Kong · Guaris · Apr 17, 2026 · Apr 8, 2026 · Apr 8, 2026 · Apr 8, 2026
@@ -87,8 +87,7 @@ For example, list all Dev Portals in your organization:
 kongctl get portals
 ```
 
-If you are using a new account, you should see an empty response, otherwise the Dev Portals you have access to
-will be displayed. 
+If you are using a new account, you should see an empty response, otherwise {{site.konnect_short_name}} displays the Dev Portals you have access to.
 
 kongctl commands support different output formats, including `json`, `yaml`, or `text`. The same `get` command will output the data in `json` format if you run the following:
 

@@ -61,7 +61,7 @@ prereqs:
         on your development machine to run the web app.
     - title: Operating system compatibility
       content: |
-        These instructions are specific to *nix style operating systems. For MS Windows, the user will need to 
+        These instructions are specific to *nix style operating systems. For MS Windows, you will need to 
         make adjustments to commands and instructions.
 
 automated_tests: false
@@ -83,7 +83,7 @@ Create (if necessary) a new {{site.konnect_short_name}} Organization and [sign i
 ## Authorize the {{site.konnect_short_name}} Orchestrator to {{site.konnect_short_name}}
 
 The {{site.konnect_short_name}} Orchestrator (aka "orchestrator" or `koctl`) provides commands you can use to 
-setup the reference platform in your own engineering environment. `koctl` is also ran within the [APIOps workflows](/konnect-reference-platform/apiops)
+setup the reference platform in your own engineering environment. `koctl` also runs within the [APIOps workflows](/konnect-reference-platform/apiops)
 and creates and manages resource configurations within your {{site.konnect_short_name}} Organization via APIs. 
 In order to authorize the tool, use the following steps to create a system account with 
 [Organization Admin](/konnect-platform/teams-and-roles/#predefined-teams) permissions:
@@ -114,7 +114,7 @@ The orchestrator requires specific access to the `platform` repository in order
 In order to authorize the orchestrator, you need to create a GitHub access token with the proper permissions.
 
 1. From the GitHub web console, navigate to your profile menu, then _Settings -> Developer Settings -> Personal access tokens_
-1. Create a new _Fine-grained token_ and give the token a name that indicates it's relationship to the orchestrator (e.g. `platform-konnect-orchestrator`)
+1. Create a new _Fine-grained token_ and give the token a name that indicates its relationship to the orchestrator (e.g. `platform-konnect-orchestrator`)
 1. Select the GitHub organization that owns the `platform` repository you created in the previous step and set appropriate token expiration
 1. Under _Repository access_, choose _Only select repositories_ and choose the `platform` repository.
 1. Under _Repository permissions_, select all of the following permissions:
@@ -188,7 +188,7 @@ including a link directly to the PR. The PR will have the following title: `[Kon
 
 Open the PR in the GitHub web console and review the changes. Once satisfied with the changes, merge the PR into the `main` branch of the repository.
 
-You have now added your {{site.konnect_short_name}} to the `platform` repository and the APIOps workflows will initiate
+You have now added your {{site.konnect_short_name}} Organization to the `platform` repository and the APIOps workflows will initiate
 the necessary steps to prepare your {{site.konnect_short_name}} Organization for use with the reference platform.
 
 ## Create a {{site.konnect_short_name}} Orchestrator GitHub OAuth application 

@@ -51,7 +51,7 @@ prereqs:
         1. On the Webhook Destination tab, click **New Webhook**.
         1. In the **Name** field, enter `SumoLogic`.
         1. In the **Endpoint** field, enter your external endpoint that will receive audit log messages. For example: `https://endpoint4.collection.sumologic.com/receiver/v1/http/1234abcd`.
-        1. In the **Authorization Header** field, enter the access token from you SIEM. 
+        1. In the **Authorization Header** field, enter the access token from your SIEM. 
            {{site.konnect_short_name}} will send this string in the `Authorization` header of requests to that endpoint.
         1. From the **Log Format** dropdown menu, select "cef".
         1. (Optional) Click **Disable SSL Verification** to disable SSL verification of the host endpoint when delivering payloads.
@@ -60,7 +60,7 @@ prereqs:
            > We only recommend disabling SSL verification when using self-signed SSL certificates in a non-production environment as this can subject you to man-in-the-middle and other attacks.
         1. Click the **Konnect** tab.
         1. Navigate to the region you want to configure the webhook for.
-        1. Click **Disabled**.
+        1. Click **Disabled** to enable log delivery for this region.
         1. From the **Endpoint** dropdown menu, select your SIEM endpoint.
         1. Click **Save**.
 
@@ -74,7 +74,7 @@ prereqs:
         {% endkonnect_api_request %}
         <!--vale on-->
 
-        This triggers a log in SumoLogic. Sometimes it can take a minute to populate the logs.
+        This triggers a log in SumoLogic. Logs may take up to one minute to appear.
 
 cleanup:
   inline:

@@ -59,7 +59,7 @@ faqs:
 
       If you have registered data plane nodes, they won't be
       stopped by {{site.konnect_short_name}}. They will no longer proxy data, but the
-      nodes will keep running until manually stop them.
+      nodes will keep running until you manually stop them.
   - q: How do I deactivate or reactivate an org?
     a: |
       Contact Kong Support by navigating to the **?** icon on the top right menu and clicking **Create support case** or from the [Kong Support portal](https://support.konghq.com) to do any of the following:
@@ -104,7 +104,7 @@ faqs:
 
 {{site.konnect_short_name}} offers [two plans](https://konghq.com/pricing).
 
-* **{{site.konnect_short_name}} Plus**: {{site.konnect_short_name}} Plus is the simplest way to get started with {{site.konnect_short_name}}, allowing you to only pay for the services you consume. New accounts are automatically given a month of free credits as part of 30-day trial. You can claim your Konnect Plus credits by [signing up](https://konghq.com/products/kong-konnect/register).
+* **{{site.konnect_short_name}} Plus**: {{site.konnect_short_name}} Plus is the simplest way to get started with {{site.konnect_short_name}}, allowing you to only pay for the services you consume. New accounts are automatically given a month of free credits as part of a 30-day trial. You can claim your {{site.konnect_short_name}} Plus credits by [signing up](https://konghq.com/products/kong-konnect/register).
 * **{{site.konnect_short_name}} Enterprise**: {{site.konnect_short_name}} Enterprise is our contract-based option that includes 24x7x365 support and professional services access to help you build and maintain your own custom environment. Learn more about enterprise on our [pricing page](https://konghq.com/pricing).
 
 

@@ -95,7 +95,7 @@ rows:
 {% endtable %}
 <!--vale on-->
 
-{{site.konnect_short_name}} retains audit logs for 7 days. After the 7 days, they are permanently deleted and can't be recovered.
+{{site.konnect_short_name}} retains audit logs for 7 days. After 7 days, {{site.konnect_short_name}} permanently deletes them and you cannot recover them.
 
 {:.info}
 > Dev Portal audit logs don't collect authorization and access events by design. You can view Dev Portal entity creation, edits, and approved state changes from the {{site.konnect_short_name}} audit logs. 

@@ -63,7 +63,7 @@ To configure CMEK, you need:
 
 1. Provision a new multi-region symmetric key in your AWS account using "Key Managed Service (KMS)". They key should be in the AWS region you intend to use in {{site.konnect_short_name}}. A multi-region key is recommended to replicate the key in multiple regions, which can be used for disaster recovery or compliance purposes. 
 
-1. Ensure the following access policy statement is included in your key policy to allow `cc-konnect` role ({{site.konnect_short_name}}) to use your key:
+1. Add the following access policy statement to your key policy to allow the `cc-konnect` role ({{site.konnect_short_name}}) to use your key:
 ```json
 {
   "Effect": "Allow",
@@ -98,7 +98,7 @@ When you configure CMEK, you are responsible for the following:
 
 * **Key rotation**: 
   * AWS KMS takes care of key rotation automatically. 
-  * Manual rotation with a new ARN requires updating the key in {{site.konnect_short_name}}. If the key's ARN changes, data encrypted with the previous key cannot be decrypted in {{site.konnect_short_name}}.
+  * Manual rotation with a new ARN requires updating the key in {{site.konnect_short_name}}. If the key's ARN changes, {{site.konnect_short_name}} cannot decrypt data encrypted with the previous key.
 * **Key revocation**: 
   * Revoking or deleting your key in AWS KMS renders associated data permanently unreadable.
 * **Performance impact**: 
@@ -118,7 +118,7 @@ See the following sections for information about how to manage CMEK keys.
 
 * Rotating keys within AWS KMS (without changing the ARN) is supported automatically.
 * If you change the ARN, you must update the key in {{site.konnect_short_name}} manually. 
-  * Data encrypted with the previous key cannot be decrypted and will be lost.
+  * {{site.konnect_short_name}} cannot decrypt data encrypted with the previous key, and that data will be lost.
 
 ### Key revocation
 

@@ -30,14 +30,14 @@ faqs:
   - q: Are the {{site.konnect_short_name}} Control Plane and associated database migrations or upgrades done by Kong Inc.?
     a: The {{site.base_gateway}} Control Plane and its dependencies are fully managed by {{site.konnect_short_name}}. As new versions of {{site.base_gateway}} are released, {{site.konnect_short_name}} supports them as long as they are under our [active support schedule](/gateway/version-support-policy/).
   - q: Will {{site.konnect_short_name}} Control Plane upgrades always show incompatible messages on the API Gateway page in {{site.konnect_short_name}} if the Data Plane nodes are not the same version as the {{site.konnect_short_name}} Control Plane?
-    a: An old configuration may still be 100% compatible with older Data Plane nodes and therefore not show any error messages in the {{site.konnect_short_name}} UI. If there are compatibility issues detected when pushing the payload down to the Data Plane, then this will be reflected in the UI.
+    a: An old configuration may still be 100% compatible with older Data Plane nodes and therefore not show any error messages in the {{site.konnect_short_name}} UI. If {{site.konnect_short_name}} detects compatibility issues when pushing the payload to the Data Plane, the UI displays them.
   - q: Will new features be available if the {{site.konnect_short_name}} Control Plane detects incompatible Data Plane nodes?
     a: |
-      New features will not be available for use or consumption on incompatible Data Plane nodes. You will see new features available in the {{site.konnect_short_name}} UI regardless of the Data Plane that is connected to the Control Plane in {{site.konnect_short_name}}. However, when an update payload is pushed to an incompatible Data Plane, the update will be automatically rejected by the Data Plane. 
+      New features will not be available for use or consumption on incompatible Data Plane nodes. You will see new features available in the {{site.konnect_short_name}} UI regardless of the Data Plane that is connected to the Control Plane in {{site.konnect_short_name}}. However, when the Control Plane pushes an update payload to an incompatible Data Plane, the Data Plane automatically rejects the update.
 
-      This is managed by a version compatibility layer that checks the payload before the update gets sent to the Data Plane. If there are concerns with the payload, metadata is added to the node. That metadata is what will display incompatibility warnings or errors in the {{site.konnect_short_name}} UI. 
+      A version compatibility layer checks the payload before the Control Plane sends the update to the Data Plane. If the compatibility layer finds concerns with the payload, it adds metadata to the node. {{site.konnect_short_name}} uses that metadata to display incompatibility warnings or errors in the UI.
 
-      For example, let's say a parameter is introduced with a new version of a plugin and is available in the {{site.konnect_short_name}} UI. The Data Plane, however, is running an older version of {{site.base_gateway}} and doesn't support the new parameter. If that parameter isn't configured, or is assigned the default value, then no warning or incompatibility metadata will be applied to the node in {{site.konnect_short_name}}, and no warnings or errors will appear.
+      For example, let's say a parameter is introduced with a new version of a plugin and is available in the {{site.konnect_short_name}} UI. The Data Plane, however, is running an older version of {{site.base_gateway}} and doesn't support the new parameter. If that parameter isn't configured, or is assigned the default value, then {{site.konnect_short_name}} adds no warning or incompatibility metadata to the node, and no warnings or errors appear.
   - q: Can I continue to use older versions of configurations as the {{site.konnect_short_name}} Control Plane auto-upgrades?
     a: Yes. All decK dumps, or YAML configurations, will continue to work in {{site.konnect_short_name}} after they are synced.
   - q: Are there any disruptions if I choose not to upgrade my Data Plane nodes?

@@ -25,7 +25,7 @@ related_resources:
 
 {{site.konnect_short_name}} allows you to host and operate your cloud instance in a geographic region that you specify. This is important for data privacy and regulatory compliance for you organization. 
 
-Geographic regions allow you to also operate {{site.konnect_short_name}} in a similar geo to your users and their infrastructure applications. 
+Geographic regions allow you to operate {{site.konnect_short_name}} in the same region as your users and their infrastructure. 
 <!--- Do not publish yet: "This reduces network latency and minimizes the blast-radius in the event of cross-region connectivity failures." -->
 
 ## Geo-specific objects

@@ -26,7 +26,7 @@ related_resources:
 
 Changelog for KAi.
 
-## Week of 2026-01-xx
+## Week of 2026-01-01
 
 * Beta trial is available for Enterprise accounts in [{{site.konnect_short_name}} Labs](https://cloud.konghq.com/global/organization/labs).
 

@@ -46,4 +46,4 @@ Each label must follow these requirements:
 You can use labels separately on the Control Plane and Data Plane nodes:
 * On the Control Plane, you can set a label for `control plane` and for individual API products.
 * On Data Plane nodes, set labels through `kong.conf` or via environment variables using the [`cluster_dp_labels`](/gateway/configuration/#cluster-dp-labels) property.
-These labels are exposed through the [`/nodes`](/api/konnect/control-planes-config/#/operations/list-dataplane-nodes) endpoint of the {{site.konnect_short_name}} API.
+The {{site.konnect_short_name}} API exposes these labels through the [`/nodes`](/api/konnect/control-planes-config/#/operations/list-dataplane-nodes) endpoint.
@@ -46,13 +46,13 @@ faqs:
       When a Data Plane node receives new configuration from the Control Plane, it immediately loads it into memory and also caches it to disk.
       The cache location depends on the Gateway version:
 
-      * **2.x Gateway** – Configuration is stored in an unencrypted cache file, `config.json.gz`, located in the {{site.base_gateway}} prefix path.
-      * **3.x Gateway** – Configuration is stored in an unencrypted LMDB database directory, `dbless.lmdb`, also in the {{site.base_gateway}} prefix path.
+      * **2.x Gateway** – The Data Plane node stores the configuration in an unencrypted cache file, `config.json.gz`, in the {{site.base_gateway}} prefix path.
+      * **3.x Gateway** – The Data Plane node stores the configuration in an unencrypted LMDB database directory, `dbless.lmdb`, also in the {{site.base_gateway}} prefix path.
   - q: What happens if the Control Plane and Data Plane nodes disconnect?
     a: |
       Data plane nodes use the cached configuration until they can reconnect.
       Once reconnected, the Control Plane sends the latest configuration.
-      It does not queue or replay any older configuration changes.
+      The Control Plane does not queue or replay any older configuration changes.
   - q: Can I restart a Data Plane node if the Control Plane is down or disconnected?
     a: |
       Yes. Restarting a Data Plane node will load its cached configuration and resume normal function.
@@ -157,7 +157,7 @@ rows:
 
 ## Mesh hostnames in {{site.konnect_short_name}}
 
-If you use {{site.konnect_short_name}} to manage your service mesh, you must add the `{geo}.mesh.sync.konghq.com:443` hostname to your firewall allowlist. The geo can be `au`, `eu`, `us`, or `global`.
+If you use {{site.konnect_short_name}} to manage your service mesh, you must add the `{geo}.mesh.sync.konghq.com:443` hostname to your firewall allowlist. The geo can be `au`, `eu`, `me`, `in`, `sg`, `us`, or `global`.
 
 ## Specify IP addresses that can connect to {{site.konnect_short_name}}
 

@@ -21,7 +21,7 @@ related_resources:
     url: /api/konnect/ksearch/
 ---
 
-{{site.konnect_short_name}} Search allows to search across all {{site.konnect_short_name}} entities within an organization using simple keywords as well as precise query syntax.. 
+{{site.konnect_short_name}} Search allows to search across all {{site.konnect_short_name}} entities within an organization using keyword matching as well as advanced query syntax.
 You can access search using the search bar (_Command+K_ or _Control+K_) at the top of every page in {{site.konnect_short_name}} or using the [{{site.konnect_short_name}} Search API](/api/konnect/ksearch/).
 
 The {{site.konnect_short_name}} Search, by default, searches for both global and regional entities (with regional-awareness for the [currently selected region](/konnect-platform/geos/)). This ensures that returned entities are relevant to their geographical location. By default, every search performs:
@@ -65,7 +65,7 @@ In this example, the query syntax is made up of the following components:
 * Selectors: `type`, `label`, and `name`. They define what you are searching by. 
 * Entity type: `team`. These define what {{site.konnect_short_name}} entity you want to search for.
 * Logical operator: `AND NOT` and `AND`. These are used to combine multiple criteria in a query.
-* Wildcard: `*` to denote any a suffix match.
+* Wildcard: `*` to denote a suffix match.
 * Search values: `eng` and `_qa`. These are the values that the search service is matching for.
 
 ### Entity types