diff --git a/docs/how-to/multicluster-gateways-walkthrough.md b/docs/how-to/multicluster-gateways-walkthrough.md
index 77dd30653..bb1c65935 100644
--- a/docs/how-to/multicluster-gateways-walkthrough.md
+++ b/docs/how-to/multicluster-gateways-walkthrough.md
@@ -357,6 +357,8 @@ So now we have a working gateway with DNS and TLS configured. Let place this gat
 If you want you can use ```watch dig echo.$MGC_ZONE_ROOT_DOMAIN``` to see the DNS switching between the two addresses
 
 ## Follow-on Walkthroughs
-Some good follow-on walkthroughs that build on this walkthrough
+Here are some good, follow-on guides that build on this walkthrough:
 
+* [Simple RateLimitPolicy for App Developers](./simple-ratelimitpolicy-for-app-developers.md)
+* [Simple AuthPolicy for App Developers](./simple-authpolicy-for-app-developers.md)
 * [Deploying/Configuring Metrics.](../how-to/metrics-walkthrough.md)
\ No newline at end of file
diff --git a/docs/how-to/ratelimitpolicy-walkthrough.md b/docs/how-to/ratelimitpolicy-walkthrough.md
deleted file mode 100644
index 64e41da6e..000000000
--- a/docs/how-to/ratelimitpolicy-walkthrough.md
+++ /dev/null
@@ -1,157 +0,0 @@
-# Simple Rate Limiting for Application Developers
-
-This user guide walks you through an example of how to configure rate limiting for an endpoint of an application using Kuadrant.
-
-<br/>
-
-In this guide, we will rate limit a sample REST API called **Toy Store**. In reality, this API is just an echo service that echoes back to the user whatever attributes it gets in the request. The API listens to requests at the hostname `api.toystore.com`, where it exposes the endpoints `GET /toys*` and `POST /toys`, respectively, to mimic a operations of reading and writing toy records.
-
-We will rate limit the `POST /toys` endpoint to a maximum of 5rp10s ("5 requests every 10 seconds").
-
-<br/>
-
-## Run the steps ① → ③
-
-### ① Setup
-
-This step uses tooling from the Kuadrant Operator component to create a containerized Kubernetes server locally using [Kind](https://kind.sigs.k8s.io),
-where it installs Istio, Kubernetes Gateway API and Kuadrant itself.
-
-> **Note:** In production environment, these steps are usually performed by a cluster operator with administrator privileges over the Kubernetes cluster.
-
-Clone the project:
-
-```sh
-git clone https://github.com/Kuadrant/kuadrant-operator && cd kuadrant-operator
-```
-
-Setup the environment:
-
-```sh
-make local-setup
-```
-
-Request an instance of Kuadrant:
-
-```sh
-kubectl -n kuadrant-system apply -f - <<EOF
-apiVersion: kuadrant.io/v1beta1
-kind: Kuadrant
-metadata:
-  name: kuadrant
-spec: {}
-EOF
-```
-
-### ② Deploy the Toy Store API
-
-Create the deployment:
-
-```sh
-kubectl apply -f examples/toystore/toystore.yaml
-```
-
-Create a HTTPRoute to route traffic to the service via Istio Ingress Gateway:
-
-![](https://i.imgur.com/rdN8lo3.png)
-
-```sh
-kubectl apply -f - <<EOF
-apiVersion: gateway.networking.k8s.io/v1beta1
-kind: HTTPRoute
-metadata:
-  name: toystore
-spec:
-  parentRefs:
-  - name: istio-ingressgateway
-    namespace: istio-system
-  hostnames:
-  - api.toystore.com
-  rules:
-  - matches:
-    - method: GET
-      path:
-        type: PathPrefix
-        value: "/toys"
-    backendRefs:
-    - name: toystore
-      port: 80
-  - matches: # it has to be a separate HTTPRouteRule so we do not rate limit other endpoints
-    - method: POST
-      path:
-        type: Exact
-        value: "/toys"
-    backendRefs:
-    - name: toystore
-      port: 80
-EOF
-```
-
-Verify the route works:
-
-```sh
-curl -H 'Host: api.toystore.com' http://localhost:9080/toys -i
-# HTTP/1.1 200 OK
-```
-
-> **Note**: If the command above fails to hit the Toy Store API on your environment, try forwarding requests to the service:
->
-> ```sh
-> kubectl port-forward -n istio-system service/istio-ingressgateway 9080:80 2>&1 >/dev/null &
-> ```
-
-### ③ Enforce rate limiting on requests to the Toy Store API
-
-Create a Kuadrant `RateLimitPolicy` to configure rate limiting:
-
-![](https://i.imgur.com/2A9sXXs.png)
-
-```sh
-kubectl apply -f - <<EOF
-apiVersion: kuadrant.io/v1beta2
-kind: RateLimitPolicy
-metadata:
-  name: toystore
-spec:
-  targetRef:
-    group: gateway.networking.k8s.io
-    kind: HTTPRoute
-    name: toystore
-  limits:
-    "create-toy":
-      rates:
-      - limit: 5
-        duration: 10
-        unit: second
-      routeSelectors:
-      - matches: # selects the 2nd HTTPRouteRule of the targeted route
-        - method: POST
-          path:
-            type: Exact
-            value: "/toys"
-EOF
-```
-
-> **Note:** It may take a couple of minutes for the RateLimitPolicy to be applied depending on your cluster.
-
-<br/>
-
-Verify the rate limiting works by sending requests in a loop.
-
-Up to 5 successful (`200 OK`) requests every 10 seconds to `POST /toys`, then `429 Too Many Requests`:
-
-```sh
-while :; do curl --write-out '%{http_code}' --silent --output /dev/null -H 'Host: api.toystore.com' http://localhost:9080/toys -X POST | egrep --color "\b(429)\b|$"; sleep 1; done
-```
-
-Unlimited successful (`200 OK`) to `GET /toys`:
-
-```sh
-while :; do curl --write-out '%{http_code}' --silent --output /dev/null -H 'Host: api.toystore.com' http://localhost:9080/toys | egrep --color "\b(429)\b|$"; sleep 1; done
-```
-
-## Cleanup
-
-```sh
-make local-cleanup
-```
diff --git a/docs/how-to/simple-authpolicy-for-app-developers.md b/docs/how-to/simple-authpolicy-for-app-developers.md
new file mode 100644
index 000000000..66fd6f412
--- /dev/null
+++ b/docs/how-to/simple-authpolicy-for-app-developers.md
@@ -0,0 +1,222 @@
+# Authenticated API for Application Developers
+
+This user guide walks you how to configure and protect Gateway API endpoints by declaring Kuadrant `AuthPolicy` custom resources.
+
+## Requirements
+
+- Complete the [Multicluster Gateways Walkthrough](./multicluster-gateways-walkthrough.md), and you'll have an environment configured with a Gateway that we'll use in this guide.
+
+## Setup
+
+### ①  Deploy the Toy Store API
+
+#### Create the Deployment
+
+> **Note:** You can skip this step and proceed to [Create the HTTPRoute](#create-the-httproute) if you've already deployed the Toy Store API as part of [the RateLimitPolicy for App Developers guide](./simple-ratelimitpolicy-for-app-developers.md#-deploy-the-toy-store-api).
+
+Create the deployments for both clusters (`kind-mgc-control-plane` & `kind-mgc-workload-1`) we've created previously in the [Multicluster Gateways Walkthrough](./multicluster-gateways-walkthrough.md):
+
+```sh
+for context in kind-mgc-control-plane kind-mgc-workload-1; do kubectl --context $context apply -f - <<EOF
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: toystore
+  labels:
+    app: toystore
+spec:
+  selector:
+    matchLabels:
+      app: toystore
+  template:
+    metadata:
+      labels:
+        app: toystore
+    spec:
+      containers:
+        - name: toystore
+          image: quay.io/3scale/authorino:echo-api
+          env:
+            - name: PORT
+              value: "3000"
+          ports:
+            - containerPort: 3000
+              name: http
+  replicas: 1
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: toystore
+spec:
+  selector:
+    app: toystore
+  ports:
+    - name: http
+      port: 80
+      protocol: TCP
+      targetPort: 3000
+EOF
+done
+```
+
+#### Create the HTTPRoute
+
+Create a HTTPRoute to route traffic to the service via our previously configured Gateway:
+
+![](https://i.imgur.com/rdN8lo3.png)
+
+```sh
+for context in kind-mgc-control-plane kind-mgc-workload-1; do kubectl --context $context apply -f - <<EOF
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: toystore
+spec:
+  parentRefs:
+    - kind: Gateway
+      name: prod-web
+      namespace: kuadrant-multi-cluster-gateways
+  hostnames:
+  - toystore.$MGC_ZONE_ROOT_DOMAIN
+  rules:
+  - matches:
+    - method: GET
+      path:
+        type: PathPrefix
+        value: "/cars"
+    - method: GET
+      path:
+        type: PathPrefix
+        value: "/dolls"
+    backendRefs:
+    - name: toystore
+      port: 80
+  - matches:
+    - path:
+        type: PathPrefix
+        value: "/admin"
+    backendRefs:
+    - name: toystore
+      port: 80
+EOF
+done
+```
+
+Send requests to the unprotected API:
+
+```sh
+curl -ik https://toystore.$MGC_ZONE_ROOT_DOMAIN/cars
+# HTTP/1.1 200 OK
+```
+
+```sh
+curl -ik https://toystore.$MGC_ZONE_ROOT_DOMAIN/dolls
+# HTTP/1.1 200 OK
+```
+
+```sh
+curl -ik https://toystore.$MGC_ZONE_ROOT_DOMAIN/admin
+# HTTP/1.1 200 OK
+```
+
+### ② Protect the API
+
+Create a a Kuadrant `AuthPolicy` to enforce the following auth rules:
+- **Authentication:**
+  - All users must present a valid API key when accessing the `admin` API
+- **Authorization:**
+  - `/admin*` routes require user mapped to the `admins` group (`kuadrant.io/groups=admins` annotation added to the Kubernetes API key Secret)
+
+```bash
+for context in kind-mgc-control-plane kind-mgc-workload-1; do kubectl --context $context apply -f - <<EOF
+apiVersion: kuadrant.io/v1beta1
+kind: AuthPolicy
+metadata:
+  name: toystore
+spec:
+  targetRef:
+    group: gateway.networking.k8s.io
+    kind: HTTPRoute
+    name: toystore
+  rules:
+  - paths: ["/admin"]
+  authScheme:
+    identity:
+    - name: api-key-users
+      apiKey:
+        selector:
+          matchLabels:
+            app: toystore
+        allNamespaces: true
+      credentials:
+        in: authorization_header
+        keySelector: APIKEY
+    response:
+    - name: identity
+      json:
+        properties:
+        - name: userid
+          valueFrom:
+            authJSON: auth.identity.metadata.annotations.secret\.kuadrant\.io/user-id
+      wrapper: envoyDynamicMetadata
+EOF
+done
+```
+
+<details>
+  <summary>(Optional) Verify internal custom resources reconciled by Kuadrant</summary>
+  <br/>
+
+  Verify the Authorino AuthConfig created in association with the policy:
+
+  ```sh
+  kubectl get authconfig/ap-default-toystore -o yaml
+  ```
+</details>
+
+
+Create the API key:
+
+```sh
+for context in kind-mgc-control-plane kind-mgc-workload-1; do kubectl --context $context apply -f - <<EOF
+apiVersion: v1
+kind: Secret
+metadata:
+  name: api-key-admin-user
+  labels:
+    authorino.kuadrant.io/managed-by: authorino
+    app: toystore
+  annotations:
+    kuadrant.io/groups: admins
+stringData:
+  api_key: iamanadmin
+type: Opaque
+EOF
+done
+```
+
+Send requests to the API protected by Kuadrant:
+
+```sh
+curl -ik https://toystore.$MGC_ZONE_ROOT_DOMAIN/cars
+# HTTP/1.1 200 OK - Unprotected API
+```
+
+```sh
+curl -ik https://toystore.$MGC_ZONE_ROOT_DOMAIN/admin
+# HTTP/1.1 401 Unauthorized
+```
+
+```sh
+curl -ik -H 'Authorization: APIKEY iamanadmin' https://toystore.$MGC_ZONE_ROOT_DOMAIN/admin
+# HTTP/1.1 200 OK
+```
+
+
+## Next Steps
+
+Here are some good, follow-on guides that build on this walkthrough:
+
+* [Simple RateLimitPolicy for App Developers](./simple-ratelimitpolicy-for-app-developers.md)
+* [Deploying/Configuring Metrics.](../how-to/metrics-walkthrough.md)
\ No newline at end of file
diff --git a/docs/how-to/simple-ratelimitpolicy-for-app-developers.md.md b/docs/how-to/simple-ratelimitpolicy-for-app-developers.md.md
new file mode 100644
index 000000000..8a1bec5f0
--- /dev/null
+++ b/docs/how-to/simple-ratelimitpolicy-for-app-developers.md.md
@@ -0,0 +1,166 @@
+# Simple Rate Limiting for Application Developers
+
+This user guide walks you through an example of how to configure rate limiting for an endpoint of an application using Kuadrant.
+
+## Requirements
+
+- Complete the [Multicluster Gateways Walkthrough](./multicluster-gateways-walkthrough.md), and you'll have an environment configured with a Gateway that we'll use in this guide.
+
+## Overview
+
+In this guide, we will rate limit a sample REST API called **Toy Store**. In reality, this API is just an echo service that echoes back to the user whatever attributes it gets in the request. The API listens to requests at the hostname `api.$MGC_ZONE_ROOT_DOMAIN`, where it exposes the endpoints `GET /toys*` and `POST /toys`, respectively, to mimic a operations of reading and writing toy records.
+
+We will rate limit the `POST /toys` endpoint to a maximum of 5rp10s ("5 requests every 10 seconds").
+
+### ① Deploy the Toy Store API
+
+Create the deployments for both clusters we've created previously (`kind-mgc-control-plane` & `kind-mgc-workload-1`):
+
+```bash
+for context in kind-mgc-control-plane kind-mgc-workload-1; do kubectl --context $context apply -f - <<EOF
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: toystore
+  labels:
+    app: toystore
+spec:
+  selector:
+    matchLabels:
+      app: toystore
+  template:
+    metadata:
+      labels:
+        app: toystore
+    spec:
+      containers:
+        - name: toystore
+          image: quay.io/3scale/authorino:echo-api
+          env:
+            - name: PORT
+              value: "3000"
+          ports:
+            - containerPort: 3000
+              name: http
+  replicas: 1
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: toystore
+spec:
+  selector:
+    app: toystore
+  ports:
+    - name: http
+      port: 80
+      protocol: TCP
+      targetPort: 3000
+EOF
+done
+```
+
+Create a HTTPRoute to route traffic to the services via the Gateways:
+
+![](https://i.imgur.com/rdN8lo3.png)
+
+```sh
+for context in kind-mgc-control-plane kind-mgc-workload-1; do kubectl --context $context apply -f - <<EOF
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: HTTPRoute
+metadata:
+  name: toystore
+spec:
+  parentRefs:
+    - kind: Gateway
+      name: prod-web
+      namespace: kuadrant-multi-cluster-gateways
+  hostnames:
+  - toystore.$MGC_ZONE_ROOT_DOMAIN
+  rules:
+  - matches:
+    - method: GET
+      path:
+        type: PathPrefix
+        value: "/toys"
+    backendRefs:
+    - name: toystore
+      port: 80
+  - matches: # it has to be a separate HTTPRouteRule so we do not rate limit other endpoints
+    - method: POST
+      path:
+        type: Exact
+        value: "/toys"
+    backendRefs:
+    - name: toystore
+      port: 80
+EOF
+done
+```
+
+Verify the routes work:
+
+```sh
+curl -ik https://toystore.$MGC_ZONE_ROOT_DOMAIN/toys
+# HTTP/1.1 200 OK
+```
+
+Given the two clusters, and our previously created `DNSPolicy`, traffic with load balance between these clusters round-robin style. Load balancing here will be determined in part by DNS TTLs, so it can take a minute or two for requests to flow to both services.
+
+### ② Enforce rate limiting on requests to the Toy Store API
+
+Create a Kuadrant `RateLimitPolicy` to configure rate limiting:
+
+![](https://i.imgur.com/2A9sXXs.png)
+
+```sh
+for context in kind-mgc-control-plane kind-mgc-workload-1; do kubectl --context $context apply -f - <<EOF
+apiVersion: kuadrant.io/v1beta2
+kind: RateLimitPolicy
+metadata:
+  name: toystore
+spec:
+  targetRef:
+    group: gateway.networking.k8s.io
+    kind: HTTPRoute
+    name: toystore
+  limits:
+    "create-toy":
+      rates:
+      - limit: 5
+        duration: 10
+        unit: second
+      routeSelectors:
+      - matches: # selects the 2nd HTTPRouteRule of the targeted route
+        - method: POST
+          path:
+            type: Exact
+            value: "/toys"
+EOF
+done
+```
+
+> **Note:** It may take a couple of minutes for the RateLimitPolicy to be applied depending on your cluster.
+
+<br/>
+
+Verify the rate limiting works by sending requests in a loop.
+
+Up to 5 successful (`200 OK`) requests every 10 seconds to `POST /toys`, then `429 Too Many Requests`:
+
+```sh
+while :; do curl --write-out '%{http_code}' --silent -k --output /dev/null https://toystore.$MGC_ZONE_ROOT_DOMAIN/toys -X POST | egrep --color "\b(429)\b|$"; sleep 1; done
+```
+
+Unlimited successful (`200 OK`) to `GET /toys`:
+
+```sh
+while :; do curl --write-out '%{http_code}' --silent -k  --output /dev/null https://toystore.$MGC_ZONE_ROOT_DOMAIN/toys | egrep --color "\b(429)\b|$"; sleep 1; done
+```
+
+## Next Steps
+
+Here are some good, follow-on guides that build on this walkthrough:
+
+* [Simple AuthPolicy for App Developers](./simple-authpolicy-for-app-developers.md)
+* [Deploying/Configuring Metrics.](../how-to/metrics-walkthrough.md)
\ No newline at end of file
