diff --git a/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/index.mdx b/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/index.mdx
index e08968f5edba45..de6cae9d4f8c14 100644
--- a/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/index.mdx
+++ b/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/index.mdx
@@ -11,7 +11,7 @@ description: Authenticated Origin Pulls helps ensure requests to your origin
 
 import { FeatureTable } from "~/components"
 
-Authenticated Origin Pulls helps ensure requests to your origin server come from the Cloudflare network, which provides an additional layer of security on top of [Full](/ssl/origin-configuration/ssl-modes/full/) or [Full (strict)](/ssl/origin-configuration/ssl-modes/full-strict/) encryption modes.
+Authenticated Origin Pulls (AOP) helps ensure requests to your origin server come from the Cloudflare network, which provides an additional layer of security on top of [Full](/ssl/origin-configuration/ssl-modes/full/) or [Full (strict)](/ssl/origin-configuration/ssl-modes/full-strict/) encryption modes.
 
 This authentication becomes particularly important with the [Cloudflare Web Application Firewall (WAF)](/waf/). Together with the WAF, you can make sure that **all traffic** is evaluated before receiving a response from your origin server.
 
diff --git a/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/set-up/zone-level.mdx b/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/set-up/zone-level.mdx
index bbc2d95e082a4c..b6f293472638d1 100644
--- a/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/set-up/zone-level.mdx
+++ b/src/content/docs/ssl/origin-configuration/authenticated-origin-pull/set-up/zone-level.mdx
@@ -11,12 +11,19 @@ head:
 
 import { AvailableNotifications, Render } from "~/components"
 
-When you enable Authenticated Origin Pulls for a zone, all proxied traffic to your zone is authenticated at the origin web server.
+When you enable Authenticated Origin Pulls (AOP) for a zone, all proxied traffic to your zone is authenticated at the origin web server.
 
 ## Before you begin
 
 Make sure your zone is using an [SSL/TLS encryption mode](/ssl/origin-configuration/ssl-modes/) of **Full** or higher.
 
+:::caution
+
+Zone-level AOP certificates are also applied to [custom hostnames](/cloudflare-for-platforms/cloudflare-for-saas/domain-support/) configured on a Cloudflare for SaaS zone.
+If you need a different AOP certificate to apply to different custom hostnames, use [Per-hostname AOP](/ssl/origin-configuration/authenticated-origin-pull/set-up/per-hostname/).
+
+:::
+
 ## 1. Upload certificate to origin
 
 First, upload a certificate to your origin.