users can still connect to the server (and bypass your Access policies) by using its direct URL. If you want to enforce authentication through Cloudflare Access, [configure Access as the server's OAuth provider](/cloudflare-one/access-controls/applications/configure-apps/mcp-servers/saas-mcp/). + Blocked users can still connect to the server (and bypass your Access policies) by using its direct URL. If you want to enforce authentication through Cloudflare Access, [configure Access as the server's OAuth provider](/cloudflare-one/access-controls/applications/http-apps/mcp-servers/saas-mcp/). ::: 8. Select **Save and connect server**. diff --git a/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/mcp-servers/saas-mcp.mdx b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/mcp-servers/saas-mcp.mdx similarity index 95% rename from src/content/docs/cloudflare-one/access-controls/applications/configure-apps/mcp-servers/saas-mcp.mdx rename to src/content/docs/cloudflare-one/access-controls/applications/http-apps/mcp-servers/saas-mcp.mdx index b91086885d1bb6a..44f42b8b4f95715 100644 --- a/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/mcp-servers/saas-mcp.mdx +++ b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/mcp-servers/saas-mcp.mdx 
@@ -103,7 +103,7 @@ https://mcp-server-cf-access..workers.dev/callback - **Authorization endpoint** - **Key endpoint** -8. (Optional) Under **Advanced settings**, turn on [**Refresh tokens**](/cloudflare-one/access-controls/applications/configure-apps/saas-apps/generic-oidc-saas/#advanced-settings) if you want to reduce the number of times a user needs to log in to the identity provider. +8. (Optional) Under **Advanced settings**, turn on [**Refresh tokens**](/cloudflare-one/access-controls/applications/http-apps/saas-apps/generic-oidc-saas/#advanced-settings) if you want to reduce the number of times a user needs to log in to the identity provider. 9. Configure [Access policies](/cloudflare-one/access-controls/policies/) to define the users who can access the MCP server. 10. Save the application. @@ -134,7 +134,7 @@ https://mcp-server-cf-access..workers.dev/callback /> 2. Copy the `client_id` and `client_secret` returned in the response. -3. To determine the OAuth endpoint URLs for the SaaS application, refer to the [generic OIDC documentation](/cloudflare-one/access-controls/applications/configure-apps/saas-apps/generic-oidc-saas/#2-add-your-application-to-access). +3. To determine the OAuth endpoint URLs for the SaaS application, refer to the [generic OIDC documentation](/cloudflare-one/access-controls/applications/http-apps/saas-apps/generic-oidc-saas/#2-add-your-application-to-access). diff --git a/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/adobe-sign-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/adobe-sign-saas.mdx similarity index 100% rename from src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/adobe-sign-saas.mdx rename to src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/adobe-sign-saas.mdx 
diff --git a/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/area-1.mdx b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/area-1.mdx similarity index 100% rename from src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/area-1.mdx rename to src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/area-1.mdx diff --git a/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/asana-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/asana-saas.mdx similarity index 100% rename from src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/asana-saas.mdx rename to src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/asana-saas.mdx diff --git a/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/atlassian-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/atlassian-saas.mdx similarity index 100% rename from src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/atlassian-saas.mdx rename to src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/atlassian-saas.mdx diff --git a/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/aws-sso-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/aws-sso-saas.mdx similarity index 98% rename from src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/aws-sso-saas.mdx rename to src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/aws-sso-saas.mdx index aa0c0b3934b6825..4fe4c1775de6eee 100644 --- a/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/aws-sso-saas.mdx 
+++ b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/aws-sso-saas.mdx @@ -54,7 +54,7 @@ Next, we will obtain **Identity provider metadata** from Zero Trust. :::caution[Important] -Access for SaaS does not currently support [SCIM provisioning](/cloudflare-one/identity/users/scim/). Make sure that: +Access for SaaS does not currently support [SCIM provisioning](/cloudflare-one/team-and-resources/users/scim/). Make sure that: 1. Users are created in both your identity provider and AWS. 2. Users have matching usernames in your identity provider and AWS. diff --git a/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/braintree-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/braintree-saas.mdx similarity index 100% rename from src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/braintree-saas.mdx rename to src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/braintree-saas.mdx diff --git a/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/coupa-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/coupa-saas.mdx similarity index 100% rename from src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/coupa-saas.mdx rename to src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/coupa-saas.mdx diff --git a/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/digicert-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/digicert-saas.mdx similarity index 100% rename from src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/digicert-saas.mdx rename to src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/digicert-saas.mdx 
diff --git a/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/docusign-access.mdx b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/docusign-access.mdx similarity index 100% rename from src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/docusign-access.mdx rename to src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/docusign-access.mdx diff --git a/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/dropbox-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/dropbox-saas.mdx similarity index 100% rename from src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/dropbox-saas.mdx rename to src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/dropbox-saas.mdx diff --git a/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/generic-oidc-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/generic-oidc-saas.mdx similarity index 98% rename from src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/generic-oidc-saas.mdx rename to src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/generic-oidc-saas.mdx index 89fbd3553283bae..1b44964f412470e 100644 --- a/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/generic-oidc-saas.mdx +++ b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/generic-oidc-saas.mdx 
@@ -103,7 +103,7 @@ To add additional OIDC claims onto the ID token sent to your SaaS application, c ### Access token lifetime -The OIDC Access token authorizes users to connect to the SaaS application through Cloudflare Access. You can set an **Access token lifetime** to determine the window in which the token can be used to establish authentication with the SaaS application — if it expires, the user must re-authenticate through Cloudflare Access. To balance security and user convenience, Cloudflare recommends configuring a short Access token lifetime in conjunction with a longer **Refresh token lifetime** (if supported by your application). When the access token expires, Cloudflare will use the refresh token to obtain a new access token after checking the user's identity against your Access policies. When the refresh token expires, the user will need to log back in to the identity provider. The refresh token lifetime should be less than your [global session duration](/cloudflare-one/identity/users/session-management/), otherwise the global session would take precedence. +The OIDC Access token authorizes users to connect to the SaaS application through Cloudflare Access. You can set an **Access token lifetime** to determine the window in which the token can be used to establish authentication with the SaaS application — if it expires, the user must re-authenticate through Cloudflare Access. To balance security and user convenience, Cloudflare recommends configuring a short Access token lifetime in conjunction with a longer **Refresh token lifetime** (if supported by your application). When the access token expires, Cloudflare will use the refresh token to obtain a new access token after checking the user's identity against your Access policies. When the refresh token expires, the user will need to log back in to the identity provider. 
The refresh token lifetime should be less than your [global session duration](/cloudflare-one/team-and-resources/users/session-management/), otherwise the global session would take precedence. :::note diff --git a/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/generic-saml-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/generic-saml-saas.mdx similarity index 100% rename from src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/generic-saml-saas.mdx rename to src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/generic-saml-saas.mdx diff --git a/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/github-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/github-saas.mdx similarity index 100% rename from src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/github-saas.mdx rename to src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/github-saas.mdx diff --git a/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/google-cloud-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/google-cloud-saas.mdx similarity index 100% rename from src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/google-cloud-saas.mdx rename to src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/google-cloud-saas.mdx 
diff --git a/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/google-workspace-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/google-workspace-saas.mdx similarity index 100% rename from src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/google-workspace-saas.mdx rename to src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/google-workspace-saas.mdx diff --git a/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/grafana-cloud-saas-oidc.mdx b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/grafana-cloud-saas-oidc.mdx similarity index 100% rename from src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/grafana-cloud-saas-oidc.mdx rename to src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/grafana-cloud-saas-oidc.mdx diff --git a/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/grafana-saas-oidc.mdx b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/grafana-saas-oidc.mdx similarity index 100% rename from src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/grafana-saas-oidc.mdx rename to src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/grafana-saas-oidc.mdx diff --git a/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/greenhouse-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/greenhouse-saas.mdx similarity index 100% rename from src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/greenhouse-saas.mdx rename to src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/greenhouse-saas.mdx 
diff --git a/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/hubspot-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/hubspot-saas.mdx similarity index 100% rename from src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/hubspot-saas.mdx rename to src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/hubspot-saas.mdx diff --git a/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/index.mdx b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/index.mdx similarity index 73% rename from src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/index.mdx rename to src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/index.mdx index 4933b0de0a3143a..8288d9c5c037db1 100644 --- a/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/index.mdx +++ b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/index.mdx 
@@ -10,6 +10,6 @@ import { DirectoryListing } from "~/components" Cloudflare Access allows you to add an additional authentication layer to your SaaS applications. When you integrate a SaaS application with Access, users log in to the application with Cloudflare as the Single Sign-On provider. The user is then redirected to the configured identity providers for that application and are only granted access if they pass your Access policies. -Cloudflare integrates with the majority of SaaS applications that support the SAML or OIDC authentication protocol. If you do not see your application listed below, refer to our [generic SAML](/cloudflare-one/access-controls/applications/configure-apps/saas-apps/generic-saml-saas/) or [generic OIDC](/cloudflare-one/access-controls/applications/configure-apps/saas-apps/generic-oidc-saas/) guide and consult your SaaS application's documentation. +Cloudflare integrates with the majority of SaaS applications that support the SAML or OIDC authentication protocol. If you do not see your application listed below, refer to our [generic SAML](/cloudflare-one/access-controls/applications/http-apps/saas-apps/generic-saml-saas/) or [generic OIDC](/cloudflare-one/access-controls/applications/http-apps/saas-apps/generic-oidc-saas/) guide and consult your SaaS application's documentation. diff --git a/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/ironclad-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/ironclad-saas.mdx similarity index 100% rename from src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/ironclad-saas.mdx rename to src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/ironclad-saas.mdx 
diff --git a/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/jamf-pro-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/jamf-pro-saas.mdx similarity index 100% rename from src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/jamf-pro-saas.mdx rename to src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/jamf-pro-saas.mdx diff --git a/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/miro-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/miro-saas.mdx similarity index 100% rename from src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/miro-saas.mdx rename to src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/miro-saas.mdx diff --git a/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/pagerduty-saml-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/pagerduty-saml-saas.mdx similarity index 100% rename from src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/pagerduty-saml-saas.mdx rename to src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/pagerduty-saml-saas.mdx diff --git a/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/pingboard-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/pingboard-saas.mdx similarity index 100% rename from src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/pingboard-saas.mdx rename to src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/pingboard-saas.mdx 
diff --git a/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/salesforce-saas-oidc.mdx b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/salesforce-saas-oidc.mdx similarity index 100% rename from src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/salesforce-saas-oidc.mdx rename to src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/salesforce-saas-oidc.mdx diff --git a/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/salesforce-saas-saml.mdx b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/salesforce-saas-saml.mdx similarity index 100% rename from src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/salesforce-saas-saml.mdx rename to src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/salesforce-saas-saml.mdx diff --git a/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/servicenow-saas-oidc.mdx b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/servicenow-saas-oidc.mdx similarity index 100% rename from src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/servicenow-saas-oidc.mdx rename to src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/servicenow-saas-oidc.mdx diff --git a/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/servicenow-saas-saml.mdx b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/servicenow-saas-saml.mdx similarity index 100% rename from src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/servicenow-saas-saml.mdx rename to src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/servicenow-saas-saml.mdx 
diff --git a/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/slack-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/slack-saas.mdx similarity index 100% rename from src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/slack-saas.mdx rename to src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/slack-saas.mdx diff --git a/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/smartsheet-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/smartsheet-saas.mdx similarity index 100% rename from src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/smartsheet-saas.mdx rename to src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/smartsheet-saas.mdx diff --git a/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/sparkpost-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/sparkpost-saas.mdx similarity index 100% rename from src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/sparkpost-saas.mdx rename to src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/sparkpost-saas.mdx diff --git a/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/tableau-saml-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/tableau-saml-saas.mdx similarity index 100% rename from src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/tableau-saml-saas.mdx rename to src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/tableau-saml-saas.mdx 
diff --git a/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/workday-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/workday-saas.mdx similarity index 100% rename from src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/workday-saas.mdx rename to src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/workday-saas.mdx diff --git a/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/zendesk-sso-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/zendesk-sso-saas.mdx similarity index 100% rename from src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/zendesk-sso-saas.mdx rename to src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/zendesk-sso-saas.mdx diff --git a/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/zoom-saas.mdx b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/zoom-saas.mdx similarity index 100% rename from src/content/docs/cloudflare-one/access-controls/applications/configure-apps/saas-apps/zoom-saas.mdx rename to src/content/docs/cloudflare-one/access-controls/applications/http-apps/saas-apps/zoom-saas.mdx diff --git a/src/content/docs/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app.mdx b/src/content/docs/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app.mdx similarity index 100% rename from src/content/docs/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app.mdx rename to src/content/docs/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app.mdx 
diff --git a/src/content/docs/cloudflare-one/access-controls/applications/non-http/browser-rendering.mdx b/src/content/docs/cloudflare-one/access-controls/applications/non-http/browser-rendering.mdx index 5bdcbc6d2bdcd34..70bce452399e0b8 100644 --- a/src/content/docs/cloudflare-one/access-controls/applications/non-http/browser-rendering.mdx +++ b/src/content/docs/cloudflare-one/access-controls/applications/non-http/browser-rendering.mdx @@ -11,7 +11,7 @@ Cloudflare can render SSH, VNC, and RDP applications in a browser without the ne ## Limitations -- Browser rendering is only supported for [self-hosted public applications](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/), not private IPs or hostnames. +- Browser rendering is only supported for [self-hosted public applications](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/), not private IPs or hostnames. - You can only render a browser-rendered terminal on domains and subdomains, not on specific paths. - - Cloudflare uses TLS to secure the egress RDP connection to your Windows server. We do not currently validate the chain of trust. diff --git a/src/content/docs/cloudflare-one/access-controls/applications/non-http/infrastructure-apps.mdx b/src/content/docs/cloudflare-one/access-controls/applications/non-http/infrastructure-apps.mdx index 2e344d9cbda5f83..1c2a00196619c52 100644 --- a/src/content/docs/cloudflare-one/access-controls/applications/non-http/infrastructure-apps.mdx +++ b/src/content/docs/cloudflare-one/access-controls/applications/non-http/infrastructure-apps.mdx 
@@ -102,7 +102,7 @@ To view all available filters, type `warp-cli target list --help`. ## Revoke a user's session -To revoke a user's access to all infrastructure targets, you can either [revoke the user from Zero Trust](/cloudflare-one/identity/users/session-management/#per-user) or revoke their device. Cloudflare does not currently support revoking a user's session for a specific target. +To revoke a user's access to all infrastructure targets, you can either [revoke the user from Zero Trust](/cloudflare-one/team-and-resources/users/session-management/#per-user) or revoke their device. Cloudflare does not currently support revoking a user's session for a specific target. ## Infrastructure policy selectors diff --git a/src/content/docs/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app.mdx b/src/content/docs/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app.mdx index 7026dc374600857..4fd00718078c34c 100644 --- a/src/content/docs/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app.mdx +++ b/src/content/docs/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app.mdx 
@@ -66,7 +66,7 @@ Users can now connect to your private application after authenticating with Clou ### HTTPS applications -If [Gateway TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/) is turned on and a user is accessing an HTTPS application on port `443`, Cloudflare Access will present a login page in the browser and issue an [application token](/cloudflare-one/identity/authorization-cookie/application-token/) to your origin. This is the same cookie-based authentication flow used by [self-hosted public apps](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/). +If [Gateway TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/) is turned on and a user is accessing an HTTPS application on port `443`, Cloudflare Access will present a login page in the browser and issue an [application token](/cloudflare-one/identity/authorization-cookie/application-token/) to your origin. This is the same cookie-based authentication flow used by [self-hosted public apps](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/). If [Gateway TLS decryption](/cloudflare-one/traffic-policies/http-policies/tls-decryption/) is turned off, session management is [handled in the WARP client](#non-https-applications) instead of in the browser. diff --git a/src/content/docs/cloudflare-one/access-controls/applications/non-http/short-lived-certificates-legacy.mdx b/src/content/docs/cloudflare-one/access-controls/applications/non-http/short-lived-certificates-legacy.mdx index 34ecb33ebe0a46f..c153859d4b8cc9a 100644 --- a/src/content/docs/cloudflare-one/access-controls/applications/non-http/short-lived-certificates-legacy.mdx +++ b/src/content/docs/cloudflare-one/access-controls/applications/non-http/short-lived-certificates-legacy.mdx 
@@ -25,7 +25,7 @@ Cloudflare Access short-lived certificates can work with any modern SSH server, To secure your server behind Cloudflare Access: 1. [Connect the server to Cloudflare](/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/) as a published application. -2. Create a [self-hosted Access application](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/) for the server. +2. Create a [self-hosted Access application](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) for the server. :::note If you do not wish to use Access, refer instead to our [SSH proxy instructions](/cloudflare-one/traffic-policies/network-policies/ssh-logging/). diff --git a/src/content/docs/cloudflare-one/access-controls/policies/index.mdx b/src/content/docs/cloudflare-one/access-controls/policies/index.mdx index 7461895e482ee19..8b64dcf64e423f0 100644 --- a/src/content/docs/cloudflare-one/access-controls/policies/index.mdx +++ b/src/content/docs/cloudflare-one/access-controls/policies/index.mdx 
@@ -131,9 +131,9 @@ To require only one country and one email ending: ## Selectors -When you add a rule to your policy, you will be asked to specify the criteria/attributes you want users to meet. These attributes are available for all Access application types, including [SaaS](/cloudflare-one/access-controls/applications/configure-apps/saas-apps/), [self-hosted](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/), and [non-HTTP](/cloudflare-one/access-controls/applications/non-http/) applications. +When you add a rule to your policy, you will be asked to specify the criteria/attributes you want users to meet. These attributes are available for all Access application types, including [SaaS](/cloudflare-one/access-controls/applications/http-apps/saas-apps/), [self-hosted](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/), and [non-HTTP](/cloudflare-one/access-controls/applications/non-http/) applications. -Non-identity attributes are polled continuously, meaning they are-evaluated with each new HTTP request for changes during the [user session](/cloudflare-one/identity/users/session-management/). If you have configured [SCIM provisioning](/cloudflare-one/identity/users/scim/), you can force a user to re-attest all attributes with Access whenever you revoke the user in the IdP or update their IdP group membership. +Non-identity attributes are polled continuously, meaning they are-evaluated with each new HTTP request for changes during the [user session](/cloudflare-one/team-and-resources/users/session-management/). If you have configured [SCIM provisioning](/cloudflare-one/team-and-resources/users/scim/), you can force a user to re-attest all attributes with Access whenever you revoke the user in the IdP or update their IdP group membership. | Selector | Description | Checked at login | Checked continuously1 | Identity-based selector? 
| | ------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | -------------------------------- | ------------------------ | 
@@ -149,7 +149,7 @@ Non-identity attributes are polled continuously, meaning they are-evaluated with | Any Access Service Token | The request will need to present the headers for any [service token](/cloudflare-one/identity/service-tokens/) created for this account. | ✅ | ✅ | ❌ | | Login Methods | Checks the identity provider used at the time of login. | ✅ | ❌ | ✅ | | Authentication Method | Checks the [multifactor authentication](/cloudflare-one/access-controls/policies/mfa-requirements/) method used by the user, if supported by the identity provider. | ✅ | ❌ | ✅ | -| Identity provider group | Checks the user groups configured with your identity provider (IdP). This selector only displays if you use Microsoft Entra ID, GitHub, Google, Okta, or an IdP that provisions groups with [SCIM](/cloudflare-one/identity/users/scim/). | ✅ | ❌ | ✅ | +| Identity provider group | Checks the user groups configured with your identity provider (IdP). This selector only displays if you use Microsoft Entra ID, GitHub, Google, Okta, or an IdP that provisions groups with [SCIM](/cloudflare-one/team-and-resources/users/scim/). | ✅ | ❌ | ✅ | | SAML Group | Checks a SAML attribute name / value pair. This selector only displays if you use a [generic SAML](/cloudflare-one/integrations/identity-providers/generic-saml/) identity provider. | ✅ | ❌ | ✅ | | OIDC Claim | Checks an OIDC claim name / value pair. This selector only displays if you use a [generic OIDC](/cloudflare-one/integrations/identity-providers/generic-oidc/) identity provider. | ✅ | ❌ | ✅ | | Device posture | Checks [device posture signals](/cloudflare-one/identity/devices/) from the WARP client or a third-party service provider. | ✅ | ✅ | ❌ | diff --git a/src/content/docs/cloudflare-one/access-controls/policies/isolate-application.mdx b/src/content/docs/cloudflare-one/access-controls/policies/isolate-application.mdx index af0b19c30575f61..7381ab78d7cd33b 100644 
--- a/src/content/docs/cloudflare-one/access-controls/policies/isolate-application.mdx +++ b/src/content/docs/cloudflare-one/access-controls/policies/isolate-application.mdx @@ -39,4 +39,4 @@ For example, if your application is hosted on `internal.site.com`, the following ## Product compatibility -For a list of products that are incompatible with the **Isolate application** feature, refer to [Product Compatibility](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/#product-compatibility) . +For a list of products that are incompatible with the **Isolate application** feature, refer to [Product Compatibility](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/#product-compatibility) . diff --git a/src/content/docs/cloudflare-one/access-controls/policies/mfa-requirements.mdx b/src/content/docs/cloudflare-one/access-controls/policies/mfa-requirements.mdx index 41efdabadc17224..eed7323491c19d8 100644 --- a/src/content/docs/cloudflare-one/access-controls/policies/mfa-requirements.mdx +++ b/src/content/docs/cloudflare-one/access-controls/policies/mfa-requirements.mdx @@ -20,7 +20,7 @@ To enforce an MFA requirement to an application: 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Access** > **Applications**. -2. Find the application for which you want to enforce MFA and select **Configure**. Alternatively, [create a new application](/cloudflare-one/access-controls/applications/configure-apps/). +2. Find the application for which you want to enforce MFA and select **Configure**. Alternatively, [create a new application](/cloudflare-one/access-controls/applications/http-apps/). 3. Go to **Policies**. diff --git a/src/content/docs/cloudflare-one/access-controls/policies/policy-management.mdx b/src/content/docs/cloudflare-one/access-controls/policies/policy-management.mdx index b2807d54672dcaf..913a3bf26be626b 100644 --- a/src/content/docs/cloudflare-one/access-controls/policies/policy-management.mdx 
+++ b/src/content/docs/cloudflare-one/access-controls/policies/policy-management.mdx @@ -17,7 +17,7 @@ To create a reusable Access policy: 2. Select **Add a policy**. 3. Enter a **Policy name**. 4. Choose an [**Action**](/cloudflare-one/access-controls/policies/#actions) for the policy. -5. Choose a [**Session duration**](/cloudflare-one/identity/users/session-management/) for the policy. +5. Choose a [**Session duration**](/cloudflare-one/team-and-resources/users/session-management/) for the policy. 6. Configure as many [**Rules**](/cloudflare-one/access-controls/policies/#rule-types) as needed. 7. (Optional) Configure additional settings for users who match this policy: - [Isolate application](/cloudflare-one/access-controls/policies/isolate-application/). diff --git a/src/content/docs/cloudflare-one/applications/app-library.mdx b/src/content/docs/cloudflare-one/applications/app-library.mdx index 37f87bb43e8a3d6..8616be08861d85c 100644 --- a/src/content/docs/cloudflare-one/applications/app-library.mdx +++ b/src/content/docs/cloudflare-one/applications/app-library.mdx @@ -34,7 +34,7 @@ The **Findings** tab shows any connected [CASB integrations](/cloudflare-one/app ### Policies -The **Policies** tab shows any [Gateway](/cloudflare-one/traffic-policies/) and [Access for SaaS](/cloudflare-one/access-controls/applications/configure-apps/saas-apps/) policies related to the selected application. +The **Policies** tab shows any [Gateway](/cloudflare-one/traffic-policies/) and [Access for SaaS](/cloudflare-one/access-controls/applications/http-apps/saas-apps/) policies related to the selected application. ### Usage diff --git a/src/content/docs/cloudflare-one/changelog/access.mdx b/src/content/docs/cloudflare-one/changelog/access.mdx index 4cf509e0e424f9e..3237fb1dbc41bae 100644 --- a/src/content/docs/cloudflare-one/changelog/access.mdx +++ b/src/content/docs/cloudflare-one/changelog/access.mdx 
@@ -29,7 +29,7 @@ You can now filter Access policies by their action, selectors, rule groups, and **Access Applications support private hostnames/IPs and reusable Access policies.** -Cloudflare Access self-hosted applications can now be defined by [private IPs](/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/), [private hostnames](/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/) (on port 443) and [public hostnames](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/). Additionally, we made Access policies into their own object which can be reused across multiple applications. These updates involved significant updates to the overall Access dashboard experience. The updates will be slowly rolled out to different customer cohorts. If you are an Enterprise customer and would like early access, reach out to your account team. +Cloudflare Access self-hosted applications can now be defined by [private IPs](/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/), [private hostnames](/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/) (on port 443) and [public hostnames](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/). Additionally, we made Access policies into their own object which can be reused across multiple applications. These updates involved significant updates to the overall Access dashboard experience. The updates will be slowly rolled out to different customer cohorts. If you are an Enterprise customer and would like early access, reach out to your account team. ## 2025-01-15 
@@ -53,7 +53,7 @@ Admins can now use [Access for Infrastructure](/cloudflare-one/networks/connecto **Reduce automatic seat deprovisioning minimum to 1 month, down from 2 months.** -Admins can now configure Zero Trust seats to [automatically expire](/cloudflare-one/identity/users/seat-management/#enable-seat-expiration) after 1 month of user inactivity. The previous minimum was 2 months. +Admins can now configure Zero Trust seats to [automatically expire](/cloudflare-one/team-and-resources/users/seat-management/#enable-seat-expiration) after 1 month of user inactivity. The previous minimum was 2 months. ## 2024-06-06 diff --git a/src/content/docs/cloudflare-one/faq/authentication-faq.mdx b/src/content/docs/cloudflare-one/faq/authentication-faq.mdx index a3a7abcbf2e62cb..cd5a0d9798d49b1 100644 --- a/src/content/docs/cloudflare-one/faq/authentication-faq.mdx +++ b/src/content/docs/cloudflare-one/faq/authentication-faq.mdx @@ -33,4 +33,4 @@ To log out of an App Launcher session, go to: `.cloudflareaccess.com/cdn-cgi/access/logout` -For more information, refer to our [session management page](/cloudflare-one/identity/users/session-management/#log-out-as-a-user). +For more information, refer to our [session management page](/cloudflare-one/team-and-resources/users/session-management/#log-out-as-a-user). diff --git a/src/content/docs/cloudflare-one/identity/authorization-cookie/application-token.mdx b/src/content/docs/cloudflare-one/identity/authorization-cookie/application-token.mdx index b89b47c4dc5f773..fafc8527875a5f0 100644 --- a/src/content/docs/cloudflare-one/identity/authorization-cookie/application-token.mdx +++ b/src/content/docs/cloudflare-one/identity/authorization-cookie/application-token.mdx 
@@ -63,7 +63,7 @@ The payload contains the actual claim and user information to pass to the applic | iss | The Cloudflare Access domain URL for the application. | | type | The type of Access token (`app` for application token or `org` for global session token). | | identity_nonce | A cache key used to get the [user's identity](#user-identity). | -| sub | The ID of the user. This value is unique to an email address per account. The user would get a different `sub` if they are [removed](/cloudflare-one/identity/users/seat-management/#remove-a-user) and re-added to your Zero Trust organization, or if they log into a different organization. | +| sub | The ID of the user. This value is unique to an email address per account. The user would get a different `sub` if they are [removed](/cloudflare-one/team-and-resources/users/seat-management/#remove-a-user) and re-added to your Zero Trust organization, or if they log into a different organization. | | country | The country where the user authenticated from. | #### Custom SAML attributes and OIDC claims diff --git a/src/content/docs/cloudflare-one/identity/authorization-cookie/cors.mdx b/src/content/docs/cloudflare-one/identity/authorization-cookie/cors.mdx index abfd9ec2dd8e2bc..0c9aaf811db45c0 100644 --- a/src/content/docs/cloudflare-one/identity/authorization-cookie/cors.mdx +++ b/src/content/docs/cloudflare-one/identity/authorization-cookie/cors.mdx @@ -122,7 +122,7 @@ To avoid having to log in twice, you can create a Cloudflare Worker that automat - [Workers account](/workers/get-started/guide/) - `wrangler` installation -- `example.com` and `api.mysite.com` domains [protected by Access](/cloudflare-one/access-controls/applications/configure-apps/) +- `example.com` and `api.mysite.com` domains [protected by Access](/cloudflare-one/access-controls/applications/http-apps/) ### 1. Generate a service token 
diff --git a/src/content/docs/cloudflare-one/identity/authorization-cookie/index.mdx b/src/content/docs/cloudflare-one/identity/authorization-cookie/index.mdx index c60eb43beadaea2..e0e5852e7c1e22d 100644 --- a/src/content/docs/cloudflare-one/identity/authorization-cookie/index.mdx +++ b/src/content/docs/cloudflare-one/identity/authorization-cookie/index.mdx @@ -22,7 +22,7 @@ Access generates two separate `CF_Authorization` tokens depending on the domain: ### Multi-domain applications -Cloudflare Access allows you to protect and manage multiple domains in a single [self-hosted application](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/). After a user has successfully authenticated to one domain, Access will automatically issue a `CF_Authorization` cookie when they go to another domain in the same Access application. This means that users only need to authenticate once to a multi-domain application. +Cloudflare Access allows you to protect and manage multiple domains in a single [self-hosted application](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/). After a user has successfully authenticated to one domain, Access will automatically issue a `CF_Authorization` cookie when they go to another domain in the same Access application. This means that users only need to authenticate once to a multi-domain application. For Access applications with five or less domains, Access will preemptively set the cookie for all domains through a series of redirects. This allows single-page applications (SPAs) to retrieve data from other subdomains, even if the user has not explicitly visited those subdomains. Note that we cannot set cookies up-front for a wildcarded subdomain, because we do not know which concrete subdomain to redirect to (wildcarded paths are allowed). 
@@ -36,19 +36,19 @@ The following Access cookies are essential to Access functionality. Cookies that | Details | Expiration | HttpOnly | SameSite | Required? | | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | -------- | --------- | -| [JSON web token (JWT)](/cloudflare-one/identity/authorization-cookie/#access-jwts) set on the `cloudflareaccess.com` [team domain](/cloudflare-one/faq/getting-started-faq/#what-is-a-team-domainteam-name) that contains the user's identity and enables Access to perform single sign-on (SSO) |
ViewIf set, adheres to [global session duration](/cloudflare-one/identity/users/session-management/#global-session-duration).

If not, adheres to [application session duration](/cloudflare-one/identity/users/session-management/#application-session-duration).

If neither are set, defaults to 24 hours.
| Yes | None | Required | +| [JSON web token (JWT)](/cloudflare-one/identity/authorization-cookie/#access-jwts) set on the `cloudflareaccess.com` [team domain](/cloudflare-one/faq/getting-started-faq/#what-is-a-team-domainteam-name) that contains the user's identity and enables Access to perform single sign-on (SSO) |
ViewIf set, adheres to [global session duration](/cloudflare-one/team-and-resources/users/session-management/#global-session-duration).

If not, adheres to [application session duration](/cloudflare-one/team-and-resources/users/session-management/#application-session-duration).

If neither are set, defaults to 24 hours.
| Yes | None | Required | ### CF_Authorization (Access application domain) | Details | Expiration | HttpOnly | SameSite | Required? | | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------- | ---------------------------- | --------- | -| [JSON web token (JWT)](/cloudflare-one/identity/authorization-cookie/#access-jwts) set on the domain protected by Access that allows Access to confirm that the user has been authenticated and is authorized to reach the origin |
ViewIf set, adheres to [policy session duration](/cloudflare-one/identity/users/session-management/#policy-session-duration).

If not, adheres to [application session duration](/cloudflare-one/identity/users/session-management/#application-session-duration).

If neither are set, defaults to 24 hours.
| Admin choice (Default: None) | Admin choice (Default: None) | Required | +| [JSON web token (JWT)](/cloudflare-one/identity/authorization-cookie/#access-jwts) set on the domain protected by Access that allows Access to confirm that the user has been authenticated and is authorized to reach the origin |
ViewIf set, adheres to [policy session duration](/cloudflare-one/team-and-resources/users/session-management/#policy-session-duration).

If not, adheres to [application session duration](/cloudflare-one/team-and-resources/users/session-management/#application-session-duration).

If neither are set, defaults to 24 hours.
| Admin choice (Default: None) | Admin choice (Default: None) | Required | ### CF_Binding | Details | Expiration | HttpOnly | SameSite | Required? | | ---------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | -------- | --------- | -| Refer to [Binding cookie](/cloudflare-one/identity/authorization-cookie/#binding-cookie) |
ViewIf set, adheres to [policy session duration](/cloudflare-one/identity/users/session-management/#policy-session-duration).

If not, adheres to [application session duration](/cloudflare-one/identity/users/session-management/#application-session-duration).

If neither are set, defaults to 24 hours.
| Yes | None | Optional | +| Refer to [Binding cookie](/cloudflare-one/identity/authorization-cookie/#binding-cookie) |
ViewIf set, adheres to [policy session duration](/cloudflare-one/team-and-resources/users/session-management/#policy-session-duration).

If not, adheres to [application session duration](/cloudflare-one/team-and-resources/users/session-management/#application-session-duration).

If neither are set, defaults to 24 hours.
| Yes | None | Optional | ### CF_Session @@ -133,7 +133,7 @@ Binding cookies protect users' `CF_Authorization` cookies from possible maliciou Do not enable Binding Cookie if: - You are using the Access application for non-browser based tools (such as SSH or RDP). -- You have enabled [incompatible Cloudflare products](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/#product-compatibility) on the application domain. +- You have enabled [incompatible Cloudflare products](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/#product-compatibility) on the application domain. - You have turned on [WARP authentication identity](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-sessions/) for the application. ### Cookie Path Attribute diff --git a/src/content/docs/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication.mdx b/src/content/docs/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication.mdx index 719f681b7ec8536..4d0bd8cba33c37e 100644 --- a/src/content/docs/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication.mdx +++ b/src/content/docs/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication.mdx @@ -27,7 +27,7 @@ The mTLS certificate is used only to verify the client certificate. It does not ### Prerequisites -- An [Access application](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/) for the hostname that you would like to secure with mTLS. +- An [Access application](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) for the hostname that you would like to secure with mTLS. - A CA that issues client certificates for your devices. 
diff --git a/src/content/docs/cloudflare-one/insights/analytics/analytics-overview.mdx b/src/content/docs/cloudflare-one/insights/analytics/analytics-overview.mdx index 8cce2e32943611d..f2bd7126749d977 100644 --- a/src/content/docs/cloudflare-one/insights/analytics/analytics-overview.mdx +++ b/src/content/docs/cloudflare-one/insights/analytics/analytics-overview.mdx @@ -30,7 +30,7 @@ In **Global status**, you can view a report on your organization's Cloudflare On - SaaS integrations - DLP profiles -You can also view a report on your [seat usage](/cloudflare-one/identity/users/seat-management/) across your Cloudflare One organization that contains the following metrics: +You can also view a report on your [seat usage](/cloudflare-one/team-and-resources/users/seat-management/) across your Cloudflare One organization that contains the following metrics: - Total seats - Used seats diff --git a/src/content/docs/cloudflare-one/insights/dex/index.mdx b/src/content/docs/cloudflare-one/insights/dex/index.mdx index 8efca16730fe07b..0a0b64a8bfa405d 100644 --- a/src/content/docs/cloudflare-one/insights/dex/index.mdx +++ b/src/content/docs/cloudflare-one/insights/dex/index.mdx @@ -13,7 +13,7 @@ With DEX, you can monitor the state of your [WARP client](/cloudflare-one/team-a Use DEX to troubleshoot other Zero Trust features: -- Test connectivity to a [SaaS application secured with Access](/cloudflare-one/access-controls/applications/configure-apps/saas-apps/). +- Test connectivity to a [SaaS application secured with Access](/cloudflare-one/access-controls/applications/http-apps/saas-apps/). - Verify that a website routed through [Gateway](/cloudflare-one/traffic-policies/) is reachable from user devices. - Confirm that users can successfully reach internal resources after configuring a [Tunnel](/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel/). 
diff --git a/src/content/docs/cloudflare-one/insights/logs/scim-logs.mdx b/src/content/docs/cloudflare-one/insights/logs/scim-logs.mdx index 865043605d0cd69..181714649579e81 100644 --- a/src/content/docs/cloudflare-one/insights/logs/scim-logs.mdx +++ b/src/content/docs/cloudflare-one/insights/logs/scim-logs.mdx @@ -8,7 +8,7 @@ sidebar: import { Render } from "~/components"; -SCIM activity logs allow administrators to audit how [SCIM provisioning](/cloudflare-one/identity/users/scim/) events in an identity provider (such as create, update, and delete) affect a user's identity and group membership in Zero Trust. You can compare your Zero Trust SCIM logs with your identity provider's SCIM logs to track how identity data is shared between the two services and pinpoint the source of any provisioning errors. +SCIM activity logs allow administrators to audit how [SCIM provisioning](/cloudflare-one/team-and-resources/users/scim/) events in an identity provider (such as create, update, and delete) affect a user's identity and group membership in Zero Trust. You can compare your Zero Trust SCIM logs with your identity provider's SCIM logs to track how identity data is shared between the two services and pinpoint the source of any provisioning errors. ## View SCIM logs diff --git a/src/content/docs/cloudflare-one/insights/logs/users.mdx b/src/content/docs/cloudflare-one/insights/logs/users.mdx index d9bd9986d732a21..52aaa3da7ec1786 100644 --- a/src/content/docs/cloudflare-one/insights/logs/users.mdx +++ b/src/content/docs/cloudflare-one/insights/logs/users.mdx 
@@ -12,11 +12,11 @@ User logs show a list of all users who have authenticated to Cloudflare Zero Tru ## View user logs -In [Zero Trust](https://one.dash.cloudflare.com/), go to **My Team** > **Users**. This page lists all users who have registered the WARP client or authenticated to a Cloudflare Access application. You can select a user's name to view detailed logs, [revoke their session](/cloudflare-one/identity/users/session-management/#revoke-user-sessions), or [remove their seat](/cloudflare-one/identity/users/seat-management/). +In [Zero Trust](https://one.dash.cloudflare.com/), go to **My Team** > **Users**. This page lists all users who have registered the WARP client or authenticated to a Cloudflare Access application. You can select a user's name to view detailed logs, [revoke their session](/cloudflare-one/team-and-resources/users/session-management/#revoke-user-sessions), or [remove their seat](/cloudflare-one/team-and-resources/users/seat-management/). ### Available logs -* **User Registry identity**: Select the user's name to view their last seen identity. This identity is used to evaluate Gateway policies and WARP [device profiles](/cloudflare-one/team-and-resources/devices/warp/configure-warp/device-profiles/). A refresh occurs when the user re-authenticates WARP, logs into an Access application, or has their IdP group membership updated via SCIM provisioning. To track how the user's identity has changed over time, go to the **Audit logs** tab. -* **Session identities**: The user's active sessions, the identity used to authenticate each session, and when each session will [expire](/cloudflare-one/identity/users/session-management/). +* **User Registry identity**: Select the user's name to view their last seen identity. This identity is used to evaluate Gateway policies and WARP [device profiles](/cloudflare-one/team-and-resources/devices/warp/configure-warp/device-profiles/). 
A refresh occurs when the user re-authenticates WARP, logs into an Access application, or has their IdP group membership updated via SCIM provisioning. To track how the user's identity has changed over time, go to the **Audit logs** tab. +* **Session identities**: The user's active sessions, the identity used to authenticate each session, and when each session will [expire](/cloudflare-one/team-and-resources/users/session-management/). * **Devices**: Devices registered to the user via WARP. * **Recent activities**: The user's five most recent Access login attempts. For more details, refer to your [authentication audit logs](/cloudflare-one/insights/logs/audit-logs/#authentication-audit-logs). diff --git a/src/content/docs/cloudflare-one/integrations/identity-providers/entra-id.mdx b/src/content/docs/cloudflare-one/integrations/identity-providers/entra-id.mdx index 6eb3c8ee4b2fc2f..2c1864ddb895197 100644 --- a/src/content/docs/cloudflare-one/integrations/identity-providers/entra-id.mdx +++ b/src/content/docs/cloudflare-one/integrations/identity-providers/entra-id.mdx @@ -171,7 +171,7 @@ If you are concerned that users' emails or UPNs may change, you can pass the use ## Synchronize users and groups -The Microsoft Entra ID integration allows you to synchronize IdP groups and automatically deprovision users using [SCIM](/cloudflare-one/identity/users/scim/). +The Microsoft Entra ID integration allows you to synchronize IdP groups and automatically deprovision users using [SCIM](/cloudflare-one/team-and-resources/users/scim/). ### Prerequisites diff --git a/src/content/docs/cloudflare-one/integrations/identity-providers/generic-oidc.mdx b/src/content/docs/cloudflare-one/integrations/identity-providers/generic-oidc.mdx index ffc6fdf5d6eae4b..2c0ca0b17b794f3 100644 --- a/src/content/docs/cloudflare-one/integrations/identity-providers/generic-oidc.mdx +++ b/src/content/docs/cloudflare-one/integrations/identity-providers/generic-oidc.mdx 
@@ -108,7 +108,7 @@ To test that your connection is working, go to **Authentication** > **Login meth ## Synchronize users and groups -The generic OIDC integration allows you to synchronize user groups and automatically deprovision users using [SCIM](/cloudflare-one/identity/users/scim/). +The generic OIDC integration allows you to synchronize user groups and automatically deprovision users using [SCIM](/cloudflare-one/team-and-resources/users/scim/). ### Prerequisites diff --git a/src/content/docs/cloudflare-one/integrations/identity-providers/generic-saml.mdx b/src/content/docs/cloudflare-one/integrations/identity-providers/generic-saml.mdx index 8fb661deed4e32b..7c620b87efa7b7c 100644 --- a/src/content/docs/cloudflare-one/integrations/identity-providers/generic-saml.mdx +++ b/src/content/docs/cloudflare-one/integrations/identity-providers/generic-saml.mdx @@ -90,7 +90,7 @@ You can now [test the IdP integration](/cloudflare-one/integrations/identity-pro ## Synchronize users and groups -The generic SAML integration allows you to synchronize user groups and automatically deprovision users using [SCIM](/cloudflare-one/identity/users/scim/). +The generic SAML integration allows you to synchronize user groups and automatically deprovision users using [SCIM](/cloudflare-one/team-and-resources/users/scim/). ### Prerequisites diff --git a/src/content/docs/cloudflare-one/integrations/identity-providers/jumpcloud-saml.mdx b/src/content/docs/cloudflare-one/integrations/identity-providers/jumpcloud-saml.mdx index 5479d3191ae62ba..76be522a9d9e9a4 100644 --- a/src/content/docs/cloudflare-one/integrations/identity-providers/jumpcloud-saml.mdx +++ b/src/content/docs/cloudflare-one/integrations/identity-providers/jumpcloud-saml.mdx 
@@ -70,7 +70,7 @@ You can now [test your connection](/cloudflare-one/integrations/identity-provide ## Synchronize users and groups -The JumpCloud integration allows you to synchronize user groups and automatically deprovision users using [SCIM](/cloudflare-one/identity/users/scim/). +The JumpCloud integration allows you to synchronize user groups and automatically deprovision users using [SCIM](/cloudflare-one/team-and-resources/users/scim/). ### 1. Enable SCIM in Zero Trust diff --git a/src/content/docs/cloudflare-one/integrations/identity-providers/okta.mdx b/src/content/docs/cloudflare-one/integrations/identity-providers/okta.mdx index e3c9e1756661520..39537f8e4e42c42 100644 --- a/src/content/docs/cloudflare-one/integrations/identity-providers/okta.mdx +++ b/src/content/docs/cloudflare-one/integrations/identity-providers/okta.mdx @@ -89,7 +89,7 @@ To set up the Okta integration using the Okta Integration Network (OIN) App Cata ## Synchronize users and groups -The Okta integration allows you to synchronize IdP groups and automatically deprovision users using [SCIM](/cloudflare-one/identity/users/scim/). To enable SCIM provisioning between Access and Okta, you need two separate app integrations in Okta: +The Okta integration allows you to synchronize IdP groups and automatically deprovision users using [SCIM](/cloudflare-one/team-and-resources/users/scim/). To enable SCIM provisioning between Access and Okta, you need two separate app integrations in Okta: - The OIDC application you created when adding Okta as an identity provider. You can create this application via the [Okta App Catalog](#set-up-okta-as-an-oidc-provider-okta-app-catalog) or via a [Custom App Integration](#set-up-okta-as-an-oidc-provider-custom-app-integration). - A second Okta application of type **SCIM 2.0 Test App (Header Auth)**. This is technically a SAML app but is responsible for sending user and group info via SCIM. 
diff --git a/src/content/docs/cloudflare-one/integrations/service-providers/custom.mdx b/src/content/docs/cloudflare-one/integrations/service-providers/custom.mdx index f904b68fc6a0562..d0239b62db689a4 100644 --- a/src/content/docs/cloudflare-one/integrations/service-providers/custom.mdx +++ b/src/content/docs/cloudflare-one/integrations/service-providers/custom.mdx @@ -105,7 +105,7 @@ WARP uses an Access Client ID and Access Client Secret to securely authenticate Next, secure the external API behind Cloudflare Access so that WARP can authenticate with the service token. To add the API endpoint to Access: -1. [Create a self-hosted application](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/) for your API endpoint. +1. [Create a self-hosted application](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) for your API endpoint. 2. Add the following Access policy to the application. Make sure that **Action** is set to _Service Auth_ (not _Allow_). | Action | Rule type | Selector | Value | diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall.mdx index 55129f0a3001705..9fd0b651ac38106 100644 --- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall.mdx +++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/configure-tunnels/tunnel-with-firewall.mdx 
@@ -178,7 +178,7 @@ Alternatively, you may use operating system (OS)-level firewall rules to block a Run your tunnel and check that all configured services are still accessible to the outside world via the tunnel, but not via the external IP address of the server. -You can also [secure your application with Cloudflare Access](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/). +You can also [secure your application with Cloudflare Access](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/). ## Test connectivity diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/deployment-guides/kubernetes.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/deployment-guides/kubernetes.mdx index 7d2df986513ab95..1f2205c5960540b 100644 --- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/deployment-guides/kubernetes.mdx +++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/deployment-guides/kubernetes.mdx @@ -330,4 +330,4 @@ Now that the tunnel is up and running, we can use the Zero Trust dashboard to ro To test, open a new browser tab and go to `httpbin..com`. You should see the httpbin homepage. -You can optionally [create an Access application](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/) to control who can access the service. +You can optionally [create an Access application](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) to control who can access the service. diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel-api.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel-api.mdx index 296c525beb9b5d8..3b2baacf14990f6 100644 
--- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel-api.mdx +++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel-api.mdx @@ -114,7 +114,7 @@ Follow these steps to publish an application to the Internet. If you are looking This DNS record allows Cloudflare to proxy `app.example.com` traffic to your Cloudflare Tunnel (`.cfargotunnel.com`). -This application will be publicly available on the Internet once you [run the tunnel](#4-install-and-run-the-tunnel). To allow or block specific users, [create an Access application](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/). +This application will be publicly available on the Internet once you [run the tunnel](#4-install-and-run-the-tunnel). To allow or block specific users, [create an Access application](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/). ## 3b. Connect a network diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel.mdx index 09e528740c14c51..27ec4845dae04f2 100644 --- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel.mdx +++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/create-remote-tunnel.mdx 
@@ -26,7 +26,7 @@ Follow these steps to publish an application to the Internet. If you are looking -Anyone on the Internet can now access the application at the specified hostname. To allow or block specific users, [create an Access application](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/). +Anyone on the Internet can now access the application at the specified hostname. To allow or block specific users, [create an Access application](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/). ## 2b. Connect a network diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/index.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/index.mdx index 9e396d555d25609..e37cd6000ac772c 100644 --- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/index.mdx +++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/index.mdx @@ -11,6 +11,6 @@ Cloudflare can route traffic down your Cloudflare Tunnel using a [DNS record](/c :::note -You do not need a paid Cloudflare Access plan to publish an application via Cloudflare Tunnel. [Access seats](/cloudflare-one/identity/users/seat-management/) are only required if you want to [secure the application using Access policies](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/), such as requiring users to log in via an identity provider. +You do not need a paid Cloudflare Access plan to publish an application via Cloudflare Tunnel. [Access seats](/cloudflare-one/team-and-resources/users/seat-management/) are only required if you want to [secure the application using Access policies](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/), such as requiring users to log in via an identity provider. ::: 
diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-cloudflared-authentication.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-cloudflared-authentication.mdx index 82d494fcfbbf601..db77f4d7b7dc642 100644 --- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-cloudflared-authentication.mdx +++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/rdp-cloudflared-authentication.mdx @@ -24,7 +24,7 @@ Client-side `cloudflared` can be used in conjunction with [routing over WARP](/c ## 2. (Recommended) Create an Access application -By default, anyone on the Internet can connect to the server using the hostname of the published application. To allow or block specific users, create a [self-hosted application](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/) in Cloudflare Access. +By default, anyone on the Internet can connect to the server using the hostname of the published application. To allow or block specific users, create a [self-hosted application](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) in Cloudflare Access. ## 3. Connect as a user diff --git a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/smb.mdx b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/smb.mdx index d296a489d624279..a8b81b3d9b22271 100644 --- a/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/smb.mdx +++ b/src/content/docs/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/smb.mdx 
@@ -79,7 +79,7 @@ The public hostname method can be implemented in conjunction with routing over W ### 2. (Recommended) Create an Access application -By default, anyone on the Internet can connect to the server using the hostname of the published application. To allow or block specific users, create a [self-hosted application](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/) in Cloudflare Access. +By default, anyone on the Internet can connect to the server using the hostname of the published application. To allow or block specific users, create a [self-hosted application](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) in Cloudflare Access. ### 3. Connect as a user diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/agentless/index.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/agentless/index.mdx index a030b9058843a18..2464426fe008ca6 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/agentless/index.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/agentless/index.mdx 
@@ -9,7 +9,7 @@ If you are unable to install the WARP client on your devices (for example, Windo - **[Gateway DNS policies](/cloudflare-one/team-and-resources/devices/agentless/dns/)** - **[Gateway HTTP policies](/cloudflare-one/team-and-resources/devices/agentless/pac-files/)** without user identity and device posture -- **[Access policies](/cloudflare-one/access-controls/policies/)** without device posture for [web applications](/cloudflare-one/access-controls/applications/configure-apps/) and for [browser-rendered](/cloudflare-one/access-controls/applications/non-http/browser-rendering/) SSH, RDP, and VNC connections +- **[Access policies](/cloudflare-one/access-controls/policies/)** without device posture for [web applications](/cloudflare-one/access-controls/applications/http-apps/) and for [browser-rendered](/cloudflare-one/access-controls/applications/non-http/browser-rendering/) SSH, RDP, and VNC connections - **[Remote Browser Isolation](/cloudflare-one/remote-browser-isolation/)** via an [Access policy](/cloudflare-one/access-controls/policies/isolate-application/), [prefixed URLs](/cloudflare-one/remote-browser-isolation/setup/clientless-browser-isolation/), or a [non-identity on-ramp](/cloudflare-one/remote-browser-isolation/setup/non-identity/) - **[Cloud Access Security Broker (CASB)](/cloudflare-one/applications/casb/)** - **[Data Loss Prevention (DLP)](/cloudflare-one/applications/casb/casb-dlp/)** for SaaS applications integrated with Cloudflare CASB diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-modes/device-information-only.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-modes/device-information-only.mdx index dcb3af1f1d308e6..999a426f216d7eb 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-modes/device-information-only.mdx 
+++ b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-modes/device-information-only.mdx @@ -20,7 +20,7 @@ import { TabItem, Tabs, Details, Width, APIRequest } from "~/components"; -Device Information Only mode allows you to enforce device posture rules when a user connects to your [self-hosted Access application](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/). This mode relies on a client certificate generated from your account to establish trust between the Access application and the device. +Device Information Only mode allows you to enforce device posture rules when a user connects to your [self-hosted Access application](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/). This mode relies on a client certificate generated from your account to establish trust between the Access application and the device. ## 1. Turn on account settings diff --git a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-sessions.mdx b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-sessions.mdx index aa03a29bf477999..a8ddd154127fd48 100644 --- a/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-sessions.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-sessions.mdx 
@@ -40,7 +40,7 @@ To configure WARP sessions for Access applications: This timeout value does not apply to [WARP session checks in Gateway policies](#configure-warp-sessions-in-gateway). ::: -5. (Optional) To enable WARP authentication by default for all existing and new applications, select **Apply to all Access applications**. You can override this default setting on a per-application basis when you [create](/cloudflare-one/access-controls/applications/configure-apps/) or modify an Access application. +5. (Optional) To enable WARP authentication by default for all existing and new applications, select **Apply to all Access applications**. You can override this default setting on a per-application basis when you [create](/cloudflare-one/access-controls/applications/http-apps/) or modify an Access application. 6. Select **Save**. Users can now authenticate once with WARP and have access to your Access applications for the configured period of time. The session timer resets when the user re-authenticates with the IdP used to enroll in WARP. diff --git a/src/content/docs/cloudflare-one/identity/users/index.mdx b/src/content/docs/cloudflare-one/team-and-resources/users/index.mdx similarity index 88% rename from src/content/docs/cloudflare-one/identity/users/index.mdx rename to src/content/docs/cloudflare-one/team-and-resources/users/index.mdx index d0ac30c2dfa02b6..60f2b6ae2da1eb2 100644 --- a/src/content/docs/cloudflare-one/identity/users/index.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/users/index.mdx @@ -1,6 +1,6 @@ --- pcx_content_type: navigation -title: User management +title: Users sidebar: order: 5 --- diff --git a/src/content/docs/cloudflare-one/identity/users/scim.mdx b/src/content/docs/cloudflare-one/team-and-resources/users/scim.mdx similarity index 100% rename from src/content/docs/cloudflare-one/identity/users/scim.mdx rename to src/content/docs/cloudflare-one/team-and-resources/users/scim.mdx 
diff --git a/src/content/docs/cloudflare-one/identity/users/seat-management.mdx b/src/content/docs/cloudflare-one/team-and-resources/users/seat-management.mdx similarity index 100% rename from src/content/docs/cloudflare-one/identity/users/seat-management.mdx rename to src/content/docs/cloudflare-one/team-and-resources/users/seat-management.mdx diff --git a/src/content/docs/cloudflare-one/identity/users/session-management.mdx b/src/content/docs/cloudflare-one/team-and-resources/users/session-management.mdx similarity index 98% rename from src/content/docs/cloudflare-one/identity/users/session-management.mdx rename to src/content/docs/cloudflare-one/team-and-resources/users/session-management.mdx index a23d5b478b3fe43..5e7d32864531ecb 100644 --- a/src/content/docs/cloudflare-one/identity/users/session-management.mdx +++ b/src/content/docs/cloudflare-one/team-and-resources/users/session-management.mdx @@ -145,7 +145,7 @@ If you want to permanently revoke a user's access: 4. Select **Action** > **Revoke access**. -The user will no longer be able to log in to any application protected by Access. The user will still count towards your seat subscription until you [remove the user](/cloudflare-one/identity/users/seat-management) from your account. +The user will no longer be able to log in to any application protected by Access. The user will still count towards your seat subscription until you [remove the user](/cloudflare-one/team-and-resources/users/seat-management) from your account. ### Subsequent Logins diff --git a/src/content/docs/cloudflare-one/traffic-policies/identity-selectors.mdx b/src/content/docs/cloudflare-one/traffic-policies/identity-selectors.mdx index 7be3c64904e80fd..fb439cc558f4059 100644 --- a/src/content/docs/cloudflare-one/traffic-policies/identity-selectors.mdx +++ b/src/content/docs/cloudflare-one/traffic-policies/identity-selectors.mdx 
@@ -24,7 +24,7 @@ To view the identity that Gateway will use when evaluating policies, check the [ ### Automatic SCIM IdP updates -Gateway will automatically detect changes in user name, title, and group membership for IdPs configured with System for Cross-domain Identity Management (SCIM) provisioning. For more information, refer to [SCIM provisioning](/cloudflare-one/identity/users/scim/). +Gateway will automatically detect changes in user name, title, and group membership for IdPs configured with System for Cross-domain Identity Management (SCIM) provisioning. For more information, refer to [SCIM provisioning](/cloudflare-one/team-and-resources/users/scim/). ### Extended email addresses diff --git a/src/content/docs/cloudflare-one/tutorials/ai-wrapper-tenant-control.mdx b/src/content/docs/cloudflare-one/tutorials/ai-wrapper-tenant-control.mdx index a6fdfb28f5b5cc0..92b9af68eea61e4 100644 --- a/src/content/docs/cloudflare-one/tutorials/ai-wrapper-tenant-control.mdx +++ b/src/content/docs/cloudflare-one/tutorials/ai-wrapper-tenant-control.mdx @@ -411,7 +411,7 @@ To secure the AI agent wrapper to ensure that only trusted users can access it: 4. Enter a name for your AI agent wrapper application. 5. In **Session Duration**, choose when the user's application token should expire. 6. Select **Add public hostname** and enter the custom domain you set for your Worker. -7. [Configure your Access application](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/) for your Worker. +7. [Configure your Access application](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) for your Worker. 8. Add [Access policies](/cloudflare-one/access-controls/policies/policy-management/) to control who can connect to your application. Now your AI wrapper can only be accessed by your users that successfully match your Access policies. 
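Review bot: in the `session-management.mdx` hunk, the rewritten link `/cloudflare-one/team-and-resources/users/seat-management` has no trailing slash, while the other rewritten links in this patch (for example `/cloudflare-one/team-and-resources/users/scim/`) end in one. The missing slash is carried over from the removed line, but since the line is being touched anyway, add it so the link has the same form as the rest of the patch.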
diff --git a/src/content/docs/cloudflare-one/tutorials/cli.mdx b/src/content/docs/cloudflare-one/tutorials/cli.mdx index bdf803443466bee..53da6242299bcf6 100644 --- a/src/content/docs/cloudflare-one/tutorials/cli.mdx +++ b/src/content/docs/cloudflare-one/tutorials/cli.mdx @@ -39,7 +39,7 @@ If the browser window does not launch, you can use the unique URL that is automa 1. Once you have successfully authenticated, the browser returns the token to `cloudflared` in a cryptographic transfer and stores it. -The token is valid for the [session duration](/cloudflare-one/identity/users/session-management/) configured by the Access administrator. +The token is valid for the [session duration](/cloudflare-one/team-and-resources/users/session-management/) configured by the Access administrator. ## Access your API diff --git a/src/content/docs/cloudflare-one/tutorials/entra-id-conditional-access.mdx b/src/content/docs/cloudflare-one/tutorials/entra-id-conditional-access.mdx index c3d950cf6bf65cc..5edec29a25fe517 100644 --- a/src/content/docs/cloudflare-one/tutorials/entra-id-conditional-access.mdx +++ b/src/content/docs/cloudflare-one/tutorials/entra-id-conditional-access.mdx @@ -87,6 +87,6 @@ To enforce your Conditional Access policies on a Cloudflare Access application: 8. For **Identity providers**, select your Microsoft Entra ID integration. -9. Follow the remaining [self-hosted application creation steps](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/) to publish the application. +9. Follow the remaining [self-hosted application creation steps](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) to publish the application. Users will only be allowed access if they pass the Microsoft Entra ID Conditional Access policies associated with this authentication context. 
diff --git a/src/content/docs/cloudflare-one/tutorials/extend-sso-with-workers.mdx b/src/content/docs/cloudflare-one/tutorials/extend-sso-with-workers.mdx index 719c47ec8e473d7..9a5ec361a4709da 100644 --- a/src/content/docs/cloudflare-one/tutorials/extend-sso-with-workers.mdx +++ b/src/content/docs/cloudflare-one/tutorials/extend-sso-with-workers.mdx @@ -41,7 +41,7 @@ This approach allows you to: ## Before you begin -- Add a [self-hosted application](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/) to Cloudflare Access. +- Add a [self-hosted application](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) to Cloudflare Access. - Enable the [Disk encryption](/cloudflare-one/identity/devices/warp-client-checks/disk-encryption/) and [Firewall](/cloudflare-one/identity/devices/warp-client-checks/firewall/) device posture checks. - Install [Wrangler](/workers/wrangler/install-and-update/) on your local machine. diff --git a/src/content/docs/cloudflare-one/tutorials/fastapi.mdx b/src/content/docs/cloudflare-one/tutorials/fastapi.mdx index d32391ee87f1b97..9ef9db919989586 100644 --- a/src/content/docs/cloudflare-one/tutorials/fastapi.mdx +++ b/src/content/docs/cloudflare-one/tutorials/fastapi.mdx @@ -15,7 +15,7 @@ This tutorial covers how to validate that the [Access JWT](/cloudflare-one/ident ## Prerequisites -* A [self-hosted Access application](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/) for your FastAPI app +* A [self-hosted Access application](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) for your FastAPI app * The [AUD tag](/cloudflare-one/identity/authorization-cookie/validating-json/#get-your-aud-tag) for your Access application ## 1. Create a validation function 
diff --git a/src/content/docs/cloudflare-one/tutorials/kubectl.mdx b/src/content/docs/cloudflare-one/tutorials/kubectl.mdx index 03e9dca7c27daaa..61a056e2c1143e5 100644 --- a/src/content/docs/cloudflare-one/tutorials/kubectl.mdx +++ b/src/content/docs/cloudflare-one/tutorials/kubectl.mdx @@ -35,7 +35,7 @@ You can connect to machines over `kubectl` using Cloudflare's Zero Trust platfor 4. Enter a name for your Access application. 5. Select **Add public hostname** and input a subdomain. This will be the hostname where your application will be available to users. 6. [Create a new policy](/cloudflare-one/access-controls/policies/policy-management/) to control who can reach the application, or select existing policies. -7. Follow the remaining [self-hosted application creation steps](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/) to publish the application. +7. Follow the remaining [self-hosted application creation steps](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) to publish the application. ## Install `cloudflared` diff --git a/src/content/docs/cloudflare-one/tutorials/mongodb-tunnel.mdx b/src/content/docs/cloudflare-one/tutorials/mongodb-tunnel.mdx index 009efae0dd52b19..4deeeab9d36de8c 100644 --- a/src/content/docs/cloudflare-one/tutorials/mongodb-tunnel.mdx +++ b/src/content/docs/cloudflare-one/tutorials/mongodb-tunnel.mdx 
@@ -43,7 +43,7 @@ You can build a rule in Cloudflare Access to control who can connect to your Mon 6. Add [Access policies](/cloudflare-one/access-controls/policies/) to control who can reach the deployment. You can build a policy that allows anyone in your organization to connect or you can build more granular policies based on signals like identity provider groups, [multifactor method](/cloudflare-one/tutorials/okta-u2f/), or [country](/cloudflare-one/access-controls/policies/groups/). -7. Follow the remaining [self-hosted application creation steps](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/) to publish the application. +7. Follow the remaining [self-hosted application creation steps](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) to publish the application. ## Configure the Kubernetes deployment diff --git a/src/content/docs/cloudflare-one/tutorials/s3-buckets.mdx b/src/content/docs/cloudflare-one/tutorials/s3-buckets.mdx index 8c783ee1e8554ac..ef7863fd2d681e8 100644 --- a/src/content/docs/cloudflare-one/tutorials/s3-buckets.mdx +++ b/src/content/docs/cloudflare-one/tutorials/s3-buckets.mdx 
@@ -114,7 +114,7 @@ Your Cloudflare Tunnel will terminate at the AWS VPC using your public hostname. 4. Enter a name for the application. 5. Select **Add public hostname** and enter the public hostname used by your Tunnel. For example, `s3-bucket..com`. 6. Add [Access policies](/cloudflare-one/access-controls/policies/) to determine which users and applications may access your bucket. You can optionally create a [service token](/cloudflare-one/identity/service-tokens/) policy to automatically authenticate access to your S3 bucket. -7. Follow the remaining [self-hosted application creation steps](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/) to publish the application. +7. Follow the remaining [self-hosted application creation steps](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) to publish the application. Users and applications that successfully authenticate via Cloudflare Access can access your S3 bucket at `https://s3-bucket..com`. diff --git a/src/content/docs/email-security/account-setup/sso/access.mdx b/src/content/docs/email-security/account-setup/sso/access.mdx index 337864b6526030b..cf4bfcda0b829d1 100644 --- a/src/content/docs/email-security/account-setup/sso/access.mdx +++ b/src/content/docs/email-security/account-setup/sso/access.mdx @@ -1,7 +1,7 @@ --- pcx_content_type: navigation title: Cloudflare Access for SaaS -external_link: /cloudflare-one/access-controls/applications/configure-apps/saas-apps/area-1/ +external_link: /cloudflare-one/access-controls/applications/http-apps/saas-apps/area-1/ sidebar: order: 4 diff --git a/src/content/docs/fundamentals/account/account-security/scim-setup/index.mdx b/src/content/docs/fundamentals/account/account-security/scim-setup/index.mdx index 5df3eb627b48803..022d07898056bfb 100644 --- a/src/content/docs/fundamentals/account/account-security/scim-setup/index.mdx +++ b/src/content/docs/fundamentals/account/account-security/scim-setup/index.mdx 
@@ -7,7 +7,7 @@ title: SCIM provisioning Cloudflare supports bulk provisioning of users into the Cloudflare dashboard by using the System for Cross-domain Identity Management (SCIM) protocol. This allows you to connect an external identity provider (IdP) to Cloudflare, quickly onboard and manage user permissions. Currently, SCIM provisioning has been integrated with Okta and Microsoft Entra. :::note -This section covers SCIM provisioning for the Cloudflare dashboard. If you need to provision SCIM for Cloudflare Zero Trust, refer to [Zero Trust SCIM provisioning](/cloudflare-one/identity/users/scim/). +This section covers SCIM provisioning for the Cloudflare dashboard. If you need to provision SCIM for Cloudflare Zero Trust, refer to [Zero Trust SCIM provisioning](/cloudflare-one/team-and-resources/users/scim/). ::: ## Objectives diff --git a/src/content/docs/fundamentals/performance/maintenance-mode.mdx b/src/content/docs/fundamentals/performance/maintenance-mode.mdx index 848396adf0876ad..1655965e7487295 100644 --- a/src/content/docs/fundamentals/performance/maintenance-mode.mdx +++ b/src/content/docs/fundamentals/performance/maintenance-mode.mdx @@ -23,7 +23,7 @@ Certain customization and queue options depend on your [plan](/waiting-room/plan ### All plans -Users on all plans can [create an Access application](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/). Make sure to limit your [Access policy](/cloudflare-one/access-controls/policies/policy-management/#create-a-policy) to only include yourself and any collaborators. +Users on all plans can [create an Access application](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/). Make sure to limit your [Access policy](/cloudflare-one/access-controls/policies/policy-management/#create-a-policy) to only include yourself and any collaborators. If needed, you can also further [customize the login page](/cloudflare-one/applications/login-page). 
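Review bot: in the `maintenance-mode.mdx` hunk, the context line right after the changed one still links to `/cloudflare-one/applications/login-page`, which uses the `/cloudflare-one/applications/` prefix instead of the `/cloudflare-one/access-controls/applications/` prefix on the changed line, and has no trailing slash. Please check where that page lives after the nav revamp and point the link at it directly in this PR.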
diff --git a/src/content/docs/learning-paths/clientless-access/migrate-applications/integrated-sso.mdx b/src/content/docs/learning-paths/clientless-access/migrate-applications/integrated-sso.mdx index b8fbd8e103c6137..c6768a2e3864f72 100644 --- a/src/content/docs/learning-paths/clientless-access/migrate-applications/integrated-sso.mdx +++ b/src/content/docs/learning-paths/clientless-access/migrate-applications/integrated-sso.mdx @@ -32,7 +32,7 @@ If your applications use integrated SSO, there are a number of different paths y | [Present applications exclusively on Cloudflare domains](#recommended-solution) | Change SSO ACS URL to the Cloudflare Tunnel public hostname |
  • Increased security posture
  • No changes to application code
  • No changes to internal DNS design
  • | Hard cutover event when ACS URL changes from internal to external domain | | Present applications on existing internal domains with identical external domains delegated to Cloudflare | Add domains to Cloudflare that match internal domains |
  • No changes to SSO ACS URL
  • No change for end users
  • |
  • Requires careful management of internal and external domains
  • Requires changing internal DNS design
  • | | [Consume the Cloudflare JWT in internal applications](/learning-paths/clientless-access/migrate-applications/consume-jwt/) |
  • Remove integrated SSO
  • Update application to accept the Cloudflare JWT for user authorization
  • |
  • Reduced authentication burden for end users
  • No changes to internal DNS design
  • Instantly secure applications without direct SSO integration
  • |
  • Requires changing application code
  • Hard cutover event when application updates
  • | -| Use Cloudflare as the direct SSO integration, which then calls your IdP of choice (Okta, OneLogin, etc.) | Swap existing SSO provider for [Access for SaaS](/cloudflare-one/access-controls/applications/configure-apps/saas-apps/) |
  • Increased flexibility for changing IdPs
  • Ability to use multiple IdPs simultaneously
  • |
  • Hard cutover event for IdP changes
  • No SCIM provisioning for application
  • | +| Use Cloudflare as the direct SSO integration, which then calls your IdP of choice (Okta, OneLogin, etc.) | Swap existing SSO provider for [Access for SaaS](/cloudflare-one/access-controls/applications/http-apps/saas-apps/) |
  • Increased flexibility for changing IdPs
  • Ability to use multiple IdPs simultaneously
  • |
  • Hard cutover event for IdP changes
  • No SCIM provisioning for application
  • | ## Recommended solution diff --git a/src/content/docs/learning-paths/holistic-ai-security/secure-approved-ai-models-tools/index.mdx b/src/content/docs/learning-paths/holistic-ai-security/secure-approved-ai-models-tools/index.mdx index 88366afd590eb67..2ed364f0cf2d817 100644 --- a/src/content/docs/learning-paths/holistic-ai-security/secure-approved-ai-models-tools/index.mdx +++ b/src/content/docs/learning-paths/holistic-ai-security/secure-approved-ai-models-tools/index.mdx @@ -42,7 +42,7 @@ This section will discuss the process of consolidating and securing access to yo The Model Context Protocol supports [OAuth 2.1 for authorization](https://modelcontextprotocol.io/specification/2025-06-18/basic/authorization). You can configure your MCP server to use Cloudflare Access as its OAuth provider. This allows you to secure the MCP server with Access policies, using signals from your existing identity providers (IdPs), device posture providers, and other rules to control who can log in to the server. Once the user is authenticated through Access, Access passes an OAuth ID token to the MCP server. You can then implement server-side access controls based on the user identity attributes included in the token. For example, you may wish to limit access to specific tools based on user emails. -To set up the Cloudflare Access OAuth integration, refer to [Secure MCP servers with Access for SaaS](/cloudflare-one/access-controls/applications/configure-apps/mcp-servers/saas-mcp/). +To set up the Cloudflare Access OAuth integration, refer to [Secure MCP servers with Access for SaaS](/cloudflare-one/access-controls/applications/http-apps/mcp-servers/saas-mcp/). ### Consolidate MCP servers into a portal 
@@ -50,4 +50,4 @@ MCP server portals allow you to centralize management of your MCP servers and to To define user access to your systems, you can configure Access policies for a portal as a whole while maintaining granular access control for the MCP servers that a user sees in their portals. Additionally, you can turn on or off the individual tools available through the portal and only expose the tools relevant for your specific use case. Prompts and responses made using the portal are logged in Cloudflare Access, providing you with visibility into how users are interacting with your MCP servers. -To get started with MCP server portals, refer to [MCP server portals](/cloudflare-one/access-controls/applications/configure-apps/mcp-servers/mcp-portals/). +To get started with MCP server portals, refer to [MCP server portals](/cloudflare-one/access-controls/applications/http-apps/mcp-servers/mcp-portals/). diff --git a/src/content/docs/learning-paths/mtls/mtls-cloudflare-access/index.mdx b/src/content/docs/learning-paths/mtls/mtls-cloudflare-access/index.mdx index f3f0534d47cb7ec..7f9278d5a994a17 100644 --- a/src/content/docs/learning-paths/mtls/mtls-cloudflare-access/index.mdx +++ b/src/content/docs/learning-paths/mtls/mtls-cloudflare-access/index.mdx 
@@ -114,7 +114,7 @@ Additionally, authenticated requests also send the `Cf-Access-Jwt-Assertion\` JW ## 4. Create the self-hosted applications -Finally, the hostname you want to protect with mTLS needs to be added as a [self-hosted app](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/) in Cloudflare Access, defining an [Access Policy](/cloudflare-one/access-controls/policies/) which uses the action [Service Auth](/cloudflare-one/access-controls/policies/#service-auth) and the Selector _"Valid Certificate"_, or simply requiring an [IdP](/cloudflare-one/integrations/identity-providers/) authentication. You can also take advantage of extra requirements, such as the "Common Name" (CN), which expects the indicated hostname, and more [Selectors](/cloudflare-one/access-controls/policies/#selectors). Alternatively, one can also [extend ZTNA with external authorization and serverless computing](/reference-architecture/diagrams/sase/augment-access-with-serverless/). +Finally, the hostname you want to protect with mTLS needs to be added as a [self-hosted app](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) in Cloudflare Access, defining an [Access Policy](/cloudflare-one/access-controls/policies/) which uses the action [Service Auth](/cloudflare-one/access-controls/policies/#service-auth) and the Selector _"Valid Certificate"_, or simply requiring an [IdP](/cloudflare-one/integrations/identity-providers/) authentication. You can also take advantage of extra requirements, such as the "Common Name" (CN), which expects the indicated hostname, and more [Selectors](/cloudflare-one/access-controls/policies/#selectors). Alternatively, one can also [extend ZTNA with external authorization and serverless computing](/reference-architecture/diagrams/sase/augment-access-with-serverless/). ## Demo 
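Review bot: the hunk header for `mtls-cloudflare-access/index.mdx` shows the header name written as "Cf-Access-Jwt-Assertion\" inside backticks, with a stray backslash before the closing backtick. It sits outside the changed line, but the file is open in this PR, so check how that sentence renders and drop the backslash so the header reads `Cf-Access-Jwt-Assertion`.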
diff --git a/src/content/docs/learning-paths/secure-internet-traffic/secure-saas-applications/sso-front-door.mdx b/src/content/docs/learning-paths/secure-internet-traffic/secure-saas-applications/sso-front-door.mdx index 91478741c03bf61..0732886786c56f5 100644 --- a/src/content/docs/learning-paths/secure-internet-traffic/secure-saas-applications/sso-front-door.mdx +++ b/src/content/docs/learning-paths/secure-internet-traffic/secure-saas-applications/sso-front-door.mdx @@ -8,7 +8,7 @@ sidebar: --- -[Access for SaaS](/cloudflare-one/access-controls/applications/configure-apps/saas-apps/) functions as an identity proxy to add an additional authentication layer to your SaaS apps. +[Access for SaaS](/cloudflare-one/access-controls/applications/http-apps/saas-apps/) functions as an identity proxy to add an additional authentication layer to your SaaS apps. Access for SaaS integrates directly with your SaaS app using standard protocols (such as SAML) to become the primary enforcement point for user access. Access calls your identity provider (IdP) of choice and uses additional security signals about your users and devices to make policy decisions. Benefits of Access for SaaS include: diff --git a/src/content/docs/pages/how-to/preview-with-cloudflare-tunnel.mdx b/src/content/docs/pages/how-to/preview-with-cloudflare-tunnel.mdx index f3e45bdd66d30c0..4502c80cf747b1e 100644 --- a/src/content/docs/pages/how-to/preview-with-cloudflare-tunnel.mdx +++ b/src/content/docs/pages/how-to/preview-with-cloudflare-tunnel.mdx 
@@ -59,4 +59,4 @@ In this example, the randomly-generated URL `https://seasonal-deck-organisms-sf. Cloudflare Tunnel can be configured in a variety of ways and can be used beyond providing access to your in-development applications. For example, you can provide `cloudflared` with a [configuration file](/cloudflare-one/networks/connectors/cloudflare-tunnel/do-more-with-tunnels/local-management/configuration-file/) to add more complex routing and tunnel setups that go beyond a simple `--url` flag. You can also [attach a Cloudflare DNS record](/cloudflare-one/networks/connectors/cloudflare-tunnel/routing-to-tunnel/dns/) to a domain or subdomain for an easily accessible, long-lived tunnel to your local machine. -Finally, by incorporating Cloudflare Access, you can provide [secure access to your tunnels](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/) without exposing your entire server, or compromising on security. Refer to the [Cloudflare for Teams documentation](/cloudflare-one/) to learn more about what you can do with Cloudflare's entire suite of Zero Trust tools. +Finally, by incorporating Cloudflare Access, you can provide [secure access to your tunnels](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) without exposing your entire server, or compromising on security. Refer to the [Cloudflare for Teams documentation](/cloudflare-one/) to learn more about what you can do with Cloudflare's entire suite of Zero Trust tools. diff --git a/src/content/docs/r2/tutorials/cloudflare-access.mdx b/src/content/docs/r2/tutorials/cloudflare-access.mdx index e7dfb3a2dd1906f..91dc6d23e99725f 100644 --- a/src/content/docs/r2/tutorials/cloudflare-access.mdx +++ b/src/content/docs/r2/tutorials/cloudflare-access.mdx 
@@ -8,7 +8,7 @@ description: >- import { Render } from "~/components"; -You can secure access to R2 buckets using [Cloudflare Access](/cloudflare-one/access-controls/applications/configure-apps/). +You can secure access to R2 buckets using [Cloudflare Access](/cloudflare-one/access-controls/applications/http-apps/). Access allows you to only allow specific users, groups or applications within your organization to access objects within a bucket, or specific sub-paths, based on policies you define. @@ -46,7 +46,7 @@ To create an Access application for your R2 bucket: Ensure that your policies only allow the users within your organization that need access to this R2 bucket. ::: -6. Follow the remaining [self-hosted application creation steps](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/) to publish the application. +6. Follow the remaining [self-hosted application creation steps](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) to publish the application. ## 3. Connect a custom domain 
@@ -66,10 +66,10 @@ Visit the custom domain you connected to your R2 bucket, which should present a For example, if you connected Google and/or GitHub identity providers, you can log in with those providers. If the login is successful and you pass the Access policies configured in this guide, you will be able to access (read/download) objects within the R2 bucket. -If you cannot authenticate or receive a block page after authenticating, check that you have an [Access policy](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/#1-add-your-application-to-access) configured within your Access application that explicitly allows the group your user account is associated with. +If you cannot authenticate or receive a block page after authenticating, check that you have an [Access policy](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/#1-add-your-application-to-access) configured within your Access application that explicitly allows the group your user account is associated with. ## Next steps -- Learn more about [Access applications](/cloudflare-one/access-controls/applications/configure-apps/) and how to configure them. +- Learn more about [Access applications](/cloudflare-one/access-controls/applications/http-apps/) and how to configure them. - Understand how to use [pre-signed URLs](/r2/api/s3/presigned-urls/) to issue time-limited and prefix-restricted access to objects for users not within your organization. - Review the [documentation on using API tokens to authenticate](/r2/api/tokens/) against R2 buckets. diff --git a/src/content/docs/reference-architecture/design-guides/designing-ztna-access-policies.mdx b/src/content/docs/reference-architecture/design-guides/designing-ztna-access-policies.mdx index 017d9308c4449a5..2a6de928006a838 100644 --- a/src/content/docs/reference-architecture/design-guides/designing-ztna-access-policies.mdx 
+++ b/src/content/docs/reference-architecture/design-guides/designing-ztna-access-policies.mdx @@ -66,7 +66,7 @@ Once we have established connectivity to your applications, it is time to facili ### Identity -A critical part of application access is authenticating a user. Cloudflare has a [built-in authentication](/cloudflare-one/integrations/identity-providers/one-time-pin/) method based on email. But we highly recommend configuring a third-party identity provider. We support both consumer and enterprise [identity providers](/cloudflare-one/identity/), and any SAML or OpenID compliant service can be used. Group membership is one of the most common attributes of defining application access and can be defined manually or imported using the System for Cross-Domain Identity Management ([SCIM](/cloudflare-one/identity/users/scim/)). +A critical part of application access is authenticating a user. Cloudflare has a [built-in authentication](/cloudflare-one/integrations/identity-providers/one-time-pin/) method based on email. But we highly recommend configuring a third-party identity provider. We support both consumer and enterprise [identity providers](/cloudflare-one/identity/), and any SAML or OpenID compliant service can be used. Group membership is one of the most common attributes of defining application access and can be defined manually or imported using the System for Cross-Domain Identity Management ([SCIM](/cloudflare-one/team-and-resources/users/scim/)). ### Device posture 
@@ -169,7 +169,7 @@ There are many different [types of selectors](/cloudflare-one/access-controls/po You can configure this control by enabling the "gateway" device posture check and then requiring "gateway" in your application policies. Requiring "gateway" is more flexible than relying solely on the device agent because users can also on-ramp from Browser Isolation or a Magic WAN-connected site, both of which provide traffic logging and filtering. Additionally, when using the device agent, this allows you to guarantee that a user is coming from a compliant device that has passed a set of device posture checks. - Requiring the gateway is enforced continuously for [self-hosted applications](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/). For SaaS apps, it is only enforced at the time of login. However, a dedicated egress IP can be leveraged in tandem to enforce that traffic always goes via Cloudflare Gateway. + Requiring the gateway is enforced continuously for [self-hosted applications](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/). For SaaS apps, it is only enforced at the time of login. However, a dedicated egress IP can be leveraged in tandem to enforce that traffic always goes via Cloudflare Gateway. - **Does the user belong to an existing group, or have specific identity attributes?** If your IdP supports SCIM, group membership information can be imported into Cloudflare, where it can be used in policies. Group information can also come from the SAML or OAuth data sent as part of authentication. In fact, when OIDC or SAML is used and claims are sent, they can be used in a policy. So if your users authenticate to your IDP using SAML, and the resulting token contains their "role," you can query that value in the rule. 
diff --git a/src/content/docs/reference-architecture/design-guides/network-vpn-migration.mdx b/src/content/docs/reference-architecture/design-guides/network-vpn-migration.mdx index 4ff643a09d4a023..d828c31ec5c899d 100644 --- a/src/content/docs/reference-architecture/design-guides/network-vpn-migration.mdx +++ b/src/content/docs/reference-architecture/design-guides/network-vpn-migration.mdx @@ -202,7 +202,7 @@ In the example below, `erp.example.com` is added as [Public Hostname](/cloudflar ![Adding a public hostname to a tunnel for clientless access to internal applications.](~/assets/images/reference-architecture/design-guide-network-vpn-migr/clientless-access.svg "Figure 7: Adding a public hostname to a tunnel for clientless access to internal applications.") -Not all applications will be suitable for this type of access. Only HTTP(S) applications or [applications that can be rendered in the browser](/cloudflare-one/access-controls/applications/non-http/) such as SSH and VNC are supported. To learn more about such a deployment and additional advanced options such cookie settings, browser isolation and using the Access token in your application for authentication, see the [self-hosted application documentation](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/). +Not all applications will be suitable for this type of access. Only HTTP(S) applications or [applications that can be rendered in the browser](/cloudflare-one/access-controls/applications/non-http/) such as SSH and VNC are supported. To learn more about such a deployment and additional advanced options such cookie settings, browser isolation and using the Access token in your application for authentication, see the [self-hosted application documentation](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/). ## Summary 
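Review bot: the rewritten line in `network-vpn-migration.mdx` still reads "additional advanced options such cookie settings", which is missing "as". The wording is carried over from the removed line, but since the line is already being changed, fix it to "such as cookie settings" here.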
diff --git a/src/content/docs/reference-architecture/design-guides/zero-trust-for-startups.mdx b/src/content/docs/reference-architecture/design-guides/zero-trust-for-startups.mdx index d5dd3f88270e535..8e9f6d0336dcc07 100644 --- a/src/content/docs/reference-architecture/design-guides/zero-trust-for-startups.mdx +++ b/src/content/docs/reference-architecture/design-guides/zero-trust-for-startups.mdx @@ -262,7 +262,7 @@ For Cloudflare users, this offers a number of advantages: it helps streamline au ### Where does Cloudflare fit in? -We recommend using our Cloudflare Access product for remote access to your internal services (by way of our Cloudflare Tunnel software in your network). With Cloudflare Access, you can [consume the JWT](/cloudflare-one/identity/authorization-cookie/validating-json/) created by Cloudflare Access or use [Access for SaaS](/cloudflare-one/access-controls/applications/configure-apps/saas-apps/) to act as a SAML or OAUTH proxy for your private, self-hosted applications (which have SSO integrations pre-built into them). +We recommend using our Cloudflare Access product for remote access to your internal services (by way of our Cloudflare Tunnel software in your network). With Cloudflare Access, you can [consume the JWT](/cloudflare-one/identity/authorization-cookie/validating-json/) created by Cloudflare Access or use [Access for SaaS](/cloudflare-one/access-controls/applications/http-apps/saas-apps/) to act as a SAML or OAUTH proxy for your private, self-hosted applications (which have SSO integrations pre-built into them). In a lot of cases, you may even use both products for application access. For example, if you're self-hosting [Sentry](https://sentry.io/) — which is not currently available on the public Internet — follow these steps: 
@@ -400,7 +400,7 @@ This framework can also give your IT organization direction on which tools to co Cloudflare can help set a foundation for visibility and management of your [shadow IT](/cloudflare-one/insights/analytics/shadow-it-discovery/) environment and subsequent discoveries. User traffic to the Internet can be audited and organized from the WARP client and our [Secure Web Gateway (SWG)](/cloudflare-one/traffic-policies/), and can you understand where your sensitive data moves outside of your corporate-accepted SaaS tenants. -This can then be an opportunity to further expand your Zero Trust strategy by ensuring those newly-discovered tools are either explicitly blocked or explicitly allowed, setting specific data security controls on them, or integrating them with your Zero Trust vendor (using something like [Access for SaaS](/cloudflare-one/access-controls/applications/configure-apps/saas-apps/aws-sso-saas/) to apply security policies). +This can then be an opportunity to further expand your Zero Trust strategy by ensuring those newly-discovered tools are either explicitly blocked or explicitly allowed, setting specific data security controls on them, or integrating them with your Zero Trust vendor (using something like [Access for SaaS](/cloudflare-one/access-controls/applications/http-apps/saas-apps/aws-sso-saas/) to apply security policies). ## Long-term management with APIs and Infrastructure as Code (IaC) diff --git a/src/content/docs/reference-architecture/diagrams/security/securing-data-at-rest.mdx b/src/content/docs/reference-architecture/diagrams/security/securing-data-at-rest.mdx index b052d799966ac5a..3776f34447a9387 100644 --- a/src/content/docs/reference-architecture/diagrams/security/securing-data-at-rest.mdx +++ b/src/content/docs/reference-architecture/diagrams/security/securing-data-at-rest.mdx 
@@ -31,7 +31,7 @@ When Cloudflare CASB is combined with Cloudflare's [Secure Web Gateway](/cloudfl 1. For managed endpoints, we recommend deploying our [device agent](/cloudflare-one/team-and-resources/devices/warp/) to maximize visibility and control of all traffic between the end user’s device and the resources being requested. 2. For unmanaged endpoints, we have [client-less solutions](/reference-architecture/diagrams/sase/sase-clientless-access-private-dns/) which all you to still have visibility over and inspection into the data accessed by users. -2. Cloudflare's [Zero Trust Network Access](/cloudflare-one/access-controls/policies/) (ZTNA) service can integrate directly with your [SaaS applications](/cloudflare-one/access-controls/applications/configure-apps/saas-apps/) using standard protocols (e.g. SAML or OIDC) to become the initial enforcement point for user access. Access calls your [identity provider](/cloudflare-one/integrations/identity-providers/) (IdP) of choice and uses additional security signals about your users and devices to make policy decisions. +2. Cloudflare's [Zero Trust Network Access](/cloudflare-one/access-controls/policies/) (ZTNA) service can integrate directly with your [SaaS applications](/cloudflare-one/access-controls/applications/http-apps/saas-apps/) using standard protocols (e.g. SAML or OIDC) to become the initial enforcement point for user access. Access calls your [identity provider](/cloudflare-one/integrations/identity-providers/) (IdP) of choice and uses additional security signals about your users and devices to make policy decisions. 3. 
As an extension of what was covered in Securing data in use, Cloudflare [Remote Browser Isolation](/cloudflare-one/remote-browser-isolation/) (RBI) can also be used with [dedicated egress IPs](/cloudflare-one/traffic-policies/egress-policies/dedicated-egress-ips/), so that even remote clientless user’s traffic can arrive at the requested SaaS application from predictable and consistent IP addresses. diff --git a/src/content/docs/security-center/security-insights/index.mdx b/src/content/docs/security-center/security-insights/index.mdx index e59ec64c3dce1ba..d5e0413d96d62ca 100644 --- a/src/content/docs/security-center/security-insights/index.mdx +++ b/src/content/docs/security-center/security-insights/index.mdx 
@@ -44,7 +44,7 @@ Listed below are the specific insights currently available: | [Turn on JavaScript Detection](/bots/additional-configurations/javascript-detections/) | One or more of your Bot Management enabled zones does not have JavaScript Detection enabled, which is a critical part of our bot detection suite. | | [Unassigned Access seats](/cloudflare-one/) | We detect a Zero Trust subscription that is not configured yet. | | [Unauthenticated API endpoints detected](/api-shield/management-and-monitoring/endpoint-labels/#managed-labels) | None of the successful requests against API endpoints carried session identifiers. | -| [Unprotected Cloudflare Tunnels](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/#4-connect-your-origin-to-cloudflare) | We detect an application that is served by a Cloudflare Tunnel but not protected by a corresponding Access policy. | +| [Unprotected Cloudflare Tunnels](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/#4-connect-your-origin-to-cloudflare) | We detect an application that is served by a Cloudflare Tunnel but not protected by a corresponding Access policy. | | [Unproxied `A` Records](/dns/manage-dns-records/reference/dns-record-types/#a-and-aaaa) | This DNS record is not proxied by Cloudflare. Cloudflare can not protect this origin because it is exposed to the public Internet. | | [Unproxied `AAAA` Records](/dns/manage-dns-records/reference/dns-record-types/#a-and-aaaa) | This DNS record is not proxied by Cloudflare. Cloudflare can not protect this origin because it is exposed to the public Internet. | | [Unproxied `CNAME` Records](/dns/proxy-status/#dns-only-records) | This DNS record is not proxied by Cloudflare. Cloudflare can not protect this origin because it is exposed to the public Internet. | 
diff --git a/src/content/docs/ssl/post-quantum-cryptography/pqc-and-zero-trust.mdx b/src/content/docs/ssl/post-quantum-cryptography/pqc-and-zero-trust.mdx index 01bc7d1aac91d9d..f79fb199ce0c7c3 100644 --- a/src/content/docs/ssl/post-quantum-cryptography/pqc-and-zero-trust.mdx +++ b/src/content/docs/ssl/post-quantum-cryptography/pqc-and-zero-trust.mdx @@ -12,7 +12,7 @@ Refer to the sections below to learn about the use cases supported by the Zero T ## Agentless Cloudflare Access -You can use [Cloudflare Access](/cloudflare-one/access-controls/policies/) [self-hosted applications](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/) in an agentless configuration to protect your organization's Internet traffic to internal web applications. Refer to the [learning path](/learning-paths/clientless-access/initial-setup/) for detailed guidance. +You can use [Cloudflare Access](/cloudflare-one/access-controls/policies/) [self-hosted applications](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) in an agentless configuration to protect your organization's Internet traffic to internal web applications. Refer to the [learning path](/learning-paths/clientless-access/initial-setup/) for detailed guidance. Even if the applications themselves have not yet migrated to post-quantum (PQ) cryptography, they will be protected against quantum threats. diff --git a/src/content/docs/support/third-party-software/content-management-system-cms/improving-web-security-for-content-management-systems-like-wordpress.mdx b/src/content/docs/support/third-party-software/content-management-system-cms/improving-web-security-for-content-management-systems-like-wordpress.mdx index 03a2182218ee526..e64a9c1f64d33de 100644 --- a/src/content/docs/support/third-party-software/content-management-system-cms/improving-web-security-for-content-management-systems-like-wordpress.mdx 
+++ b/src/content/docs/support/third-party-software/content-management-system-cms/improving-web-security-for-content-management-systems-like-wordpress.mdx @@ -83,7 +83,7 @@ Now that you’ve elevated your security to protect the publicly accessible part ### Zero Trust -[Zero Trust](https://www.cloudflare.com/plans/zero-trust-services/) Web Applications is the best way to limit access to your admin panel. You can restrict access based on user instead of device, and it allows for very granular control. Setup of a Self-hosted web application is very easy, for more information refer to the [Self-hosted applications](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/) section of the Zero Trust developer documentation. +[Zero Trust](https://www.cloudflare.com/plans/zero-trust-services/) Web Applications is the best way to limit access to your admin panel. You can restrict access based on user instead of device, and it allows for very granular control. Setup of a Self-hosted web application is very easy, for more information refer to the [Self-hosted applications](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) section of the Zero Trust developer documentation. After configuring a web application, users will be required to authenticate in some way before they can access the restricted content. The default method is through email multifactor authentication: diff --git a/src/content/docs/workers/examples/basic-auth.mdx b/src/content/docs/workers/examples/basic-auth.mdx index 7fa3bd705e62a76..0632e141499a53f 100644 --- a/src/content/docs/workers/examples/basic-auth.mdx +++ b/src/content/docs/workers/examples/basic-auth.mdx 
@@ -26,7 +26,7 @@ This example Worker makes use of the [Node.js Buffer API](/workers/runtime-apis/ :::caution[Caution when using in production] -This code is provided as a sample, and is not suitable for production use. Basic Authentication sends credentials unencrypted, and must be used with an HTTPS connection to be considered secure. For a production-ready authentication system, consider using [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/). +This code is provided as a sample, and is not suitable for production use. Basic Authentication sends credentials unencrypted, and must be used with an HTTPS connection to be considered secure. For a production-ready authentication system, consider using [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/). ::: diff --git a/src/content/partials/cloudflare-one/access/block-page.mdx b/src/content/partials/cloudflare-one/access/block-page.mdx index 1f1605c83205c55..a54dd68d9b4da04 100644 --- a/src/content/partials/cloudflare-one/access/block-page.mdx +++ b/src/content/partials/cloudflare-one/access/block-page.mdx @@ -58,4 +58,4 @@ To create a custom block page for Access: 8. Once you are satisfied with your custom page, select **Save**. -You can now select this block page when you [configure an Access application](/cloudflare-one/access-controls/applications/configure-apps/). +You can now select this block page when you [configure an Access application](/cloudflare-one/access-controls/applications/http-apps/). diff --git a/src/content/partials/cloudflare-one/access/enable-isolation.mdx b/src/content/partials/cloudflare-one/access/enable-isolation.mdx index f01805a8ff45c17..ab221690e865370 100644 --- a/src/content/partials/cloudflare-one/access/enable-isolation.mdx +++ b/src/content/partials/cloudflare-one/access/enable-isolation.mdx 
@@ -7,7 +7,7 @@ import { Render } from "~/components"; 3. Go to **Access** > **Applications**. -4. Choose a [self-hosted application](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/) and select **Configure**. +4. Choose a [self-hosted application](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) and select **Configure**. 5. Go to **Policies**. 6. Choose an [Allow policy](/cloudflare-one/access-controls/policies/) and select **Configure**. 7. Under **Additional settings**, turn on **Isolate application**. diff --git a/src/content/partials/cloudflare-one/access/enable-scim-on-dashboard.mdx b/src/content/partials/cloudflare-one/access/enable-scim-on-dashboard.mdx index 07b8b0b196efdbf..566ba1f699efe41 100644 --- a/src/content/partials/cloudflare-one/access/enable-scim-on-dashboard.mdx +++ b/src/content/partials/cloudflare-one/access/enable-scim-on-dashboard.mdx 
@@ -14,15 +14,15 @@ import { Markdown } from "~/components" 4. (Optional) Configure the following settings: -* **Enable user deprovisioning**: [Revoke a user's active session](/cloudflare-one/identity/users/session-management/#per-user) when they are removed from the SCIM application in {props.idp}. This will invalidate all active Access sessions and prompt for reauthentication for any [WARP session policies](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-sessions/). -* **Remove user seat on deprovision**: [Remove a user's seat](/cloudflare-one/identity/users/seat-management/) from your Zero Trust account when they are removed from the SCIM application in {props.idp}. +* **Enable user deprovisioning**: [Revoke a user's active session](/cloudflare-one/team-and-resources/users/session-management/#per-user) when they are removed from the SCIM application in {props.idp}. This will invalidate all active Access sessions and prompt for reauthentication for any [WARP session policies](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-sessions/). +* **Remove user seat on deprovision**: [Remove a user's seat](/cloudflare-one/team-and-resources/users/seat-management/) from your Zero Trust account when they are removed from the SCIM application in {props.idp}. * **SCIM identity update behavior**: Choose what happens in Zero Trust when the user's identity updates in {props.idp}. - _Automatic identity updates_: Automatically update the [User Registry identity](/cloudflare-one/insights/logs/users/) when {props.idp} sends an updated identity or group membership through SCIM. This identity is used for Gateway policies and WARP [device profiles](/cloudflare-one/team-and-resources/devices/warp/configure-warp/device-profiles/); Access will read the user's updated identity when they reauthenticate. 
- - _Group membership change reauthentication_: [Revoke a user's active session](/cloudflare-one/identity/users/session-management/#per-user) when their group membership changes in {props.idp}. This will invalidate all active Access sessions and prompt for reauthentication for any [WARP session policies](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-sessions/). Access will read the user's updated group membership when they reauthenticate. + - _Group membership change reauthentication_: [Revoke a user's active session](/cloudflare-one/team-and-resources/users/session-management/#per-user) when their group membership changes in {props.idp}. This will invalidate all active Access sessions and prompt for reauthentication for any [WARP session policies](/cloudflare-one/team-and-resources/devices/warp/configure-warp/warp-sessions/). Access will read the user's updated group membership when they reauthenticate. - _No action_: Update the user's identity the next time they reauthenticate to Access or WARP. 5. Select **Regenerate Secret**. Copy the **SCIM Endpoint** and **SCIM Secret**. You will need to enter these values into {props.idp}. -6. Select **Save**. +6. Select **Save**. The SCIM secret never expires, but you can manually regenerate the secret at any time. diff --git a/src/content/partials/cloudflare-one/access/self-hosted-app/create-app.mdx b/src/content/partials/cloudflare-one/access/self-hosted-app/create-app.mdx index 5c57c4fb2c84f0b..2860de52f35ad3f 100644 --- a/src/content/partials/cloudflare-one/access/self-hosted-app/create-app.mdx +++ b/src/content/partials/cloudflare-one/access/self-hosted-app/create-app.mdx 
@@ -16,7 +16,7 @@ import { Render } from "~/components" 5. In **Session Duration**, choose how often the user's [application token](/cloudflare-one/identity/authorization-cookie/application-token/) should expire. - Cloudflare checks every HTTP request to your application for a valid application token. If the user's application token (and global token) has expired, they will be prompted to reauthenticate with the IdP. For more information, refer to [Session management](/cloudflare-one/identity/users/session-management/). + Cloudflare checks every HTTP request to your application for a valid application token. If the user's application token (and global token) has expired, they will be prompted to reauthenticate with the IdP. For more information, refer to [Session management](/cloudflare-one/team-and-resources/users/session-management/). { props.private && ( diff --git a/src/content/partials/cloudflare-one/access/self-hosted-app/ssh-sessions.mdx b/src/content/partials/cloudflare-one/access/self-hosted-app/ssh-sessions.mdx index ca8503c7fd89819..ac412947ed3a64f 100644 --- a/src/content/partials/cloudflare-one/access/self-hosted-app/ssh-sessions.mdx +++ b/src/content/partials/cloudflare-one/access/self-hosted-app/ssh-sessions.mdx @@ -2,4 +2,4 @@ {} --- -Cloudflare does not control the length of an active SSH, VNC, or RDP session. [Application session durations](/cloudflare-one/identity/users/session-management/) determine the window in which a user can initiate a new connection or refresh an existing one. \ No newline at end of file +Cloudflare does not control the length of an active SSH, VNC, or RDP session. [Application session durations](/cloudflare-one/team-and-resources/users/session-management/) determine the window in which a user can initiate a new connection or refresh an existing one. \ No newline at end of file 
diff --git a/src/content/partials/cloudflare-one/ssh/tunnel-public-hostname.mdx b/src/content/partials/cloudflare-one/ssh/tunnel-public-hostname.mdx index 200bb0cae25fb9f..a4028b6034c16ca 100644 --- a/src/content/partials/cloudflare-one/ssh/tunnel-public-hostname.mdx +++ b/src/content/partials/cloudflare-one/ssh/tunnel-public-hostname.mdx @@ -10,4 +10,4 @@ 4. Select **Save**. -5. (Recommended) Add a [self-hosted application](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/) to Cloudflare Access in order to manage access to your server. +5. (Recommended) Add a [self-hosted application](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) to Cloudflare Access in order to manage access to your server. diff --git a/src/content/partials/cloudflare-one/tunnel/cloud-public-hostname.mdx b/src/content/partials/cloudflare-one/tunnel/cloud-public-hostname.mdx index e7eb2263edef231..9e70a1198bb9fb7 100644 --- a/src/content/partials/cloudflare-one/tunnel/cloud-public-hostname.mdx +++ b/src/content/partials/cloudflare-one/tunnel/cloud-public-hostname.mdx @@ -10,4 +10,4 @@ 3. Select **Save**. 4. To test, open a browser and go to `http://hellocloudflare..com`. You should see the **Hello Cloudflare!** test page. -You can optionally [create an Access application](/cloudflare-one/access-controls/applications/configure-apps/self-hosted-public-app/) to control who can access the service. +You can optionally [create an Access application](/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/) to control who can access the service. diff --git a/src/content/partials/cloudflare-one/warp/manually-reauth.mdx b/src/content/partials/cloudflare-one/warp/manually-reauth.mdx index bf2d98997998228..2b1c2100fdcd93a 100644 --- a/src/content/partials/cloudflare-one/warp/manually-reauth.mdx +++ b/src/content/partials/cloudflare-one/warp/manually-reauth.mdx 
@@ -6,4 +6,4 @@ To manually refresh your Cloudflare Access session and update your group informa `https://.cloudflareaccess.com/cdn-cgi/access/refresh-identity` -Reauthenticating resets your [session duration](/cloudflare-one/identity/users/session-management/) and fetches the latest group information from the organization's IdP. \ No newline at end of file +Reauthenticating resets your [session duration](/cloudflare-one/team-and-resources/users/session-management/) and fetches the latest group information from the organization's IdP. \ No newline at end of file diff --git a/src/content/partials/fundamentals/account-permissions-table.mdx b/src/content/partials/fundamentals/account-permissions-table.mdx index 7035aca54e4ef26..9c8fce1fdc78213 100644 --- a/src/content/partials/fundamentals/account-permissions-table.mdx +++ b/src/content/partials/fundamentals/account-permissions-table.mdx 
@@ -9,7 +9,7 @@ import { Markdown } from "~/components"; | Name | Description | | ---------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------- | | Access: Apps and Policies Read | Grants read access to [Cloudflare Access](/cloudflare-one/access-controls/policies/) applications and policies | -| Access: Apps and Policies Revoke | Grants ability to revoke [Cloudflare Access application tokens](/cloudflare-one/identity/users/session-management/) | +| Access: Apps and Policies Revoke | Grants ability to revoke [Cloudflare Access application tokens](/cloudflare-one/team-and-resources/users/session-management/) | | Access: Apps and Policies {props.editWord} | Grants write access to [Cloudflare Access](/cloudflare-one/access-controls/policies/) applications and policies | | Access: Audit Logs Read | Grants read access to [Cloudflare Access audit logs](/cloudflare-one/insights/logs/audit-logs/). | | Access: Custom Pages Read | Grants read access to [Cloudflare Access custom block pages](/cloudflare-one/applications/block-page/). | @@ -151,4 +151,4 @@ import { Markdown } from "~/components"; | Zero Trust Report | Grants reporting access to [Cloudflare Zero Trust](/cloudflare-one/). | | Zero Trust {props.editWord} | Grants write access to [Cloudflare Zero Trust](/cloudflare-one/) resources. | | Zero Trust: PII Read | Grants read access to [Cloudflare Zero Trust](/cloudflare-one/) PII. | -| Zero Trust: Seats {props.editWord} | Grants write access to the number of [Zero Trust seats](/cloudflare-one/identity/users/seat-management/) your organization can use (and be billed for). | +| Zero Trust: Seats {props.editWord} | Grants write access to the number of [Zero Trust seats](/cloudflare-one/team-and-resources/users/seat-management/) your organization can use (and be billed for). |
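Review bot: In `reference-architecture/design-guides/network-vpn-migration.mdx`, the rewritten line still reads "additional advanced options such cookie settings", which is missing "as". Since the line is already being changed for the link, fix it to "such as cookie settings" in the same edit.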
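Review bot: In `security-center/security-insights/index.mdx`, the Unprotected Cloudflare Tunnels row carries the fragment `#4-connect-your-origin-to-cloudflare` over to the new `http-apps/self-hosted-public-app/` path unchanged. The fragment comes from a numbered step heading, so it stops matching if the steps on the target page were renumbered or retitled during the move. Please confirm the heading still exists, because a stale fragment drops the reader at the top of the page instead of at the remediation step for this insight.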
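Review bot: In `workers/examples/basic-auth.mdx`, the Cloudflare Access link inside the caution block is an absolute `https://developers.cloudflare.com/...` URL, while every other link updated in this patch is root-relative. Absolute URLs are easy to miss in a path migration like this one. Suggest switching it to `/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/` so it is handled the same way as the rest.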
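Review bot: In `partials/cloudflare-one/access/block-page.mdx`, the removed line shows that `/cloudflare-one/access-controls/applications/configure-apps/` was itself a published path before this rename to `http-apps/`. Please confirm a redirect covers `/cloudflare-one/access-controls/applications/configure-apps/*`, not only the older `/cloudflare-one/applications/configure-apps/*` prefix, so bookmarks and external links to the previous location keep resolving.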
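Review bot: In `partials/cloudflare-one/access/enable-scim-on-dashboard.mdx`, both session-management links keep the `#per-user` fragment on the new `team-and-resources/users/session-management/` path. These two links are what explain the session revocation behaviour of **Enable user deprovisioning** and _Group membership change reauthentication_, so please verify the fragment still resolves on the moved page. Separately, the `6. Select **Save**.` pair looks like a whitespace-only change; if it is an editor artifact rather than an intended trailing-whitespace cleanup, drop it from this patch.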
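Review bot: In `partials/cloudflare-one/access/self-hosted-app/create-app.mdx`, the unchanged step 5 line still links to `/cloudflare-one/identity/authorization-cookie/application-token/` while the session-management link two lines below moves out of `/cloudflare-one/identity/`. The same applies to the `/cloudflare-one/identity/authorization-cookie/validating-json/` link in the `zero-trust-for-startups.mdx` hunk. If the authorization-cookie pages are also relocating in this nav revamp, update them here; if they are staying, a sentence in the PR description saying so would save the next reviewer the check.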
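Review bot: In `partials/cloudflare-one/warp/manually-reauth.mdx` (and likewise `self-hosted-app/ssh-sessions.mdx`), the replaced last line keeps the `\ No newline at end of file` marker. Since the final line of each file is being rewritten anyway, add the trailing newline so later edits to these partials do not show a spurious change on that line.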
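Review bot: In `partials/fundamentals/account-permissions-table.mdx`, the context row for `Access: Custom Pages Read` still links to `/cloudflare-one/applications/block-page/`, an older prefix than the `access-controls/applications/` paths used elsewhere in this patch. The first hunk already touches the adjacent rows, so please check whether that link resolves through a redirect or should be updated to its current location here.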