22 changes: 21 additions & 1 deletion packages/@okta/vuepress-site/docs/concepts/policies/index.md
@@ -101,10 +101,30 @@ An [app sign-in policy](https://developer.okta.com/docs/api/openapi/okta-managem

You can create an app sign-in policy specifically for the app or create a few policies and [share them](https://help.okta.com/okta_help.htm?type=oie&id=ext-share-auth-policy) across multiple apps.

Use the [App sign-in policies page](https://help.okta.com/okta_help.htm?type=oie&id=ext-create-auth-policy) to modify an app's sign-in policy or switch to a different policy. See [Configure a global session policy and an app sign-in policy](/docs/guides/configure-signon-policy/main/). Also, you can [merge duplicate app sign-in policies with identical rules](https://help.okta.com/okta_help.htm?type=oie&id=ext-merge-auth-policies) to simplify policy management.
Use the [App sign-in policies page](https://help.okta.com/okta_help.htm?type=oie&id=ext-create-auth-policy) to modify an app's sign-in policy or switch to a different policy. See [Configure a global session policy and an app sign-in policy](/docs/guides/configure-signon-policy/main/). Also, you can [merge duplicate app sign-in policies with identical rules](https://help.okta.com/okta_help.htm?type=oie&id=policy-branches) to simplify policy management.

> **Note:** API service apps aren't automatically assigned a default app sign-in policy. You must explicitly assign an app sign-in policy to each API service app.

##### Staged policy branches

<ApiLifecycle access="ea" /><ApiLifecycle access="ie" />

> **Note:** This functionality is available as a self-service Early Access (EA) feature for Identity Engine orgs. To use it, enable the Change management for app sign-in policies feature. See [Self-service features](/docs/concepts/feature-lifecycle-management/#self-service-features).

App sign-in policies support branching which allows you to create and monitor staged branches. With staged policy branches, you draft, test, and deploy policy changes without affecting end users until you're satisfied that the staged policy is ready to go live.

An app sign-in policy can have one of the following branch states:

* **Live branch:** The set of policy rules that are currently enforced. This is the standard branch state for an app sign-in policy.
* **Staged branch:** A copy of the live policy that you've modified. Rules in a staged branch aren't evaluated or enforced until you push the branch to make it live.
* **Archived branch:** A set of policy rules that were previously live. When you push a staged branch to make it live, the previous live branch is archived.

Enable monitoring on a staged branch to evaluate its rules against real user traffic without enforcing them. This lets you assess the impact of your changes before deploying them.

To configure staged branches for an app sign-in policy, see [Manage staged app sign-in policy branches](https://help.okta.com/okta_help.htm?type=oie&id=ext-staged-policy-branches).

The Policies API exposes branch operations under `/api/v1/policies/{policyId}/branches`. The `okta.policies.manage` scope is required to perform these operations. See [Policies](https://developer.okta.com/docs/api/openapi/okta-management/management/tags/policy).

#### Okta account management policy

<ApiLifecycle access="ie" />
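Review bot: the merge link in the new version of the "Use the [App sign-in policies page]..." line now targets `id=policy-branches` instead of `id=ext-merge-auth-policies`, while its link text still reads "merge duplicate app sign-in policies with identical rules"; either the target change is unintended or the text has to describe the branches topic. It also introduces a second help-topic ID for branching next to `id=ext-staged-policy-branches` in "Manage staged app sign-in policy branches", so pick one. Two smaller points: "An app sign-in policy can have one of the following branch states" conflates the policy with its branches, since a policy keeps its live branch while also holding staged and archived ones, so "Each branch of an app sign-in policy is in one of the following states" reads correctly. And "The `okta.policies.manage` scope is required to perform these operations" covers reads and writes alike; if listing or reading branches works with `okta.policies.read`, say so, because readers granting API tokens or OAuth scopes should be able to choose the least-privileged one, and link to the branch operations themselves rather than the top-level Policies tag.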
@@ -50,13 +50,19 @@ You can specify any number of global session policies and the order in which the

In addition to the global session policy, you can configure app sign-in policies for each app for extra levels of authentication. You can also [share app sign-in policies across multiple apps](https://help.okta.com/okta_help.htm?type=oie&id=ext-share-auth-policy).

When you add an app, a shared default policy is automatically assigned to it. This policy has a single catch-all rule that allows a user access with two factors. You can add as many rules to the default policy as you need. However, remember that the changes are applied to both new and existing apps that are assigned to the shared default policy.
When you add an app, a shared default policy is automatically assigned to it. This policy has a single catch-all rule that allows a user access with two factors. You can add as many rules to the default policy as you need. But there can be only one app sign-in policy per app.

Remember that any changes to the default app sign-in policy are applied to both new and existing apps that are assigned to the shared default policy.

You don’t have to use the default app sign-in policy. You can create a policy specifically for an app, or you can [add an app to another existing shared policy](https://help.okta.com/okta_help.htm?type=oie&id=ext-share-auth-policy). If you change an app’s sign-in requirements, you can modify its policy or switch to a different shared policy. You can do this by using the [App sign-in policies page](https://help.okta.com/okta_help.htm?type=oie&id=ext-create-auth-policy).

> **Note:** API service apps aren't automatically assigned a default app sign-in policy. You must explicitly assign an app sign-in policy to each API service app.

You don’t have to use the default app sign-in policy. You can create a policy specifically for an app, or you can [add an app to another existing shared policy](https://help.okta.com/okta_help.htm?type=oie&id=ext-share-auth-policy). If you change an app’s sign-on requirements, you can modify its policy or switch to a different shared policy. You can do this by using the [App sign-in policies page](https://help.okta.com/okta_help.htm?type=oie&id=ext-create-auth-policy).
#### Policy branching

<ApiLifecycle access="ea" /><ApiLifecycle access="ie" />

> **Note:** There can be only one app sign-in policy per app.
App sign-in policies support branching. You can create and monitor staged branches, which lets you draft, test, and deploy policy changes without affecting end users until you're ready. See [Staged policy branches](/docs/concepts/policies/#staged-policy-branches).

## Configure sign-on policies for common scenarios

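Review bot: in the merged sentence "You can add as many rules to the default policy as you need. But there can be only one app sign-in policy per app.", the "But" contrasts two unrelated facts (how many rules a policy holds versus how many policies an app can have); make the constraint its own sentence, ideally beside the shared-policy text that follows, for example "An app can be assigned only one app sign-in policy at a time." Also, the new "Policy branching" section carries the EA lifecycle tag but not the note that the feature has to be enabled in the org (the concept page says to "enable the Change management for app sign-in policies feature"); a one-line pointer here saves readers a dead end when the branch options don't appear in their org.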
@@ -28,11 +28,13 @@ If you need a simple app for testing, see [Sign users in to your SPA using the r

You can use the Policy API to simulate real-world user requests to access an app. In the Admin Console, these simulations are run using the Access Testing Tool available from **Reports** > **Access testing tool**. See [Access Testing Tool](https://help.okta.com/okta_help.htm?type=oie&id=ext-access-test-tool). The API endpoint that underpins this tool is also available for developers to simulate policy configurations and to test app access. For full details on the API endpoint, see the [Policy API reference](https://developer.okta.com/docs/api/openapi/okta-management/management/tag/Policy/#tag/Policy/operation/createPolicySimulation).

The policy simulations run access tests based on existing policy configurations and which rules and settings are matched to create the authentication and enrollment requirements. Results of the tests determine individual or group access to an app. You can simulate matches for the following types of policies and rules:
The policy simulations run access tests based on existing policy configurations and which rules and settings are matched to create the authentication and enrollment requirements. Results of the tests determine individual or group access to an app.

You can simulate matches for the following types of policies and rules:

* App sign-in policies
* Authenticator enrollment policies
* Global Session Policies
* Global session policies
* User enrollment policies for apps

For background information on policies, see [Policies](/docs/concepts/policies) and [Global session and app sign-in policies](/docs/guides/configure-signon-policy/main/).
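Review bot: now that this PR adds policy branching, the "You can simulate matches for the following types of policies and rules" list should state which branch a Policy API simulation evaluates, since the concept page says rules in a staged branch "aren't evaluated or enforced until you push the branch"; if simulation runs only against the live branch, say so, and if it can target a staged branch, that is the natural way to test a draft before enabling monitoring, and it belongs here. The split sentence "The policy simulations run access tests based on existing policy configurations and which rules and settings are matched to create the authentication and enrollment requirements." is still hard to parse; "A simulation evaluates the existing policy configuration, reports which rules and settings matched, and shows the resulting authentication and enrollment requirements." keeps the meaning.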