diff --git a/docs.json b/docs.json
index fa97afd..142bea3 100644
--- a/docs.json
+++ b/docs.json
@@ -151,6 +151,7 @@
                                 "group": "Advanced Configuration",
                                 "pages": [
                                     "self-host/advanced/config-file",
+                                    "self-host/advanced/private-config-file",
                                     "self-host/advanced/wild-card-domains",
                                     "self-host/advanced/cloudflare-proxy",
                                     "self-host/advanced/without-tunneling",
diff --git a/images/cf_websocket_box.png b/images/cf_websocket_box.png
new file mode 100644
index 0000000..8d8653b
Binary files /dev/null and b/images/cf_websocket_box.png differ
diff --git a/manage/identity-providers/add-an-idp.mdx b/manage/identity-providers/add-an-idp.mdx
index 7ca6a99..932fd5f 100644
--- a/manage/identity-providers/add-an-idp.mdx
+++ b/manage/identity-providers/add-an-idp.mdx
@@ -26,6 +26,24 @@ Here is an example using Microsoft Azure Entra ID as SSO for Pangolin:
   <img src="/images/create-idp.png" />
 </Frame>
 
+## Identity Provider Types
+
+### Organization Identity Providers
+
+Organization identity providers are configured per organization and only apply to that specific organization. Each org can have its own identity providers, allowing for authentication methods based on the organization's needs.
+
+<Note>
+	In Pangolin Enterprise you must enable `use_org_only_idp` in the [private config file](/self-host/advanced/private-config-file#param-use-org-only-idp) `privateConfig.yml`.
+</Note>
+
+### Global Identity Providers
+
+Global identity providers are managed at the server level and not the individual organization. They can apply to all or some organizations on the server. This means you must define policies per organization to map users to specific organizations and roles within those organizations. 
+
+<Tip>
+	Global identity providers are the only supported method in Pangolin Community.
+</Tip>
+
 ## Supported Identity Providers
 
 ### OAuth2/OIDC
@@ -40,7 +58,7 @@ This can be used to connect to any external identity provider that supports the
 ### Google
 
 <Note>
-Google IdP is only available in Pangolin Cloud.
+Google IdP is only available in Pangolin Cloud or Pangolin Enterprise with org identity providers. See above to enable.
 </Note>
 
 Easily set up Google Workspace authentication for your organization. Users can sign in with their Google accounts and access Pangolin resources using their existing Google credentials. Perfect for organizations already using Google Workspace for email, calendar, and other services.
@@ -48,7 +66,7 @@ Easily set up Google Workspace authentication for your organization. Users can s
 ### Azure Entra ID
 
 <Note>
-Azure Entra ID IdP is only available in Pangolin Cloud.
+Azure Entra ID IdP is only available in Pangolin Cloud or Pangolin Enterprise with org identity providers. See above to enable.
 </Note>
 
 Integrate with Microsoft's enterprise identity platform to allow users to authenticate using their Azure Active Directory accounts. Ideal for organizations using Microsoft 365 or other Azure services, providing seamless single sign-on across your Microsoft ecosystem.
@@ -56,7 +74,7 @@ Integrate with Microsoft's enterprise identity platform to allow users to authen
 ## How to Add an Identity Provider
 
 <Note>
-In the CE and EE, identity providers are created and managed via the Server Admin UI rather than the organization settings.
+When using global IDPs, identity providers are created and managed via the Server Admin UI rather than the organization settings.
 </Note>
 
 <Steps>
diff --git a/manage/identity-providers/auto-provisioning.mdx b/manage/identity-providers/auto-provisioning.mdx
index 5261a8a..46b0d6e 100644
--- a/manage/identity-providers/auto-provisioning.mdx
+++ b/manage/identity-providers/auto-provisioning.mdx
@@ -71,9 +71,7 @@ contains(groups, 'admin') && 'Admin' || 'Member'
 
 This example will return the string "Admin". If the user is not a member of the "admin" group, it will return "Member".
 
-## Community Edition
-
-In the Community Edition, identity providers are managed at the server level and not the individual organization. This means you must define policies per organization to map users to specific organizations and roles within those organizations. 
+## Global Identity Providers
 
 After you create an IdP, on the edit page, you can manage organization policies via the "Organization Policies" tab. You can set default (fallback) policies, or define them on a per org basis.
 
diff --git a/manage/identity-providers/azure.mdx b/manage/identity-providers/azure.mdx
index b6aa497..58d770c 100644
--- a/manage/identity-providers/azure.mdx
+++ b/manage/identity-providers/azure.mdx
@@ -3,6 +3,10 @@ title: "Azure Entra ID"
 description: "Configure Azure Entra ID Single Sign-On"
 ---
 
+<Note>
+Azure SSO is only available on Pangolin Cloud and Enterprise deployments. In enterprise, you must enable `use_org_only_idp` in your [private config file](/self-host/advanced/private-config-file) `privateConfig.yml`.
+</Note>
+
 The following steps will integrate Microsoft SSO using the built in Azure Entra ID identity provider in Pangolin.
 
 <iframe
@@ -58,6 +62,6 @@ In the OAuth2/OIDC Configuration, you'll need the following fields:
 
 When you're done, click "Create Identity Provider". Then, copy the Redirect URL in the "General" tab as you will now need this for your app registration.
 
-## Returning to Google Developers Console
+## Returning to Azure
 
-Lastly, you'll need to return to your app registration in order to add the redirect URI created by Pangolin. On the "Overview" tab, click "Add a Redirect URI". The click "Add a platform", and select "Web". Here, you can add the redirect URL from Pangolin and click "Configure". Your configuration should now be complete. You'll now need to add an external user to Pangolin, or if you have "Auto Provision Users" enabled, you can now log in using Google SSO.
+Lastly, you'll need to return to your app registration in order to add the redirect URI created by Pangolin. On the "Overview" tab, click "Add a Redirect URI". The click "Add a platform", and select "Web". Here, you can add the redirect URL from Pangolin and click "Configure". Your configuration should now be complete. You'll now need to add an external user to Pangolin, or if you have "Auto Provision Users" enabled, you can now log in using Azure SSO.
diff --git a/manage/identity-providers/google.mdx b/manage/identity-providers/google.mdx
index b9bf022..70ba03a 100644
--- a/manage/identity-providers/google.mdx
+++ b/manage/identity-providers/google.mdx
@@ -3,6 +3,10 @@ title: "Google"
 description: "Configure Google Single Sign-On"
 ---
 
+<Note>
+Google SSO is only available on Pangolin Cloud and Enterprise deployments. In enterprise, you must enable `use_org_only_idp` in your [private config file](/self-host/advanced/private-config-file#param-use-org-only-idp) `privateConfig.yml`.
+</Note>
+
 The following steps will integrate Google SSO using the built in Google identity provider in Pangolin.
 
 <iframe
diff --git a/self-host/advanced/cloudflare-proxy.mdx b/self-host/advanced/cloudflare-proxy.mdx
index 96ef504..22ffc73 100644
--- a/self-host/advanced/cloudflare-proxy.mdx
+++ b/self-host/advanced/cloudflare-proxy.mdx
@@ -131,3 +131,11 @@ server:
 </Warning>
 
 After making these changes, restart both Traefik and Pangolin for the configuration to take effect.
+
+### Troubleshooting
+
+If websockets are not connecting like from newt or clients, ensure that websockets are enabled in Cloudflare:
+
+<Frame>
+  <img src="/images/cf_websocket_box.png" width="600" centered/>
+</Frame>
\ No newline at end of file
diff --git a/self-host/advanced/config-file.mdx b/self-host/advanced/config-file.mdx
index 7af91be..9a94222 100644
--- a/self-host/advanced/config-file.mdx
+++ b/self-host/advanced/config-file.mdx
@@ -34,6 +34,9 @@ flags:
 <Warning>
 
 Generate a strong secret for `server.secret`. Use at least 32 characters with a mix of letters, numbers, and special characters.
+
+If you need to CHANGE the server secret after the server has been started you must use the `pangctl rotate-server-secret` command to re-encrypt sensitive data. [Follow docs here](/self-host/advanced/container-cli-tool#rotate-server-secret).
+
 </Warning>
 
 ## Reference
@@ -262,6 +265,9 @@ This section contains the complete reference for all configuration options in `c
 
       <Warning>
         Generate a strong, random secret. This is used for encrypting sensitive data and should be kept secure.
+        
+        If you need to CHANGE the server secret after the server has been started you must use the `pangctl rotate-server-secret` command to re-encrypt sensitive data. [Follow docs here](/self-host/advanced/container-cli-tool#rotate-server-secret).
+       
       </Warning>
     </ResponseField>
 
@@ -710,6 +716,12 @@ This section contains the complete reference for all configuration options in `c
         When enabled, only advanced WireGuard configurations are allowed.
       </Note>
     </ResponseField>
+    
+    <ResponseField name="disable_product_help_banners" type="boolean">
+	  Whether to disable product help banners in the UI at the top of screens.
+
+      **Default**: `false`
+    </ResponseField>
 
     <ResponseField name="disable_config_managed_domains" type="boolean">
       Whether to disable domains managed through the configuration file.
diff --git a/self-host/advanced/container-cli-tool.mdx b/self-host/advanced/container-cli-tool.mdx
index 8cd8d10..0065ea8 100644
--- a/self-host/advanced/container-cli-tool.mdx
+++ b/self-host/advanced/container-cli-tool.mdx
@@ -81,3 +81,40 @@ This command performs a critical operation that affects all encrypted data in yo
 - After rotation, you must restart the server for the new secret to take effect
 - Using `--force` with an incorrect old secret will cause the rotation to fail or corrupt encrypted data
 </Warning>
+
+## Clear License Keys
+
+Clear all license keys from the database:
+
+```bash
+docker exec -it pangolin pangctl clear-license-keys
+```
+
+<Warning>
+This command permanently deletes all license keys from the database. This action cannot be undone.
+</Warning>
+
+## Delete Client
+
+Delete a client and all associated data (OLMs, current fingerprint, userClients, approvals). Snapshots are preserved.
+
+```bash
+docker exec -it pangolin pangctl delete-client --orgId "org-123" --niceId "client-identifier"
+```
+
+### Options
+
+- `--orgId` (required): The organization ID
+- `--niceId` (required): The client niceId (identifier)
+
+<Warning>
+This command permanently deletes the client and its associated data:
+- All OLMs (One-time Login Mechanisms) associated with the client
+- Current fingerprint entries
+- Approval records
+- UserClient associations
+
+**Note:** Snapshots are preserved and will not be deleted.
+
+This action cannot be undone. Ensure you have backups if needed.
+</Warning>
diff --git a/self-host/advanced/private-config-file.mdx b/self-host/advanced/private-config-file.mdx
new file mode 100644
index 0000000..4093e83
--- /dev/null
+++ b/self-host/advanced/private-config-file.mdx
@@ -0,0 +1,206 @@
+---
+title: "Private Configuration File"
+description: "Configure advanced Pangolin settings using the privateConfig.yml file for enterprise features"
+---
+
+The `privateConfig.yml` file provides advanced configuration options for enterprise deployments. This file is mounted at `config/privateConfig.yml` in your Docker container.
+
+<Note>
+The private configuration file is only used on enterprise deployments. If you're using Pangolin Community, refer to the [main configuration file documentation](/self-host/advanced/config-file) instead. The private config file is not required.
+</Note>
+
+## Setting up your `privateConfig.yml`
+
+Here's a basic example with common settings:
+
+```yaml title="private-config.yml"
+flags:
+  use_org_only_idp: false
+
+branding:
+  app_name: "My Company Portal"
+  hide_auth_layout_footer: false
+```
+
+## Reference
+
+This section contains the complete reference for all configuration options in `private-config.yml`.
+
+### Application Settings
+
+<ResponseField name="app" type="object">
+  Regional and base domain configuration for multi-region deployments.
+
+  <Expandable title="properties">
+    <ResponseField name="region" type="string" default="default">
+      The region identifier for this Pangolin instance. Used for multi-region deployments.
+      
+      ```yaml
+      app:
+        region: "us-east-1"
+      ```
+    </ResponseField>
+  </Expandable>
+</ResponseField>
+
+### Server Configuration
+
+<ResponseField name="server" type="object">
+  Advanced server configuration including encryption keys and API integrations.
+
+  <Expandable title="properties">
+    <ResponseField name="encryption_key_path" type="string" default="./config/encryption.pem" required>
+      Path to the RSA private key used for encrypting sensitive data. Must be at least 8 characters long. THIS IS ONLY USED WITH pangolin_dns FEATURE FLAG ENABLED AND REQUIRES EXTERNAL COMPONENTS.
+      
+      ```yaml
+      server:
+        encryption_key_path: "./config/encryption.pem"
+      ```
+      
+		<Warning>
+		The `encryption_key_path` must point to a valid RSA key file. Generate one using:
+		```bash
+		openssl genrsa -out encryption.pem 4096
+		```
+		Keep this key secure and backed up - it encrypts sensitive data in your database.
+		</Warning>
+    </ResponseField>
+  </Expandable>
+</ResponseField>
+
+### Redis Configuration
+
+<ResponseField name="redis" type="object">
+  Redis connection settings for caching, sessions, and rate limiting. Useful for clustering Pangolin nodes.
+
+  <Expandable title="properties">
+    <ResponseField name="host" type="string" required>
+      Redis server hostname or IP address.
+      
+      ```yaml
+      redis:
+        host: "redis.example.com"
+      ```
+    </ResponseField>
+
+    <ResponseField name="port" type="number" required>
+      Redis server port (1-65535).
+      
+      ```yaml
+      redis:
+        port: 6379
+      ```
+    </ResponseField>
+
+    <ResponseField name="password" type="string">
+      Redis authentication password.
+      
+      ```yaml
+      redis:
+        password: "your-secure-password"
+      ```
+    </ResponseField>
+
+    <ResponseField name="db" type="number" default="0">
+      Redis database number (0-15 typically).
+      
+      ```yaml
+      redis:
+        db: 0
+      ```
+    </ResponseField>
+
+    <ResponseField name="replicas" type="array">
+      Array of read replica configurations for high-availability deployments.
+      
+      ```yaml
+      redis:
+        host: "redis-primary"
+        port: 6379
+        replicas:
+          - host: "redis-replica-1"
+            port: 6379
+            password: "replica-password"
+            db: 0
+          - host: "redis-replica-2"
+            port: 6379
+            password: "replica-password"
+            db: 0
+      ```
+      
+      <Expandable title="replica properties">
+        <ResponseField name="host" type="string" required>
+          Replica server hostname.
+        </ResponseField>
+        
+        <ResponseField name="port" type="number" required>
+          Replica server port.
+        </ResponseField>
+        
+        <ResponseField name="password" type="string">
+          Replica authentication password.
+        </ResponseField>
+        
+        <ResponseField name="db" type="number" default="0">
+          Database number on replica.
+        </ResponseField>
+      </Expandable>
+    </ResponseField>
+  </Expandable>
+</ResponseField>
+
+### Gerbil Tunnel Configuration
+
+<ResponseField name="gerbil" type="object">
+  Configuration for the Gerbil tunnel exit node integration.
+
+  <Expandable title="properties">
+    <ResponseField name="local_exit_node_reachable_at" type="string" default="http://gerbil:3004">
+      URL where the local Gerbil exit node can be reached by Pangolin. Useful when clustering multiple pangolin nodes. Overrides the value stored in the database. Useful when using Docker and address the local gerbil container using the host's address.
+      
+      ```yaml
+      gerbil:
+        local_exit_node_reachable_at: "http://gerbil:3004"
+      ```
+    </ResponseField>
+  </Expandable>
+</ResponseField>
+
+### Feature Flags
+
+<ResponseField name="flags" type="object">
+  Feature toggles for advanced functionality.
+
+  <Expandable title="properties">
+    <ResponseField name="use_org_only_idp" type="boolean" default="false">
+      Restrict identity provider (IdP) authentication to organization-level only.
+      
+      ```yaml
+      flags:
+        use_org_only_idp: true
+      ```
+    </ResponseField>
+    
+    <ResponseField name="enable_redis" type="boolean" default="false">
+      Enable Redis for caching and session management. Requires `redis` configuration.
+      
+      ```yaml
+      flags:
+        enable_redis: true
+      ```
+    </ResponseField>
+
+    <ResponseField name="use_pangolin_dns" type="boolean" default="false">
+      Use Pangolin DNS servers for client connections instead of external DNS servers for DNS delegation and CNAME setups. Used for clustering Pangolin nodes. REQUIRES EXTERNAL COMPONENTS. PLEASE CONTACT SUPPORT TO OBTAIN ACCESS BEFORE ENABLING.
+      
+      ```yaml
+      flags:
+        use_pangolin_dns: true
+      ```
+    </ResponseField>
+  </Expandable>
+</ResponseField>
+
+### Branding Configuration
+
+Please refer to the [branding configuration documentation](/manage/branding).
\ No newline at end of file