diff --git a/website/content/docs/api-gateway/index.mdx b/website/content/docs/api-gateway/index.mdx
index d00e54bf7..a5bfd9dc8 100644
--- a/website/content/docs/api-gateway/index.mdx
+++ b/website/content/docs/api-gateway/index.mdx
@@ -38,7 +38,7 @@ are used, see the [documentation in our GitHub repo](https://github.com/hashicor
| [`Gateway`](https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.Gateway) |
- Supported protocols: `HTTP`, `HTTPS`, `TCP`
- Header-based hostname matching (no SNI support)
- Supported filters: header addition, removal, and setting
- TLS modes supported: `terminate`
- Certificate types supported: `core/v1/Secret`
- Extended options: TLS version and cipher constraints
|
| [`HTTPRoute`](https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.HTTPRoute) | - Weight-based load balancing
- Supported rules: path, header, query, and method-based matching
- Supported filters: header addition, removal, and setting
- Supported backend types:
- `core/v1/Service` (must map to a registered Consul service)
- `api-gateway.consul.hashicorp.com/v1alpha1/MeshService`
|
| [`TCPRoute`](https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.TCPRoute) | - Supported backend types:
- `core/v1/Service` (must map to a registered Consul service)
- `api-gateway.consul.hashicorp.com/v1alpha1/MeshService`
|
-| [`ReferencePolicy`](https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.ReferencePolicy) | - Required to allow any reference from a `Gateway` to a Kubernetes `core/v1/Secret` in a different namespace.
- Required to allow any reference from an `HTTPRoute` or `TCPRoute` to a Kubernetes `core/v1/Service` in a different namespace.
- A route with an unpermitted BackendRef caused by the lack of a ReferencePolicy sets a `ResolvedRefs` status to `False` with the reason `RefNotPermitted`. The gateway listener rejects routes with an unpermitted BackendRef.
- WARNING: If a route BackendRef becomes unpermitted, the entire route is removed from the gateway listener.
- A BackendRef can become unpermitted when you delete a Reference Policy or add a new unpermitted BackendRef to an existing route.
|
+| [`ReferencePolicy`](https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.ReferencePolicy) | - Required to allow any reference from a `Gateway` to a Kubernetes `core/v1/Secret` in a different namespace.
- A Gateway with an unpermitted CertificateRef caused by the lack of a ReferencePolicy sets a `ResolvedRefs` status to `False` with the reason `InvalidCertificateRef`. The Gateway will not become ready in this case.
- Required to allow any reference from an `HTTPRoute` or `TCPRoute` to a Kubernetes `core/v1/Service` in a different namespace.
- A route with an unpermitted BackendRef caused by the lack of a ReferencePolicy sets a `ResolvedRefs` status to `False` with the reason `RefNotPermitted`. The gateway listener rejects routes with an unpermitted BackendRef.
- WARNING: If a route BackendRef becomes unpermitted, the entire route is removed from the gateway listener.
- A BackendRef can become unpermitted when you delete a Reference Policy or add a new unpermitted BackendRef to an existing route.
|
## Additional Resources
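Review bot: The new CertificateRef bullet in the `ReferencePolicy` row covers only the case where the ReferencePolicy is missing from the start. It does not say what happens to a Gateway that is already ready when its CertificateRef later becomes unpermitted, for example after the ReferencePolicy is deleted. The BackendRef bullets below it spell that case out with a WARNING ("the entire route is removed from the gateway listener") and a sentence on how a BackendRef can become unpermitted. Operators need the same statement for certificates, since it determines whether deleting a policy takes a TLS listener down or leaves it serving with a Secret from a namespace that no longer grants access. Please add a matching sentence for CertificateRef. Two smaller points on the same bullet: the reason is `InvalidCertificateRef` while the parallel BackendRef case uses `RefNotPermitted`, so confirm this is the exact reason string the controller sets and, if so, consider noting that the names differ; and "sets a `ResolvedRefs` status" should say whether the condition is reported on the Gateway or on the listener, so readers know where to look when the Gateway does not become ready.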