diff --git a/site/app/images/aiapps.svg b/site/app/images/aiapps.svg
new file mode 100644
index 00000000..204be734
--- /dev/null
+++ b/site/app/images/aiapps.svg
@@ -0,0 +1,159 @@
+<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 width="100%" viewBox="0 0 230 215" enable-background="new 0 0 230 215" xml:space="preserve">
+<path fill="#F6F6F6" opacity="1.000000" stroke="none" 
+	d="
+M1.000000,105.000000 
+	C1.000000,70.000008 1.000000,35.500011 1.000000,1.000014 
+	C77.666649,1.000009 154.333298,1.000009 230.999954,1.000005 
+	C230.999969,72.666634 230.999969,144.333267 230.999985,215.999939 
+	C154.333374,215.999954 77.666763,215.999954 1.000070,215.999969 
+	C1.000000,179.166672 1.000000,142.333328 1.000000,105.000000 
+M76.500000,8.999713 
+	C67.338486,9.005629 58.173328,8.847980 49.016216,9.051785 
+	C30.417807,9.465719 14.316283,24.920807 14.134081,43.444565 
+	C13.783480,79.088867 13.811124,114.740891 14.117112,150.385971 
+	C14.272846,168.527649 29.733059,184.386963 47.857243,184.818390 
+	C70.499367,185.357391 93.163658,185.035355 115.817055,184.886017 
+	C117.467056,184.875153 119.979851,183.597305 120.504951,182.277374 
+	C121.029564,180.958649 119.855522,178.663300 118.900116,177.122208 
+	C117.158623,174.313095 114.633476,171.943329 113.166603,169.022934 
+	C111.560074,165.824509 109.403740,164.922058 106.031860,164.944199 
+	C88.042084,165.062286 70.051071,165.023376 52.060574,164.991150 
+	C40.616615,164.970657 34.020424,158.446701 34.010605,147.091278 
+	C33.981792,113.775467 33.985527,80.459595 34.008339,47.143761 
+	C34.016350,35.447018 40.521286,29.013248 52.321167,29.006716 
+	C85.470421,28.988363 118.619705,28.986746 151.768967,29.007614 
+	C163.518204,29.015011 169.972839,35.482521 169.993057,47.235619 
+	C170.019989,62.894020 170.094086,78.553429 169.939804,94.210358 
+	C169.895935,98.660278 171.065308,101.239555 176.046463,101.131454 
+	C177.984268,101.089386 179.995392,101.725876 181.878342,102.342621 
+	C188.673157,104.568237 190.025940,103.621948 190.029678,96.344612 
+	C190.038162,79.853271 190.059921,63.361870 190.025635,46.870602 
+	C189.978943,24.419048 174.496948,9.022137 151.960907,9.004291 
+	C127.140617,8.984634 102.320305,8.999747 76.500000,8.999713 
+M168.207703,194.324142 
+	C169.502823,197.558655 170.689560,200.842346 172.127762,204.011932 
+	C173.253906,206.493759 174.803650,207.005646 176.298111,204.213379 
+	C176.843689,203.193970 177.263153,202.100967 177.674026,201.016479 
+	C187.415833,175.304169 187.036240,176.577148 211.798004,166.949265 
+	C213.672943,166.220276 215.392197,165.090912 218.278885,163.571121 
+	C215.720139,162.206421 214.382004,161.344284 212.934372,160.747864 
+	C208.179977,158.789062 203.406525,156.872574 198.602295,155.039673 
+	C191.020554,152.147095 185.772858,146.992294 182.884293,139.379700 
+	C181.059937,134.571838 179.129440,129.801437 177.116684,125.069466 
+	C176.478058,123.568062 175.420517,122.244843 173.742401,119.522255 
+	C170.816132,126.696930 168.268219,132.387238 166.163147,138.236923 
+	C163.078873,146.807739 157.357956,152.489151 148.813202,155.540527 
+	C143.971802,157.269409 139.207520,159.224060 134.464996,161.211792 
+	C133.508713,161.612595 132.806885,162.620529 131.987747,163.348557 
+	C132.812546,164.230042 133.478363,165.446060 134.492935,165.928207 
+	C137.183899,167.207001 139.961578,168.388855 142.818237,169.218674 
+	C155.537262,172.913345 164.576782,180.319412 168.207703,194.324142 
+M56.038250,110.517059 
+	C53.981541,117.006401 51.848495,123.473389 49.935371,130.004791 
+	C49.571983,131.245392 49.561718,133.168961 50.281235,134.039948 
+	C52.554577,136.791855 60.757812,134.805740 61.922745,131.365738 
+	C63.079094,127.951065 64.117149,124.496330 65.185928,121.125839 
+	C76.216255,121.125839 86.859673,121.125839 97.765022,121.125839 
+	C98.939201,124.755348 100.011719,128.390900 101.299179,131.948669 
+	C102.322891,134.777573 108.022614,136.364059 111.708038,134.854889 
+	C115.294403,133.386292 113.502769,130.680252 112.808243,128.497238 
+	C105.911476,106.819626 99.005295,85.144348 91.938599,63.521755 
+	C88.595978,53.294056 91.003578,54.666439 79.415100,54.340946 
+	C75.406090,54.228344 73.510323,55.553162 72.309372,59.449608 
+	C67.125336,76.269081 61.623936,92.990738 56.038250,110.517059 
+M143.979156,132.013779 
+	C143.985992,108.218132 143.858887,84.421074 144.108688,60.627975 
+	C144.160843,55.660740 142.489410,54.354904 137.783875,54.371658 
+	C133.118774,54.388268 131.867645,56.039776 131.907913,60.556164 
+	C132.109650,83.185249 131.953110,105.817375 132.078705,128.447556 
+	C132.090332,130.540634 132.968933,134.298950 133.842636,134.420273 
+	C137.148911,134.879364 141.092010,136.800842 143.979156,132.013779 
+z"/>
+<path fill="#010101" opacity="1.000000" stroke="none" 
+	d="
+M77.000000,8.999713 
+	C102.320305,8.999747 127.140617,8.984634 151.960907,9.004291 
+	C174.496948,9.022137 189.978943,24.419048 190.025635,46.870602 
+	C190.059921,63.361870 190.038162,79.853271 190.029678,96.344612 
+	C190.025940,103.621948 188.673157,104.568237 181.878342,102.342621 
+	C179.995392,101.725876 177.984268,101.089386 176.046463,101.131454 
+	C171.065308,101.239555 169.895935,98.660278 169.939804,94.210358 
+	C170.094086,78.553429 170.019989,62.894020 169.993057,47.235619 
+	C169.972839,35.482521 163.518204,29.015011 151.768967,29.007614 
+	C118.619705,28.986746 85.470421,28.988363 52.321167,29.006716 
+	C40.521286,29.013248 34.016350,35.447018 34.008339,47.143761 
+	C33.985527,80.459595 33.981792,113.775467 34.010605,147.091278 
+	C34.020424,158.446701 40.616615,164.970657 52.060574,164.991150 
+	C70.051071,165.023376 88.042084,165.062286 106.031860,164.944199 
+	C109.403740,164.922058 111.560074,165.824509 113.166603,169.022934 
+	C114.633476,171.943329 117.158623,174.313095 118.900116,177.122208 
+	C119.855522,178.663300 121.029564,180.958649 120.504951,182.277374 
+	C119.979851,183.597305 117.467056,184.875153 115.817055,184.886017 
+	C93.163658,185.035355 70.499367,185.357391 47.857243,184.818390 
+	C29.733059,184.386963 14.272846,168.527649 14.117112,150.385971 
+	C13.811124,114.740891 13.783480,79.088867 14.134081,43.444565 
+	C14.316283,24.920807 30.417807,9.465719 49.016216,9.051785 
+	C58.173328,8.847980 67.338486,9.005629 77.000000,8.999713 
+z"/>
+<path fill="#030303" opacity="1.000000" stroke="none" 
+	d="
+M168.095367,193.956421 
+	C164.576782,180.319412 155.537262,172.913345 142.818237,169.218674 
+	C139.961578,168.388855 137.183899,167.207001 134.492935,165.928207 
+	C133.478363,165.446060 132.812546,164.230042 131.987747,163.348557 
+	C132.806885,162.620529 133.508713,161.612595 134.464996,161.211792 
+	C139.207520,159.224060 143.971802,157.269409 148.813202,155.540527 
+	C157.357956,152.489151 163.078873,146.807739 166.163147,138.236923 
+	C168.268219,132.387238 170.816132,126.696930 173.742401,119.522255 
+	C175.420517,122.244843 176.478058,123.568062 177.116684,125.069466 
+	C179.129440,129.801437 181.059937,134.571838 182.884293,139.379700 
+	C185.772858,146.992294 191.020554,152.147095 198.602295,155.039673 
+	C203.406525,156.872574 208.179977,158.789062 212.934372,160.747864 
+	C214.382004,161.344284 215.720139,162.206421 218.278885,163.571121 
+	C215.392197,165.090912 213.672943,166.220276 211.798004,166.949265 
+	C187.036240,176.577148 187.415833,175.304169 177.674026,201.016479 
+	C177.263153,202.100967 176.843689,203.193970 176.298111,204.213379 
+	C174.803650,207.005646 173.253906,206.493759 172.127762,204.011932 
+	C170.689560,200.842346 169.502823,197.558655 168.095367,193.956421 
+z"/>
+<path fill="#040404" opacity="1.000000" stroke="none" 
+	d="
+M56.138145,110.132523 
+	C61.623936,92.990738 67.125336,76.269081 72.309372,59.449608 
+	C73.510323,55.553162 75.406090,54.228344 79.415100,54.340946 
+	C91.003578,54.666439 88.595978,53.294056 91.938599,63.521755 
+	C99.005295,85.144348 105.911476,106.819626 112.808243,128.497238 
+	C113.502769,130.680252 115.294403,133.386292 111.708038,134.854889 
+	C108.022614,136.364059 102.322891,134.777573 101.299179,131.948669 
+	C100.011719,128.390900 98.939201,124.755348 97.765022,121.125839 
+	C86.859673,121.125839 76.216255,121.125839 65.185928,121.125839 
+	C64.117149,124.496330 63.079094,127.951065 61.922745,131.365738 
+	C60.757812,134.805740 52.554577,136.791855 50.281235,134.039948 
+	C49.561718,133.168961 49.571983,131.245392 49.935371,130.004791 
+	C51.848495,123.473389 53.981541,117.006401 56.138145,110.132523 
+M77.002502,84.505470 
+	C74.449661,92.516121 71.896820,100.526764 69.246727,108.842575 
+	C77.743874,108.842575 85.662163,108.842575 93.946808,108.842575 
+	C89.850281,96.213837 85.831551,83.824951 81.553146,70.635521 
+	C79.905777,75.576820 78.545998,79.655487 77.002502,84.505470 
+z"/>
+<path fill="#010101" opacity="1.000000" stroke="none" 
+	d="
+M143.917633,132.465973 
+	C141.092010,136.800842 137.148911,134.879364 133.842636,134.420273 
+	C132.968933,134.298950 132.090332,130.540634 132.078705,128.447556 
+	C131.953110,105.817375 132.109650,83.185249 131.907913,60.556164 
+	C131.867645,56.039776 133.118774,54.388268 137.783875,54.371658 
+	C142.489410,54.354904 144.160843,55.660740 144.108688,60.627975 
+	C143.858887,84.421074 143.985992,108.218132 143.917633,132.465973 
+z"/>
+<path fill="#F2F2F2" opacity="1.000000" stroke="none" 
+	d="
+M77.094360,84.119812 
+	C78.545998,79.655487 79.905777,75.576820 81.553146,70.635521 
+	C85.831551,83.824951 89.850281,96.213837 93.946808,108.842575 
+	C85.662163,108.842575 77.743874,108.842575 69.246727,108.842575 
+	C71.896820,100.526764 74.449661,92.516121 77.094360,84.119812 
+z"/>
+</svg>
\ No newline at end of file
diff --git a/site/app/styles/_overrides.scss b/site/app/styles/_overrides.scss
index 5b79d0c3..be5834ec 100644
--- a/site/app/styles/_overrides.scss
+++ b/site/app/styles/_overrides.scss
@@ -38,7 +38,7 @@ $color-partners: #7a5144;
 $color-templates: #EC407A;
 
 $icon-administration: 'administration.svg';
-$icon-aiapps: 'dataapps.svg';
+$icon-aiapps: 'aiapps.svg';
 $icon-dataapps: 'dataapps.svg';
 $icon-developers: 'developers.svg';
 $icon-embedding: 'embedding.svg';
@@ -61,7 +61,7 @@ $icon-templates: 'workbook-template.svg';
 @include codelab-card(['use-cases'], $color-use-cases, $icon-use-cases);
 @include codelab-card(['functions'], $color-functions, $icon-functions);
 @include codelab-card(['partners'], $color-partners, $icon-partners);
-@include codelab-card(['templates'], $color-templates, $icon-templates); 
+@include codelab-card(['templates'], $color-templates, $icon-templates);
 
 /** Categories in Use (so far):
 Administration
diff --git a/site/sigmaguides/src/security_oauth_pkce_secure_integration/security_oauth_pkce_secure_integration.md b/site/sigmaguides/src/security_oauth_pkce_secure_integration/security_oauth_pkce_secure_integration.md
index 1a3fd826..85b1e639 100644
--- a/site/sigmaguides/src/security_oauth_pkce_secure_integration/security_oauth_pkce_secure_integration.md
+++ b/site/sigmaguides/src/security_oauth_pkce_secure_integration/security_oauth_pkce_secure_integration.md
@@ -85,6 +85,30 @@ Here's how OAuth 2.0 works when a user accesses embedded Sigma content:
 <strong>KEY BENEFIT:</strong><br> OAuth 2.0 separates authentication from authorization, allowing fine-grained access control without sharing credentials.
 </aside>
 
+### Connection-Level vs Organization-Level OAuth
+
+When implementing OAuth with Sigma, you have two primary approaches for managing authentication:
+
+**Connection-Level OAuth:**
+- Each user authenticates individually with the data platform (Databricks, Snowflake, etc.)
+- Tokens are scoped to specific connections
+- **Supports PKCE for enhanced security** (this is the key advantage)
+- Ideal for embedded scenarios where user identity and individual permissions matter
+- Each query runs with the authenticated user's credentials
+- Provides the strongest audit trail and access control
+
+**Organization-Level OAuth:**
+- Uses a single service account or shared credentials for all users
+- All users query through the same organizational identity
+- Does not support PKCE
+- Simpler initial setup but less granular access control
+- Better for scenarios where all users have identical data permissions
+- Requires implementing Row-Level Security (RLS) separately if user-specific data access is needed
+
+<aside class="positive">
+<strong>IMPORTANT:</strong><br> Sigma supports PKCE exclusively for connection-level OAuth. This is a key reason to choose connection-level authentication when implementing embedded analytics with user-specific data access requirements and enhanced security needs.
+</aside>
+
 ### Why OAuth 2.0 for Sigma Deployments?
 
 **Security:**<br>
@@ -186,12 +210,14 @@ Consider an enterprise scenario where you want to embed Sigma dashboards into yo
 - Used for API requests
 - Included in request headers
 - Should never be logged or stored long-term
+- **Sigma Storage:** Access tokens are stored in buffer and encrypted using envelope encryption with AES256
 
 **Refresh Tokens**
-- Longer-lived (days to months)
+- Longer-lived (up to 90 days)
 - Used to obtain new access tokens
 - Must be stored securely
 - Can be revoked by authorization server
+- **Sigma Storage:** Refresh tokens are stored in MySQL, encrypted using unique keys per customer. Encryption keys are housed in a separate key store for enhanced security
 
 **Token Expiration Flow in Sigma**
 1. User views embedded Sigma dashboard, Sigma queries data with access token
@@ -256,29 +282,35 @@ OAuth 2.0 uses "scopes" to define what access a token grants. When Sigma integra
 ## Integration Architecture Patterns
 Duration: 10
 
-### Pattern 1: Direct User Authentication
+### Pattern 1: Connection-Level OAuth with PKCE (Direct User Authentication)
 
-**Scenario:** Users authenticate directly with data platform before accessing Sigma
+**Scenario:** Users authenticate directly with data platform before accessing Sigma using connection-level OAuth with PKCE
 
 **Flow:**
 1. User accesses embedded Sigma dashboard in your application
-2. Application redirects to Databricks OAuth login page
-3. User logs in with their Databricks credentials
-4. Databricks issues access token to your application
-5. Application passes token to Sigma via embed API
-6. Sigma queries Databricks using user's individual token and permissions
+2. Application generates PKCE code challenge and redirects to data platform OAuth login (e.g., Databricks)
+3. User logs in with their data platform credentials
+4. Data platform issues access token to your application after validating PKCE verifier
+5. Application passes encrypted token to Sigma via embed API
+6. Sigma queries data platform using user's individual token and permissions
 
 **Pros:**
+- **Supports PKCE for enhanced security** - protects against authorization code interception
 - True user-level access control in Sigma - each user sees only their authorized data
 - Complete audit trail showing exactly which user ran which Sigma queries
 - No credential management in your application or Sigma connections
-- Leverages Databricks Unity Catalog row-level security automatically
+- Leverages platform-native security (e.g., Databricks Unity Catalog row-level security)
+- Strongest security posture for embedded analytics
 
 **Cons:**
-- Requires all users to have individual Databricks accounts (licensing cost)
+- Requires all users to have individual data platform accounts (licensing cost)
 - Additional login step interrupts embedded Sigma user experience
 - More complex token management logic in your application
 
+<aside class="positive">
+<strong>RECOMMENDED FOR:</strong><br> Connection-level OAuth with PKCE is the preferred approach when security, auditability, and user-specific data access are primary requirements. This is the only pattern that supports PKCE in Sigma.
+</aside>
+
 ### Pattern 2: Service Account with Row-Level Security
 
 **Scenario:** Sigma connects using shared service account, data filtered by user attributes
@@ -326,12 +358,13 @@ Duration: 10
 
 ### Choosing the Right Pattern for Sigma
 
-**Use Direct Authentication when:**
-- You need strongest security and auditability for Sigma usage
-- Users already have individual data platform accounts
+**Use Connection-Level OAuth with PKCE (Pattern 1) when:**
+- You need the strongest security posture with PKCE protection
 - Regulatory compliance requires tracking which user ran which Sigma query
+- Users already have individual data platform accounts
 - Data sensitivity is very high (healthcare, financial)
 - You want to leverage platform-native permissions in Sigma dashboards
+- Enhanced security against authorization code interception is required
 
 **Use Service Account with RLS when:**
 - Embedding Sigma for external customers who don't have platform accounts
@@ -499,4 +532,4 @@ Be sure to check out all the latest developments at [Sigma's First Friday Featur
 
 ![Footer](assets/sigma_footer.png)
 <!-- END OF WHAT WE COVERED -->
-<!-- END OF QUICKSTART -->
+<!-- END OF QUICKSTART -->
\ No newline at end of file