diff --git a/website/src/app/blog/apr-2024-update/readme.mdx b/website/src/app/blog/apr-2024-update/readme.mdx
index c7c3319cd..e1427c7c5 100644
--- a/website/src/app/blog/apr-2024-update/readme.mdx
+++ b/website/src/app/blog/apr-2024-update/readme.mdx
@@ -15,7 +15,7 @@ import Image from "next/image";
- Firezone 1.0 signups are now open!
[Sign up here](https://app.firezone.dev/sign_up) or
[request a demo](/contact/sales).
-- New [Team plan](https://app.firezone.dev/pricing) at $5 user/month.
+- New [Team plan](https://www.firezone.dev/pricing) at $5 user/month.
- [iOS](https://apps.apple.com/us/app/firezone/id6443661826) and
[Android](https://play.google.com/store/apps/details?id=dev.firezone.android)
apps are now available.
@@ -42,8 +42,8 @@ It was easy to get up and running quickly with Firezone, but as the number of
users, devices, and networks to protect grew within an organization, so did the
complexity of managing it all.
-So we went back to the whiteboard to reimagine how Firezone would look if
-we rebuilt it from the ground up The Right Way™ -- with scalability and ease of
+So we went back to the whiteboard to reimagine how Firezone would look if we
+rebuilt it from the ground up The Right Way™ -- with scalability and ease of
use in mind.
@@ -166,8 +166,9 @@ documentation.
#### High availability
-The first major feature in 1.0 we should discuss is high availability.
-Firezone achieves high availability by allowing you to deploy multiple Gateways within a given Site.
+The first major feature in 1.0 we should discuss is high availability. Firezone
+achieves high availability by allowing you to deploy multiple Gateways within a
+given Site.
Each Firezone Gateway is a tiny, self-contained binary that needs
[only a single environment](/kb/deploy/gateways) variable to function. Throw it
diff --git a/website/src/app/blog/mar-2024-update/readme.mdx b/website/src/app/blog/mar-2024-update/readme.mdx
index 97c97190e..04eaf901f 100644
--- a/website/src/app/blog/mar-2024-update/readme.mdx
+++ b/website/src/app/blog/mar-2024-update/readme.mdx
@@ -179,7 +179,7 @@ Like what you see and want to give Firezone a try?
[Sign up now](https://app.firezone.dev/sign_up) and get started with up to 6
users for free.
-Want to see Firezone in action? [Request a demo](/product/demo) if you'd like a
+Want to see Firezone in action? [Request a demo](/contact/sales) if you'd like a
first-hand look at how Firezone can help your organization.
That's all for this update!
diff --git a/website/src/app/blog/release-0-6-0/readme.mdx b/website/src/app/blog/release-0-6-0/readme.mdx
index 18bf6d2c7..eb16da50d 100644
--- a/website/src/app/blog/release-0-6-0/readme.mdx
+++ b/website/src/app/blog/release-0-6-0/readme.mdx
@@ -10,7 +10,7 @@ identity providers like Okta and OneLogin.
## Docker Support
Docker is now the preferred method for deploying Firezone. Our
-[automatic install script](https://raw.githubusercontent.com/firezone/firezone/legacy/scripts/docker_install.sh)
+[automatic install script](https://raw.githubusercontent.com/firezone/firezone/legacy/scripts/install.sh)
now uses Docker by default, and we even have a new
[Docker migration script ](https://raw.githubusercontent.com/firezone/firezone/legacy/scripts/docker_migrate.sh)
that will non-destructively migrate your Omnibus-based Firezone installation to
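Review bot: the unchanged link text `[Docker migration script ](...)` two lines above carries a trailing space before the `]`, which renders as a visible gap inside the link; since this hunk already touches the neighbouring script link, drop the space here. Also worth confirming that `scripts/install.sh` actually exists on the `legacy` branch the raw URL points at, because this post originally shipped with `docker_install.sh` and a dead link on a historical release note is easy to miss.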
diff --git a/website/src/app/docs/authenticate/oidc/google/readme.mdx b/website/src/app/docs/authenticate/oidc/google/readme.mdx
index 67f52267b..c2df6023b 100644
--- a/website/src/app/docs/authenticate/oidc/google/readme.mdx
+++ b/website/src/app/docs/authenticate/oidc/google/readme.mdx
@@ -22,7 +22,8 @@ obtain the following config settings required for the integration:
which returns a JSON document used to construct subsequent requests to this
OIDC provider.
-
-
## Step 3: Integrate with Firezone
Navigate to the `/settings/security` page in the admin portal, click "Add OpenID
diff --git a/website/src/app/docs/authenticate/oidc/zitadel/readme.mdx b/website/src/app/docs/authenticate/oidc/zitadel/readme.mdx
index f8f3a93f5..92da79c40 100644
--- a/website/src/app/docs/authenticate/oidc/zitadel/readme.mdx
+++ b/website/src/app/docs/authenticate/oidc/zitadel/readme.mdx
@@ -22,29 +22,31 @@ settings required for the integration:
which returns a JSON document used to construct subsequent requests to this
OIDC provider.
-
## Requirements
-- Setup your own [Zitadel Cloud](https://zitadel.cloud) account.
+- Set up your own [Zitadel Cloud](https://zitadel.com) account.
- Create your first Zitadel instance in the
[Zitadel Customer portal](https://zitadel.cloud/admin/instances)
- Login to your Zitadel instance and create a project (i.e. "Internal")
More information about these steps can be found in
-[Zitadel's documentation](https://docs.zitadel.com/docs/guides/start/quickstart#try-out-zitadel-cloud).
+[Zitadel's documentation](https://zitadel.com/docs/guides/start/quickstart).
## Create Zitadel Application
In the Instance Console, go to **Projects** and select the project you want,
then click **New**.
-
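Review bot: the account link moves to `https://zitadel.com`, but the unchanged bullet right below still sends users to `https://zitadel.cloud/admin/instances` for the Customer portal; if the domain has moved, both links should move together, otherwise one set of steps bounces the reader between two domains. While here, the `Setup` to `Set up` fix should also be applied to `Login to your Zitadel instance` (`Log in to`), which is the same verb/noun mix-up on the next line.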
Must be a valid and public FQDN for ACME SSL issuance to function.
You can add a path suffix if you want to serve firezone from a non-root path, eg: `https://firezone.mycorp.com/vpn/`. | string | |
-| PHOENIX_SECURE_COOKIES | Enable or disable requiring secure cookies. Required for HTTPS. | boolean | true |
-| PHOENIX_HTTP_PORT | Internal port to listen on for the Phoenix web server. | integer | 13000 |
-| PHOENIX_HTTP_PROTOCOL_OPTIONS | Allows to override Cowboy HTTP server options.
Keep in mind though changing those limits can pose a security risk. Other times, browsers and proxies along the way may have equally strict limits, which means the request will still fail or the URL will be pruned.
You can see all supported options at https://ninenines.eu/docs/en/cowboy/2.5/manual/cowboy\_http/. | JSON-encoded map | `{}` |
-| PHOENIX_EXTERNAL_TRUSTED_PROXIES | List of trusted reverse proxies.
This is used to determine the correct IP address of the client when the application is behind a reverse proxy by skipping a trusted proxy IP from a list of possible source IPs. | JSON-encoded list | `"[]"` |
-| PHOENIX_PRIVATE_CLIENTS | List of trusted clients.
This is used to determine the correct IP address of the client when the application is behind a reverse proxy by picking a trusted client IP from a list of possible source IPs. | JSON-encoded list | `"[]"` |
-| HTTP_CLIENT_SSL_OPTS | JSON-encoded ssl options to pass to Erlang's [`ssl` module](https://www.erlang.org/doc/man/ssl.html).
. Most users don't need to override many, if any, SSL opts. Most commonly this is to use custom cacert files and TLS versions for self-hosted OIDC providers. | JSON-encoded map | `{}` |
+| Env Key | Description | Format | Default |
+| -------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------- | ------- |
+| **EXTERNAL_URL** | The external URL the web UI will be accessible at.
Must be a valid and public FQDN for ACME SSL issuance to function.
You can add a path suffix if you want to serve firezone from a non-root path, eg: `https://firezone.mycorp.com/vpn/`. | string | |
+| PHOENIX_SECURE_COOKIES | Enable or disable requiring secure cookies. Required for HTTPS. | boolean | true |
+| PHOENIX_HTTP_PORT | Internal port to listen on for the Phoenix web server. | integer | 13000 |
+| PHOENIX_HTTP_PROTOCOL_OPTIONS | Allows to override Cowboy HTTP server options.
Keep in mind though changing those limits can pose a security risk. Other times, browsers and proxies along the way may have equally strict limits, which means the request will still fail or the URL will be pruned.
You can see all supported options at https://ninenines.eu/docs/en/cowboy/2.12/manual/cowboy_http2/. | JSON-encoded map | `{}` |
+| PHOENIX_EXTERNAL_TRUSTED_PROXIES | List of trusted reverse proxies.
This is used to determine the correct IP address of the client when the application is behind a reverse proxy by skipping a trusted proxy IP from a list of possible source IPs. | JSON-encoded list | `"[]"` |
+| PHOENIX_PRIVATE_CLIENTS | List of trusted clients.
This is used to determine the correct IP address of the client when the application is behind a reverse proxy by picking a trusted client IP from a list of possible source IPs. | JSON-encoded list | `"[]"` |
+| HTTP_CLIENT_SSL_OPTS | JSON-encoded ssl options to pass to Erlang's [`ssl` module](https://www.erlang.org/doc/man/ssl.html).
. Most users don't need to override many, if any, SSL opts. Most commonly this is to use custom cacert files and TLS versions for self-hosted OIDC providers. | JSON-encoded map | `{}` |
### Database
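Review bot: the PHOENIX_HTTP_PROTOCOL_OPTIONS row describes overriding Cowboy HTTP server options, but its link now points at the `cowboy_http2` manual page (`.../cowboy/2.12/manual/cowboy_http2/`), which documents HTTP/2-specific options; the old link pointed at `cowboy_http`. If the intent was only to bump the Cowboy version, the path should be `.../cowboy/2.12/manual/cowboy_http/`. Two smaller things in the rewritten table: the HTTP_CLIENT_SSL_OPTS description still starts its second line with a stray `.` immediately after the sentence-ending period, and the JSON-encoded list rows quote their default as `"[]"` while the map rows use bare `{}`; since the whole table is being replaced, this is the moment to make the defaults consistent.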
diff --git a/website/src/app/kb/administer/page.tsx b/website/src/app/kb/administer/page.tsx
new file mode 100644
index 000000000..17e7ffde0
--- /dev/null
+++ b/website/src/app/kb/administer/page.tsx
@@ -0,0 +1,17 @@
+import Content from "./readme.mdx";
+import { Metadata } from "next";
+import LastUpdated from "@/components/LastUpdated";
+
+export const metadata: Metadata = {
+ title: "Administer • Firezone Docs",
+ description: "Learn how to manage your Firezone deployment day-to-day.",
+};
+
+export default function Page() {
+ return (
+ <>
+
+
+ >
+ );
+}
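Review bot: as the hunk reads, `Content` and `LastUpdated` are imported but never rendered, and the fragment opened with `<>` in the return block is closed with a bare `>` rather than `</>`, so the file would neither parse as JSX nor pass an unused-import lint. If the component tags were lost in the diff view, please confirm the committed file renders both imports inside the fragment and closes it with `</>`; otherwise add them.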
diff --git a/website/src/app/kb/administer/readme.mdx b/website/src/app/kb/administer/readme.mdx
new file mode 100644
index 000000000..c1496b53f
--- /dev/null
+++ b/website/src/app/kb/administer/readme.mdx
@@ -0,0 +1,14 @@
+import SupportOptions from "@/components/SupportOptions";
+
+# Administer
+
+Helpful information for day-to-day administration of your Firezone deployment.
+
+## Table of Contents
+
+- [Upgrading Gateways](/kb/administer/upgrading-gateways)
+- [Backup and restore](/kb/administer/backup-restore)
+- [Viewing logs](/kb/administer/logs)
+- [Troubleshooting](/kb/administer/troubleshooting)
+
+
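Review bot: `SupportOptions` is imported at the top of this new page but does not appear anywhere in the body; the file ends with two empty lines where the component would normally be rendered. Either render `<SupportOptions />` at the end of the page (the directory-sync page in this same patch adds the identical import) or drop the import.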
diff --git a/website/src/app/kb/architecture/core-components/readme.mdx b/website/src/app/kb/architecture/core-components/readme.mdx
index 1f400d150..677627bf9 100644
--- a/website/src/app/kb/architecture/core-components/readme.mdx
+++ b/website/src/app/kb/architecture/core-components/readme.mdx
@@ -174,7 +174,7 @@ functionality. For more information on deploying Gateways, see the
Gateways can be downloaded from the following locations:
- Binary: [GitHub releases](https://www.github.com/firezone/firezone/releases)
-- Docker: [GitHub Container Registry](ghcr.io/firezone/gateway)
+- Docker: `docker pull ghcr.io/firezone/gateway`
### Resources
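Review bot: turning the Docker line into a `docker pull ghcr.io/firezone/gateway` command is clearer than a bare registry path rendered as a link, but the unchanged Binary line directly above still links to `https://www.github.com/firezone/firezone/releases`; the FAQ hunks in this patch drop the `www.` prefix from GitHub URLs, so normalize it here too.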
diff --git a/website/src/app/kb/authenticate/directory-sync/readme.mdx b/website/src/app/kb/authenticate/directory-sync/readme.mdx
index abe3f2c60..8e958077a 100644
--- a/website/src/app/kb/authenticate/directory-sync/readme.mdx
+++ b/website/src/app/kb/authenticate/directory-sync/readme.mdx
@@ -1,5 +1,6 @@
import Alert from "@/components/DocsAlert";
import PlanBadge from "@/components/PlanBadge";
+import SupportOptions from "@/components/SupportOptions";
@@ -17,15 +18,17 @@ identity provider every few minutes.
## How Firezone treats deleted entities
-Firezone **never** deletes entities synced from your identity provider. This
-helps to preserve audit trails and other logged activity within Firezone.
+When you delete a user or group in your identity provider, Firezone soft-deletes
+them upon the next sync. This prevents data duplication if a user or group is
+only temporarily suspended, and helps preserve logged activity within Firezone
+for auditing purposes.
### Deleting or suspending a user
When a user is deleted or suspended in your identity provider, Firezone will
-disable the user and clear all active Client and admin portal web sessions for
-that user upon the next sync. The user will be **signed out of all Clients** and
-forced to reauthenticate.
+delete the associated identity the user signs in with, clearing all active
+Client and admin portal web sessions for that identity. The user will be
+immediately **signed out of all Client and admin portal sessions**.
This ensures terminated employees will have all Firezone access revoked within a
few minutes of deleting or suspending them in your identity provider.
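Review bot: the new overview says users and groups are soft-deleted on sync, while the subsection below says Firezone will `delete the associated identity the user signs in with`; from these two paragraphs a reader cannot tell whether the identity is the thing being soft-deleted, nor whether a user who is un-suspended in the identity provider gets the same identity (and its audit history) back or a fresh one. Since the overview promises that soft-deletion prevents duplication for temporary suspensions, state explicitly what happens on restore. The revocation wording is also stronger now (`immediately signed out` instead of `forced to reauthenticate`); make sure the `within a few minutes` sentence that follows still matches, because revocation is only as immediate as the next sync.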
@@ -33,15 +36,16 @@ few minutes of deleting or suspending them in your identity provider.
### Deleting a group or organizational unit
When a group or organizational unit is deleted in your identity provider,
-Firezone will hide the group and delete any associated Policies.
+Firezone will delete the group and all associated Policies. Any access granted
+by those Policies **will be immediately revoked**.
## Nested groups and organizational units
-Firezone syncs transitive memberships from your identity provider. This means
-user membership for a particular group is determined not only by its immediate
-members, but any child groups as well. This allows you to create nested group
-structures in your identity provider and have their memberships automatically
-reflected in Firezone.
+Firezone syncs nested (sometimes called "transitive") memberships from your
+identity provider. This means user membership for a particular group is
+determined not only by its immediate members, but any child groups as well. This
+allows you to create nested group structures in your identity provider and have
+their memberships automatically reflected in Firezone.
For example, if you had the following group structure in your identity provider:
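Review bot: this hunk says a deleted group causes Firezone to `delete the group and all associated Policies` with access `immediately revoked`, which reads as a hard delete and sits uneasily with the earlier statement in this file that deleted entities are soft-deleted. If Policies are soft-deleted too, say so and say whether they return when the group is restored in the identity provider; if they are hard-deleted, an admin restoring a group will silently end up with no Policies, which deserves an explicit warning. The nested-groups paragraph is a pure reflow and needs no change.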
@@ -75,3 +79,5 @@ Group:Support:
Group:DevOps:
- john@company.com
```
+
+
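Review bot: this hunk only appends two blank lines after the closing code fence, while the first hunk of this file adds an import of `SupportOptions`; if `<SupportOptions />` was meant to be rendered here and was dropped from the diff view, confirm it is present in the committed file, since an MDX import that is never used is dead code and will trip an unused-import lint.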
diff --git a/website/src/app/kb/authenticate/oidc/readme.mdx b/website/src/app/kb/authenticate/oidc/readme.mdx
index 18c9c996e..c452bacee 100644
--- a/website/src/app/kb/authenticate/oidc/readme.mdx
+++ b/website/src/app/kb/authenticate/oidc/readme.mdx
@@ -43,7 +43,7 @@ documentation for convenience:
- [Onelogin](https://onelogin.service-now.com/support?id=kb_article&sys_id=2fd988e697b72150c90c3b0e6253af7f&kb_category=de885d2187372d10695f0f66cebb351f)
- [Keycloak](https://www.keycloak.org/docs/latest/securing_apps/index.html#_oidc)
- [Ory](https://www.ory.sh/docs/getting-started/ory-network-oauth2#authorization-code-grant)
-- [Authentik](https://www.ory.sh/docs/oauth2-oidc/authorization-code-f)
+- [Authentik](https://docs.goauthentik.io/docs/providers/oauth2/)
## Setting up the universal OIDC connector
diff --git a/website/src/app/kb/deploy/dns/readme.mdx b/website/src/app/kb/deploy/dns/readme.mdx
index 46d07c2a5..b29388d57 100644
--- a/website/src/app/kb/deploy/dns/readme.mdx
+++ b/website/src/app/kb/deploy/dns/readme.mdx
@@ -77,7 +77,7 @@ network.
Custom resolvers such as
[Cloudflare](https://developers.cloudflare.com/1.1.1.1/setup/#1111-for-families)
- or [NextDNS](https://nextdns.io") can be used to block malware, ads, adult
+ or [NextDNS](https://nextdns.io) can be used to block malware, ads, adult
material and other content for all users in your Firezone account.
diff --git a/website/src/app/kb/quickstart/readme.mdx b/website/src/app/kb/quickstart/readme.mdx
index b9aca6e81..02aac1cb7 100644
--- a/website/src/app/kb/quickstart/readme.mdx
+++ b/website/src/app/kb/quickstart/readme.mdx
@@ -34,7 +34,7 @@ if you make a mistake or two.
## Prerequisites
- Firezone account. Don't have an account?
- [Sign up](https://app.firezone.dev/signup).
+ [Sign up](https://app.firezone.dev/sign_up).
- Resource you want to give users secure access to (e.g. prod server, database
SaaS application, or subnet)
- Server or VM you're able to deploy a Docker container or Linux binary on that
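Review bot: the signup URL fix is right (it now matches the `sign_up` link used in the blog posts in this patch), but the unchanged Resource bullet reads `prod server, database SaaS application, or subnet`, missing the comma between `database` and `SaaS application`; worth fixing while the list is being touched.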
@@ -43,7 +43,7 @@ if you make a mistake or two.
## Summary
1. **Sign in to your Firezone Admin Portal** (e.g.
- https://app.firezone.dev/example_company)
+ `https://app.firezone.dev/example_company`)
1. **Create a Site** - Sites are where admins manage Resources, and Gateways
that enable access to those Resources (e.g. US-West, Chicago-office).
1. **Deploy a Gateway** - Gateways are Site-specific, and provide connectivity
diff --git a/website/src/app/kb/reference/faq/readme.mdx b/website/src/app/kb/reference/faq/readme.mdx
index ff139dca7..99830adc3 100644
--- a/website/src/app/kb/reference/faq/readme.mdx
+++ b/website/src/app/kb/reference/faq/readme.mdx
@@ -101,7 +101,7 @@ Firezone does not store or handle end-user credentials like passwords.
#### Where should I run my Gateway(s)?
-Gateways are [released](https://github.com/firezonze/firezone/releases) as
+Gateways are [released](https://github.com/firezone/firezone/releases) as
self-contained binaries for Linux that we package as a Docker image or systemd
unit, which you can run on any Linux-based server or VM (e.g. on AWS, GCP,
Azure, or on-premise). You only need a single Gateway in each Site to provide
@@ -130,7 +130,7 @@ traffic.
Scaling Firezone to support your rapidly growing organization is as simple as
deploying additional Gateway servers. See our
-[Terraform Gateway deployment examples](https://www.github.com/firezone/firezone/blob/terraform/examples)
+[Terraform Gateway deployment examples](https://github.com/firezone/firezone/tree/main/terraform/examples)
for an idea of how to automate this process.
#### What protocol does Firezone use to encrypt traffic?
diff --git a/website/src/app/kb/reference/glossary/readme.mdx b/website/src/app/kb/reference/glossary/readme.mdx
index c1b6148ea..d5dac7997 100644
--- a/website/src/app/kb/reference/glossary/readme.mdx
+++ b/website/src/app/kb/reference/glossary/readme.mdx
@@ -3,12 +3,12 @@
**Account Slug**: A unique identifier for your Firezone account typically
generated automatically during sign up. This is used in the URL for your
Firezone admin portal, e.g.
-https://app.firezone.dev/**international-widget-corporation**. You can change
-your account slug by [contacting support](mailto:support@firezone.dev).
+`https://app.firezone.dev/international-widget-corporation`. You can change your
+account slug by [contacting support](mailto:support@firezone.dev).
**Admin Portal**: The web-based interface where you can manage your Firezone
account. You can access the admin portal at
-https://app.firezone.dev/**your-account-slug**.
+`https://app.firezone.dev/`.
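Review bot: the Admin Portal entry drops the slug from the URL entirely (`https://app.firezone.dev/`), yet the Account Slug entry directly above says the slug is `used in the URL for your Firezone admin portal` and gives `https://app.firezone.dev/international-widget-corporation` as its example. Either keep a placeholder in the Admin Portal URL, e.g. `https://app.firezone.dev/<your-account-slug>` in backticks, or explain that the bare URL redirects to the slugged one; as written the two entries contradict each other.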
**Actor**: An Actor is a [user](/kb/deploy/users) or
[service account](/kb/authenticate/service-accounts) that can authenticate to