diff --git a/public/__redirects b/public/__redirects
index 63af00027f97007..7723558689509ec 100644
--- a/public/__redirects
+++ b/public/__redirects
@@ -2264,6 +2264,7 @@
 
 # Cloudflare One nav revamp (statics)
 /cloudflare-one/access-controls/applications/http-apps/mcp-servers/mcp-portals/ /cloudflare-one/access-controls/ai-controls/mcp-portals/ 301
+/cloudflare-one/api-terraform/access-with-terraform/ /learning-paths/clientless-access/terraform/publish-apps-with-terraform/ 301
 /cloudflare-one/applications/ /cloudflare-one/access-controls/applications/http-apps/ 301
 /cloudflare-one/applications/app-launcher/ /cloudflare-one/access-controls/access-settings/app-launcher/ 301
 /cloudflare-one/applications/app-library/ /cloudflare-one/team-and-resources/app-library/ 301
@@ -2407,6 +2408,7 @@
 /cloudflare-one/policies/browser-isolation/* /cloudflare-one/remote-browser-isolation/:splat 301
 /cloudflare-one/policies/data-loss-prevention/* /cloudflare-one/data-loss-prevention/:splat 301
 /cloudflare-one/policies/gateway/* /cloudflare-one/traffic-policies/:splat 301
+/cloudflare-one/api-terraform/access-api-examples/* /api/resources/zero_trust/subresources/access/subresources/policies/ 301
 
 # Email Security new revamp (dynamics)
 /cloudflare-one/email-security/detection-settings/detection-settings/* /cloudflare-one/email-security/settings/detection-settings/:splat 301
diff --git a/src/content/docs/cloudflare-one/api-terraform.mdx b/src/content/docs/cloudflare-one/api-terraform.mdx
new file mode 100644
index 000000000000000..db33645c3bba3aa
--- /dev/null
+++ b/src/content/docs/cloudflare-one/api-terraform.mdx
@@ -0,0 +1,32 @@
+---
+pcx_content_type: concept
+title: API and Terraform
+sidebar:
+  order: 15
+---
+
+
+You can manage your Cloudflare Zero Trust configuration using the API or Terraform. For more information, refer to the following links:
+
+- [API reference](/api/)
+- [Terraform provider reference](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs)
+- [Terraform how-to documentation](/terraform/)
+
+Detailed API and Terraform examples for Cloudflare Zero Trust are available in our [implementation guides](/cloudflare-one/implementation-guides/) and throughout the Cloudflare Zero Trust documentation.
+
+## Set dashboard to read-only
+
+Super Administrators can lock all settings as read-only in the Cloudflare One dashboard. Read-only mode ensures that all updates for the account are made through the API or Terraform.
+
+To enable read-only mode:
+
+1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Settings** > **Admin controls**.
+2. Enable **Set dashboard to read-only**.
+
+All users, regardless of [user permissions](/cloudflare-one/roles-permissions/), will be prevented from making configuration changes through the UI.
+
+## Scoped API tokens
+
+The administrators managing policies and groups in Cloudflare Zero Trust might be different from those responsible for configuring WAF custom rules or other Cloudflare settings. You can configure scoped API tokens so that team members and automated systems can manage Cloudflare Zero Trust settings without having permission to modify other configurations in Cloudflare.
+
+You can create a scoped API token [via the dashboard](/fundamentals/api/get-started/create-token/) or [via the API](/fundamentals/api/how-to/create-via-api/). For a list of available token permissions, refer to [API token permissions](/fundamentals/api/reference/permissions/).
diff --git a/src/content/docs/cloudflare-one/api-terraform/access-api-examples/access-group.mdx b/src/content/docs/cloudflare-one/api-terraform/access-api-examples/access-group.mdx
deleted file mode 100644
index a4403867650f562..000000000000000
--- a/src/content/docs/cloudflare-one/api-terraform/access-api-examples/access-group.mdx
+++ /dev/null
@@ -1,17 +0,0 @@
----
-
-summary: Use a pre-existing rule group.
-title: Rule group
-pcx_content_type: example
-sidebar:
-  order: 4
-description: Use a pre-existing rule group.
----
-
-```json
-{
-	"group": {
-		"id": "aa0a4aab-672b-4bdb-bc33-a59f1130a11f"
-	}
-}
-```
diff --git a/src/content/docs/cloudflare-one/api-terraform/access-api-examples/any-service-token.mdx b/src/content/docs/cloudflare-one/api-terraform/access-api-examples/any-service-token.mdx
deleted file mode 100644
index 745ad9972fca182..000000000000000
--- a/src/content/docs/cloudflare-one/api-terraform/access-api-examples/any-service-token.mdx
+++ /dev/null
@@ -1,19 +0,0 @@
----
-
-summary: The request will need to present the headers for any service token
-  created for this account.
-title: Any valid service token
-pcx_content_type: example
-sidebar:
-  order: 4
-description: The request will need to present the headers for any service token
-  created for this account.
----
-
-The request will need to present the headers for any service token created for this account
-
-```json
-{
-	"any_valid_service_token": {}
-}
-```
diff --git a/src/content/docs/cloudflare-one/api-terraform/access-api-examples/authentication-method.mdx b/src/content/docs/cloudflare-one/api-terraform/access-api-examples/authentication-method.mdx
deleted file mode 100644
index c41c253917b5887..000000000000000
--- a/src/content/docs/cloudflare-one/api-terraform/access-api-examples/authentication-method.mdx
+++ /dev/null
@@ -1,17 +0,0 @@
----
-
-summary: Allow access based on the "amr" identifier.
-title: Authentication method
-pcx_content_type: example
-sidebar:
-  order: 4
-description: Allow access based on the "amr" identifier.
----
-
-```json
-{
-	"auth_method": {
-		"auth_method": "hwk"
-	}
-}
-```
diff --git a/src/content/docs/cloudflare-one/api-terraform/access-api-examples/common-name.mdx b/src/content/docs/cloudflare-one/api-terraform/access-api-examples/common-name.mdx
deleted file mode 100644
index 0dfc1b85d79c8f0..000000000000000
--- a/src/content/docs/cloudflare-one/api-terraform/access-api-examples/common-name.mdx
+++ /dev/null
@@ -1,19 +0,0 @@
----
-
-summary: The request will need to present a valid certificate with an expected
-  common name.
-title: Common name
-pcx_content_type: example
-sidebar:
-  order: 4
-description: The request will need to present a valid certificate with an
-  expected common name.
----
-
-```json
-{
-	"common_name": {
-		"common_name": "james@example.com"
-	}
-}
-```
diff --git a/src/content/docs/cloudflare-one/api-terraform/access-api-examples/country-code.mdx b/src/content/docs/cloudflare-one/api-terraform/access-api-examples/country-code.mdx
deleted file mode 100644
index 3e021ea3b0d8922..000000000000000
--- a/src/content/docs/cloudflare-one/api-terraform/access-api-examples/country-code.mdx
+++ /dev/null
@@ -1,17 +0,0 @@
----
-
-summary: Allow a specific country.
-title: Country Code
-pcx_content_type: example
-sidebar:
-  order: 4
-description: Allow a specific country.
----
-
-```json
-{
-	"geo": {
-		"country_code": "US"
-	}
-}
-```
diff --git a/src/content/docs/cloudflare-one/api-terraform/access-api-examples/email-domain.mdx b/src/content/docs/cloudflare-one/api-terraform/access-api-examples/email-domain.mdx
deleted file mode 100644
index 0bb899838f09a18..000000000000000
--- a/src/content/docs/cloudflare-one/api-terraform/access-api-examples/email-domain.mdx
+++ /dev/null
@@ -1,17 +0,0 @@
----
-
-summary: Allow an entire email domain.
-title: Email domain
-pcx_content_type: example
-sidebar:
-  order: 4
-description: Allow an entire email domain.
----
-
-```json
-{
-	"email_domain": {
-		"domain": "cloudflare.com"
-	}
-}
-```
diff --git a/src/content/docs/cloudflare-one/api-terraform/access-api-examples/email.mdx b/src/content/docs/cloudflare-one/api-terraform/access-api-examples/email.mdx
deleted file mode 100644
index 1e69990edb885aa..000000000000000
--- a/src/content/docs/cloudflare-one/api-terraform/access-api-examples/email.mdx
+++ /dev/null
@@ -1,17 +0,0 @@
----
-
-summary: Allow a specific email address.
-title: Email
-pcx_content_type: example
-sidebar:
-  order: 4
-description: Allow a specific email address.
----
-
-```json
-{
-	"email": {
-		"email": "james@example.com"
-	}
-}
-```
diff --git a/src/content/docs/cloudflare-one/api-terraform/access-api-examples/entra-group.mdx b/src/content/docs/cloudflare-one/api-terraform/access-api-examples/entra-group.mdx
deleted file mode 100644
index c43686f03393458..000000000000000
--- a/src/content/docs/cloudflare-one/api-terraform/access-api-examples/entra-group.mdx
+++ /dev/null
@@ -1,20 +0,0 @@
----
-
-summary: Allow members of a Microsoft Entra group. The ID is the group UUID (`id`) in Microsoft Entra ID.
-title: Microsoft Entra Group
-pcx_content_type: example
-sidebar:
-  order: 4
-description: Allow members of a Microsoft Entra group. The ID is the group UUID (`id`) in Microsoft Entra ID.
----
-
-Allow members of a Microsoft Entra group. The ID is the group UUID (`id`) in Microsoft Entra ID:
-
-```json
-{
-	"azureAD": {
-		"id": "86773093-5feb-48dd-814b-7ccd3676ff50",
-		"identity_provider_id": "ca298b82-93b5-41bf-bc2d-10493f09b761"
-	}
-}
-```
diff --git a/src/content/docs/cloudflare-one/api-terraform/access-api-examples/everyone.mdx b/src/content/docs/cloudflare-one/api-terraform/access-api-examples/everyone.mdx
deleted file mode 100644
index 802592919516183..000000000000000
--- a/src/content/docs/cloudflare-one/api-terraform/access-api-examples/everyone.mdx
+++ /dev/null
@@ -1,15 +0,0 @@
----
-
-summary: Allow anyone to log in.
-title: Everyone
-pcx_content_type: example
-sidebar:
-  order: 4
-description: Allow anyone to log in.
----
-
-```json
-{
-	"everyone": {}
-}
-```
diff --git a/src/content/docs/cloudflare-one/api-terraform/access-api-examples/github-org.mdx b/src/content/docs/cloudflare-one/api-terraform/access-api-examples/github-org.mdx
deleted file mode 100644
index 058087e9e304e4c..000000000000000
--- a/src/content/docs/cloudflare-one/api-terraform/access-api-examples/github-org.mdx
+++ /dev/null
@@ -1,18 +0,0 @@
----
-
-summary: Allow members of a specific GitHub organization.
-title: GitHub™ Organization
-pcx_content_type: example
-sidebar:
-  order: 4
-description: Allow members of a specific GitHub organization.
----
-
-```json
-{
-	"github-organization": {
-		"name": "cloudflare",
-		"identity_provider_id": "ca298b82-93b5-41bf-bc2d-10493f09b761"
-	}
-}
-```
diff --git a/src/content/docs/cloudflare-one/api-terraform/access-api-examples/gsuite-group.mdx b/src/content/docs/cloudflare-one/api-terraform/access-api-examples/gsuite-group.mdx
deleted file mode 100644
index 37f6f5d90284287..000000000000000
--- a/src/content/docs/cloudflare-one/api-terraform/access-api-examples/gsuite-group.mdx
+++ /dev/null
@@ -1,18 +0,0 @@
----
-
-summary: Allow members of a specific G Suite group.
-title: G Suite Group
-pcx_content_type: example
-sidebar:
-  order: 4
-description: Allow members of a specific G Suite group.
----
-
-```json
-{
-	"gsuite": {
-		"email": "admins@mycompanygsuite.com",
-		"identity_provider_id": "ca298b82-93b5-41bf-bc2d-10493f09b761"
-	}
-}
-```
diff --git a/src/content/docs/cloudflare-one/api-terraform/access-api-examples/index.mdx b/src/content/docs/cloudflare-one/api-terraform/access-api-examples/index.mdx
deleted file mode 100644
index 429e5f89c5ab06c..000000000000000
--- a/src/content/docs/cloudflare-one/api-terraform/access-api-examples/index.mdx
+++ /dev/null
@@ -1,39 +0,0 @@
----
-pcx_content_type: example
-title: Access API examples
-sidebar:
-  order: 1
----
-
-import { ResourcesBySelector } from "~/components";
-
-You can use the Cloudflare Access API to create policies, including individual rule blocks inside of group or policy bodies. For example, this policy allows all Cloudflare email account users to reach the application with the exception of one account:
-
-```json
-{
-	"name": "allow cloudflare employees",
-	"decision": "allow",
-	"include": [
-		{
-			"email_domain": {
-				"domain": "cloudflare.com"
-			}
-		}
-	],
-	"exclude": [
-		{
-			"email": {
-				"email": "notthisperson@cloudflare.com"
-			}
-		}
-	],
-	"require": []
-}
-```
-
-## Example rule configurations
-
-<ResourcesBySelector
-	directory="cloudflare-one/api-terraform/access-api-examples"
-	types={["example"]}
-/>
diff --git a/src/content/docs/cloudflare-one/api-terraform/access-api-examples/ip-range.mdx b/src/content/docs/cloudflare-one/api-terraform/access-api-examples/ip-range.mdx
deleted file mode 100644
index 24bbf41c44edfc2..000000000000000
--- a/src/content/docs/cloudflare-one/api-terraform/access-api-examples/ip-range.mdx
+++ /dev/null
@@ -1,17 +0,0 @@
----
-
-summary: Allow an IP range.
-title: IP range
-pcx_content_type: example
-sidebar:
-  order: 4
-description: Allow an IP range.
----
-
-```json
-{
-	"ip": {
-		"ip": "127.0.0.1/32"
-	}
-}
-```
diff --git a/src/content/docs/cloudflare-one/api-terraform/access-api-examples/mtls-certificate.mdx b/src/content/docs/cloudflare-one/api-terraform/access-api-examples/mtls-certificate.mdx
deleted file mode 100644
index c9b3c84b3bdeb26..000000000000000
--- a/src/content/docs/cloudflare-one/api-terraform/access-api-examples/mtls-certificate.mdx
+++ /dev/null
@@ -1,15 +0,0 @@
----
-
-summary: The request will need to present a valid certificate.
-title: mTLS certificate
-pcx_content_type: example
-sidebar:
-  order: 4
-description: The request will need to present a valid certificate.
----
-
-```json
-{
-	"certificate": {}
-}
-```
diff --git a/src/content/docs/cloudflare-one/api-terraform/access-api-examples/okta-group.mdx b/src/content/docs/cloudflare-one/api-terraform/access-api-examples/okta-group.mdx
deleted file mode 100644
index 0f12ba08b932d2d..000000000000000
--- a/src/content/docs/cloudflare-one/api-terraform/access-api-examples/okta-group.mdx
+++ /dev/null
@@ -1,18 +0,0 @@
----
-
-summary: Allow members of an Okta Group.
-title: Okta Group
-pcx_content_type: example
-sidebar:
-  order: 4
-description: Allow members of an Okta Group.
----
-
-```json
-{
-	"okta": {
-		"name": "admins",
-		"identity_provider_id": "ca298b82-93b5-41bf-bc2d-10493f09b761"
-	}
-}
-```
diff --git a/src/content/docs/cloudflare-one/api-terraform/access-api-examples/saml-attribute.mdx b/src/content/docs/cloudflare-one/api-terraform/access-api-examples/saml-attribute.mdx
deleted file mode 100644
index fbfbc6459b13ff4..000000000000000
--- a/src/content/docs/cloudflare-one/api-terraform/access-api-examples/saml-attribute.mdx
+++ /dev/null
@@ -1,19 +0,0 @@
----
-
-summary: Allow users with specific SAML attributes.
-title: SAML Attribute
-pcx_content_type: example
-sidebar:
-  order: 4
-description: Allow users with specific SAML attributes.
----
-
-```json
-{
-	"saml": {
-		"attribute_name": "group",
-		"attribute_value": "admins",
-		"identity_provider_id": "ca298b82-93b5-41bf-bc2d-10493f09b761"
-	}
-}
-```
diff --git a/src/content/docs/cloudflare-one/api-terraform/access-api-examples/service-token.mdx b/src/content/docs/cloudflare-one/api-terraform/access-api-examples/service-token.mdx
deleted file mode 100644
index 03c982de3a6a0ba..000000000000000
--- a/src/content/docs/cloudflare-one/api-terraform/access-api-examples/service-token.mdx
+++ /dev/null
@@ -1,17 +0,0 @@
----
-
-summary: The request will need to present the correct service token headers.
-title: Service token
-pcx_content_type: example
-sidebar:
-  order: 4
-description: The request will need to present the correct service token headers.
----
-
-```json
-{
-	"service_token": {
-		"token_id": "e9808c3a-705c-4afc-a507-6e4b083ff399"
-	}
-}
-```
diff --git a/src/content/docs/cloudflare-one/api-terraform/access-with-terraform.mdx b/src/content/docs/cloudflare-one/api-terraform/access-with-terraform.mdx
deleted file mode 100644
index efd0652917016ee..000000000000000
--- a/src/content/docs/cloudflare-one/api-terraform/access-with-terraform.mdx
+++ /dev/null
@@ -1,204 +0,0 @@
----
-pcx_content_type: how-to
-title: Terraform
-sidebar:
-  order: 4
-head:
-  - tag: title
-    content: Access policies with Terraform
----
-
-| Requirements                                                                                                                             |
-| ---------------------------------------------------------------------------------------------------------------------------------------- |
-| [Terraform](https://developer.hashicorp.com/terraform/tutorials/certification-associate-tutorials/install-cli) installed on your machine |
-| The [Cloudflare provider](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs) properly configured                 |
-
-[Terraform](https://developer.hashicorp.com/terraform/tutorials/certification-associate-tutorials/install-cli) is a tool for building, changing, and versioning infrastructure, and provides components and documentation for building [Cloudflare resources](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs). Listed below are examples to help you get started with building Access with Terraform. For a more generalized guide on configuring Cloudflare and Terraform, visit our [Getting Started with Terraform and Cloudflare](https://blog.cloudflare.com/getting-started-with-terraform-and-cloudflare-part-1/) blog post.
-
-## Create an application with Terraform
-
-1. Create an application.
-
-   Here is an example configuration:
-
-   ```tf
-   variable "domain" {
-     default = "example.com"
-   }
-
-   variable "zone_id" {
-     default = <CLOUDFLARE_ZONE_ID>
-   }
-
-   resource "cloudflare_access_application" "cf_app" {
-     zone_id          = var.zone_id
-     name             = "My Example App"
-     domain           = var.domain
-     session_duration = "24h"
-   }
-   ```
-
-2. Next, we need to export our environment variables and secrets:
-
-   ```sh
-   export CLOUDFLARE_EMAIL=<CLOUDFLARE_EMAIL>
-   export CLOUDFLARE_API_KEY=<CLOUDFLARE_API_KEY>
-   ```
-
-3. Now we can run a `terraform plan` which will output any proposed changes. Make sure to review the plan carefully:
-
-   ```sh
-   terraform plan
-   ```
-
-   ```sh output
-   Refreshing Terraform state in-memory prior to plan...
-   The refreshed state will be used to calculate this plan, but will not be
-   persisted to local or remote state storage.
-
-   ------------------------------------------------------------------------
-
-   An execution plan has been generated and is shown below.
-   Resource actions are indicated with the following symbols:
-   	+ create
-
-   Terraform will perform the following actions:
-
-   	# cloudflare_access_application.cf_app will be created
-   	+ resource "cloudflare_access_application" "cf_app" {
-   			+ aud              = (known after apply)
-   			+ domain           = "example.com"
-   			+ id               = (known after apply)
-   			+ name             = "My Example App"
-   			+ session_duration = "24h"
-   			+ zone_id          = "1ce82492016e71df631bf4af9c02587f"
-   		}
-
-   Plan: 1 to add, 0 to change, 0 to destroy.
-
-   ------------------------------------------------------------------------
-
-   Note: You didn't specify an "-out" parameter to save this plan, so Terraform
-   can't guarantee that exactly these actions will be performed if
-   "terraform apply" is subsequently run.
-   ```
-
-4. Apply these changes using the `apply` command, once they look accurate and you're comfortable moving forward:
-
-   ```sh
-   terraform apply --auto-approve
-   ```
-
-   ```sh output
-   cloudflare_access_application.cf_app: Creating...
-   cloudflare_access_application.cf_app: Creation complete after 2s [id=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx]
-
-   Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
-   ```
-
-## Create a policy
-
-After you've created an application, you can start creating policies and attaching them to applications:
-
-```tf
-   resource "cloudflare_access_policy" "cf_policy" {
-     application_id = cloudflare_access_application.cf_app.id
-     zone_id        = var.zone_id
-     name           = "Example Policy"
-     precedence     = "1"
-     decision       = "allow"
-
-     include {
-       email = ["test@example.com"]
-     }
-   }
-```
-
-To do so:
-
-1. Run a `terraform plan`:
-
-   ```sh
-   terraform plan
-   ```
-
-   ```sh output
-
-   Refreshing Terraform state in-memory prior to plan...
-   The refreshed state will be used to calculate this plan, but will not be
-   persisted to local or remote state storage.
-
-   cloudflare_access_application.cf_app: Refreshing state... [id=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx]
-
-   ------------------------------------------------------------------------
-
-   An execution plan has been generated and is shown below.
-   Resource actions are indicated with the following symbols:
-    + create
-
-   Terraform will perform the following actions:
-
-    # cloudflare_access_policy.cf_policy will be created
-    + resource "cloudflare_access_policy" "cf_policy" {
-        + application_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
-        + decision       = "allow"
-        + id             = (known after apply)
-        + name           = "My Example Policy"
-        + precedence     = 1
-        + zone_id        = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
-
-        + include {
-            + email = [
-                + "test@example.com",
-              ]
-          }
-      }
-
-   Plan: 1 to add, 0 to change, 0 to destroy.
-
-   ------------------------------------------------------------------------
-
-   Note: You didn't specify an "-out" parameter to save this plan, so Terraform
-   can't guarantee that exactly these actions will be performed if
-   "terraform apply" is subsequently run.
-   ```
-
-2. Next, apply these changes using the `apply` command, once they look accurate and you're comfortable moving forward:
-
-   ```sh
-   terraform apply --auto-approve
-   ```
-
-### Configuring an identity provider
-
-The example below shows how you can configure an identity provider and attach it to a policy:
-
-```tf
-resource "cloudflare_access_identity_provider" "github_oauth" {
-  account_id = <CLOUDFLARE_ACCOUNT_ID>
-  name       = "GitHub OAuth"
-  type       = "github"
-  config {
-    client_id     = <GITHUB_CLIENT_ID>
-    client_secret = <GITHUB_CLIENT_SECRET>
-  }
-}
-
-resource "cloudflare_access_policy" "cf_policy" {
-  application_id = cloudflare_access_application.cf_app.id
-  zone_id        = var.zone_id
-  name           = "My Example Policy"
-  precedence     = "1"
-  decision       = "allow"
-
-  include {
-    email = ["test@example.com"]
-    github {
-      name                 = "My GitHub Org"
-      identity_provider_id = cloudflare_access_identity_provider.github_oauth.id
-    }
-  }
-}
-```
-
-These are the basics to get up and running with Access and Terraform. Refer to our [API documentation](/api/) for other endpoints that can be managed via Terraform.
diff --git a/src/content/docs/cloudflare-one/api-terraform/index.mdx b/src/content/docs/cloudflare-one/api-terraform/index.mdx
deleted file mode 100644
index a396e8262c53406..000000000000000
--- a/src/content/docs/cloudflare-one/api-terraform/index.mdx
+++ /dev/null
@@ -1,29 +0,0 @@
----
-pcx_content_type: navigation
-title: API and Terraform
-sidebar:
-  order: 15
----
-
-import { DirectoryListing, Render } from "~/components";
-
-This section covers a few common use cases with the API and Terraform to manage Cloudflare One. For more information, refer to our [API documentation](/api/) and [Terraform reference guide](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs).
-
-<DirectoryListing />
-
-## Set dashboard to read-only
-
-Super Administrators can lock all settings as read-only in Cloudflare One. Read-only mode ensures that all updates for the account are made through the API or Terraform.
-
-To enable read-only mode:
-
-1. In [Cloudflare One](https://one.dash.cloudflare.com/), go to **Settings** > **Admin controls**.
-2. Enable **Set dashboard to read-only**.
-
-All users, regardless of [user permissions](/cloudflare-one/roles-permissions/), will be prevented from making configuration changes through the UI.
-
-## Scoped API tokens
-
-The administrators managing policies and groups in Cloudflare One might be different from those responsible for configuring WAF custom rules or other Cloudflare settings. You can configure scoped API tokens so that team members and automated systems can manage Cloudflare One settings without having permission to modify other configurations in Cloudflare.
-
-You can create a scoped API token [via the dashboard](/fundamentals/api/get-started/create-token/) or [via the API](/fundamentals/api/how-to/create-via-api/). For a list of available token permissions, refer to [API token permissions](/fundamentals/api/reference/permissions/).
diff --git a/src/content/docs/cloudflare-one/reference-architecture.mdx b/src/content/docs/cloudflare-one/reference-architecture.mdx
index 1d9f0658143d8ff..41179ea9a3cd9e8 100644
--- a/src/content/docs/cloudflare-one/reference-architecture.mdx
+++ b/src/content/docs/cloudflare-one/reference-architecture.mdx
@@ -3,6 +3,6 @@ pcx_content_type: navigation
 title: Reference architecture
 external_link: /reference-architecture/architectures/sase/
 sidebar:
-  order: 12
+  order: 13
 
 ---
diff --git a/src/content/docs/cloudflare-one/remote-browser-isolation/index.mdx b/src/content/docs/cloudflare-one/remote-browser-isolation/index.mdx
index 00480d707409496..35e76bcfff30f79 100644
--- a/src/content/docs/cloudflare-one/remote-browser-isolation/index.mdx
+++ b/src/content/docs/cloudflare-one/remote-browser-isolation/index.mdx
@@ -2,7 +2,7 @@
 pcx_content_type: concept
 title: Remote browser isolation
 sidebar:
-  order: 13
+  order: 12
 ---
 
 import { Render } from "~/components";
diff --git a/src/content/docs/cloudflare-one/tutorials/index.mdx b/src/content/docs/cloudflare-one/tutorials/index.mdx
index 3d7ded06fe5d6ad..db6dfa452552bce 100644
--- a/src/content/docs/cloudflare-one/tutorials/index.mdx
+++ b/src/content/docs/cloudflare-one/tutorials/index.mdx
@@ -6,7 +6,7 @@ title: Tutorials
 column_text: Category
 column_param: category
 sidebar:
-  order: 12
+  order: 13
 head: []
 tableOfContents: false
 description: View tutorials for Cloudflare Zero Trust.
diff --git a/src/content/docs/reference-architecture/design-guides/zero-trust-for-startups.mdx b/src/content/docs/reference-architecture/design-guides/zero-trust-for-startups.mdx
index 93813333377509a..09a1dc3628da920 100644
--- a/src/content/docs/reference-architecture/design-guides/zero-trust-for-startups.mdx
+++ b/src/content/docs/reference-architecture/design-guides/zero-trust-for-startups.mdx
@@ -416,7 +416,7 @@ As you continue to evaluate vendor partners for Zero Trust or general security i
 
 Cloudflare is very passionate about Zero Trust security in the context of DevSecOps. We build API-first as a primary ethos for all our products, and make all relevant API endpoints available to customers on the first day of feature availability, along with our extensive [documentation](https://developers.cloudflare.com/api/).
 
-Separately, many of our customers manage their Cloudflare Zero Trust deployment without ever touching our dashboard; instead, they use Terraform or similar tools for their entire management plane. If this is the case for you, we have a comprehensive and complete [Terraform](/cloudflare-one/api-terraform/access-with-terraform/) provider to enable you to accomplish Zero Trust as Code.
+Separately, many of our customers manage their Cloudflare Zero Trust deployment without ever touching our dashboard; instead, they use Terraform or similar tools for their entire management plane. If this is the case for you, we have a comprehensive and complete [Terraform provider](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs) to enable you to accomplish Zero Trust as Code.
 
 ## Summary