aiven · staceysalamon-aiven · Dec 11, 2024 · Dec 19, 2024 · Dec 19, 2024
diff --git a/docs/platform/concepts/application-users.md b/docs/platform/concepts/application-users.md
@@ -38,6 +38,15 @@ the description field for each user to clearly indicate what it's used for.
 This helps you manage the lifecycle of the users and ensure the access permissions are
 correct for each use case.
 
+### Restrict access to trusted networks
+
+Specify allowed IP address ranges for each token. This prevents tokens from being used
+outside of your trusted networks, reducing the risk of breaches. You can also specify
+these ranges in your organization's
+[authentication policy](/docs/platform/howto/set-authentication-policies), limiting
+all access to the Aiven Platform to these IP addresses, including
+through application tokens.
+
 ### Keep tokens secure and rotate them regularly
 
 Make sure tokens are securely stored and only accessible by people who need them. Tokens

@@ -7,11 +7,11 @@ There are 3 types of tokens used to access the Aiven platform: session tokens, p
 Session tokens are created when you log in or make an API call. These tokens are revoked
 when you log out of the Aiven Console or the CLI.
 
-You can create personal tokens to access resources instead of using your password.
+You can [create personal tokens](/docs/platform/howto/create_authentication_token) to access resources instead of using your password.
 Application tokens are linked to
 [application users](/docs/platform/concepts/application-users). Application users and
 tokens are a more secure option for non-human users like external applications. You can
-create multiple personal or application tokens for different use cases or applications.
+create multiple personal or application tokens for different use cases.
 
 
 ## Token limits
@@ -26,10 +26,13 @@ This is especially useful for automation that creates tokens.
 
 ## Token security
 
-To keep your personal tokens secure:
+To keep your personal and application tokens secure:
 
 - Set a session duration to limit the impact of exposure
 - Refrain from letting users share tokens
 - Rotation your tokens regularly
+- Restrict usage from trusted networks by specifying an allowed IP address range
 - Use application users for non-human users and follow
   [security best practices](/docs/platform/concepts/application-users) for their tokens
+- Control access to your organzation's resources with the
+  [authentication policy](/docs/platform/howto/set-authentication-policies)
@@ -4,7 +4,7 @@ title: Set authentication policies for organization users
 
 import ConsoleLabel from "@site/src/components/ConsoleIcons"
 
-The authentication policy for your organization specifies the ways that users in your organization and their personal tokens can access the organization on the Aiven platform.
+The authentication policy for your organization specifies the ways that users in your organization can access the organization on the Aiven Platform.
 
 ## Authentication types
 
@@ -20,7 +20,7 @@ two-factor authentication (2FA) for password logins for all users in
 your organization.
 
 When 2FA is required, users can't access any resources in your organization until they
-set up 2FA. This only applies to logins using email and password. The Aiven platform
+set up 2FA. This only applies to logins using email and password. The Aiven Platform
 cannot enforce 2FA for logins through third-party providers, including identity providers.
 
 :::note
@@ -54,7 +54,7 @@ personal tokens. Non-managed users can still create personal tokens, but they ca
 them to access the organization's resources.
 
 To regularly manage your resources programmatically with the Aiven API, CLI,
-Terraform Provider, or other applications, it's best to create an
+Terraform Provider, or other tools, it's best to create an
 [application user](/docs/platform/howto/manage-application-users) with its own tokens.
 
 Personal tokens are generated with the authentication method that the user logged in with.
@@ -72,6 +72,13 @@ provider, then the token generated when the user was logged in with their passwo
 not work. After logging in with an allowed method on the new authentication policy
 the user can create a token.
 
+### Access from allowed IP addresses
+
+You can restrict users to accessing the Aiven Platform from specific IP address ranges
+to ensure they are coming from trusted networks. This helps you minimize exposure, reduce
+the risk of breaches, and comply with policies and regulations. This also applies to
+access through personal and application tokens.
+
 ## Set an authentication policy
 
 1.  In the organization, click **Admin**.