ngrok · nijikokun · Jan 10, 2025 · Jan 10, 2025
diff --git a/docs/integrations/amazon/oauth.mdx b/docs/integrations/amazon/oauth.mdx
@@ -2,6 +2,8 @@
 description: Authenticate users with Amazon OAuth
 ---
 
+import ConfigExample from "/src/components/ConfigExample.tsx";
+
 # Amazon OAuth
 
 ## Configure Login with Amazon
@@ -24,11 +26,57 @@ The step-by-step instructions below follow Amazon's documentation on [Register f
 5.  On the **Security Profile** page, click **Edit**, enter `https://idp.ngrok.com/oauth2/callback` in the **Allowed Return URLs** field, and then click **Save**.
     ![](/img/howto/oauth/2-amazon-register.png)
 
-### Update your ngrok edge configuration
+### Update your ngrok endpoint configuration
+
+1. Access the [ngrok Dashboard Endpoints page](https://dashboard.ngrok.com/endpoints?sortBy=createdAt&orderBy=desc) and locate an existing endpoint you'd like to add this to or create a new one.
+2. In your traffic policy, add the following configuration:
+
+<ConfigExample
+	snippetText={null}
+	showLineNumbers={true}
+	yamlMetastring="{4-10}"
+	jsonMetastring="{5-15}"
+	config={{
+		on_http_request: [
+			{
+				actions: [
+					{
+						type: "oauth",
+						config: {
+							provider: "amazon",
+							client_id: "{your app's OAuth client id}",
+							client_secret: "{your app's OAuth client secret}",
+							scopes: ["profile"],
+						},
+					},
+				],
+			},
+		],
+	}}
+/>
+
+3. Click **Save** to validate and update your traffic policy.
+
+4. Optionally, configure access control to your service by only allowing specific users or domains.
 
-1.  Access the [ngrok Dashboard](https://dashboard.ngrok.com/), sign in, create or edit an edge, and click **OAuth** to enable the OAuth configuration.
-2.  Select **Amazon** in the **Identity Provider** selector and then enter the **Client ID** and **Client Secret** values you copied previously in the corresponding fields.
-3.  Click **Save**.
+<ConfigExample
+	snippetText="Only allow access to [email protected]. Add this after your OAuth Action."
+	showLineNumbers={true}
+	config={{
+		on_http_request: [
+			{
+				expressions: [
+					"!(actions.ngrok.oauth.identity.email in ['[email protected]'])",
+				],
+				actions: [
+					{
+						type: "deny",
+					},
+				],
+			},
+		],
+	}}
+/>
 
 ### Additional application setup information
 

diff --git a/docs/traffic-policy/actions/oauth.mdx b/docs/traffic-policy/actions/oauth.mdx
@@ -2,6 +2,7 @@ import ActionBehavior from "/traffic-policy/actions/oauth/behavior.mdx";
 import ActionConfig from "/traffic-policy/actions/oauth/config.mdx";
 import ActionExamples from "/traffic-policy/actions/oauth/examples/index.mdx";
 import ActionOverview from "/traffic-policy/actions/oauth/index.mdx";
+import Pricing from "/traffic-policy/actions/oauth/pricing.mdx";
 import ActionVariables from "/traffic-policy/actions/oauth/variables.mdx";
 import ActionVariablesDescription from "/traffic-policy/common/action-variables-description.mdx";
 
@@ -16,3 +17,5 @@ import ActionVariablesDescription from "/traffic-policy/common/action-variables-
 
 <ActionVariablesDescription />
 <ActionVariables />
+
+<Pricing />
diff --git a/traffic-policy/actions/oauth/behavior.mdx b/traffic-policy/actions/oauth/behavior.mdx
@@ -24,27 +24,24 @@ prompt them to try logging in again.
 **If the user successfully authenticates with the identity provider**, ngrok
 will take the following actions:
 
-- Check any authorization constraints you've defined (like allowed
-  emails or allowed email domains). If the user is not authorized, ngrok renders
-  an error and prompts them to try logging in again.
 - Sets a [session cookie](#cookies) to avoid repeating the authentication flow again.
 - Redirects the user to the original URI path they were attempting to access
   before the authentication flow began. If no such URI path was captured, they
   are redirected to `/`.
+- Continue processing the rest of the traffic policy actions.
 
 ### Continuous Authorization
 
 When an authenticated user makes a request, ngrok will sometimes refresh a
 user's data from the identity provider (email, name, etc) and re-evaluate
-authorization constraints. This refresh is executed as a backchannel request to
+authorization constraints. This refresh is executed as a back channel request to
 the identity provider; it is transparent to the user and they do not go through
-a reauthentication flow.
+a re-authentication flow.
 
 The following circumstances trigger refresh and authorization re-evaluation:
 
-- On a periodic interval defined by the [userinfo_refresh_interval](/docs/traffic-policy/actions/oauth/#configuration-fields) parameter.
-- If you update the OAuth configuration of the endpoint by restarting your
-  agent with a new configuration.
+- On a periodic interval defined by the [`userinfo_refresh_interval`](/docs/traffic-policy/actions/oauth/#configuration-fields) parameter.
+- If you update the OAuth configuration of the endpoint either in the agent or through the dashboard.
 - If you update the OAuth configuration of the endpoint.
 
 If a previously authenticated user becomes unauthorized because their identity

diff --git a/traffic-policy/actions/oauth/config.mdx b/traffic-policy/actions/oauth/config.mdx
@@ -111,13 +111,11 @@ When this action is enabled, it populates the following fields in the
 | `oauth.user.id`       |
 | `oauth.user.name`     |
 
-### Pricing
-
-Identity actions are limited to 2,000 requests with actions applied per month. Additional actions are available in ngrok's pay-as-you-go plan.
-
 ### Supported Providers {#supported-providers}
 
-ngrok currently supports the following OAuth providers (see the Integration Guides for more details):
+ngrok currently supports the following OAuth providers (see the Integration Guides for more details). In some instances, ngrok has a
+[managed application](#managed-applications) that allows you to configure OAuth without setting up your own application in your provider. This is useful for testing and
+development, but when you move into production, we recommend using your own custom application in your specific provider.
 
 | Provider  | Provider Identifier | Managed App Available | Integration Guide                                    |
 | --------- | ------------------- | --------------------- | ---------------------------------------------------- |
@@ -132,7 +130,8 @@ ngrok currently supports the following OAuth providers (see the Integration Guid
 
 ### Required Scopes
 
-This is a list of the minimum required scopes for each provider. You can use this when configuring up your identity provider:
+This is a list of the minimum required scopes for each provider. You can use this when configuring your identity provider. These are not
+required when using the ngrok managed applications.
 
 | Provider  | Scopes                                                                                               |
 | --------- | ---------------------------------------------------------------------------------------------------- |

diff --git a/traffic-policy/actions/oauth/pricing.mdx b/traffic-policy/actions/oauth/pricing.mdx