diff --git a/developer/roc-api.rst b/developer/roc-api.rst
index 2708450..2ba3605 100644
--- a/developer/roc-api.rst
+++ b/developer/roc-api.rst
@@ -15,7 +15,7 @@
 .. note:: Opening this in a browser will display a HTML view of the API (powered by *ReDoc*).
 
     To access the raw YAML format use
-    ``curl -H "Accept: application/yaml" http://localhost:8183/aether-roc-api/aether-3.0.0-openapi3.yaml``
+    ``curl -H "Accept: application/yaml" http://localhost:8183/aether-roc-api/aether-4.0.0-openapi3.yaml``
     This YAML format can be imported in to various different tools e.g. |postman_link|
 
 Background
@@ -33,10 +33,10 @@
 
 Endpoints are named based on the type of object. Some examples:
 
-* `GET http://roc/aether/v3.0.0/connectivity-service-v3/enterprise/`. Get a list of enterprises.
-* `GET http://roc/aether/v3.0.0/connectivity-service-v3/enterprise/Starbucks`. Get the Starbucks enterprise.
-* `POST http://roc/aether/v3.0.0/connectivity-service-v3/enterprise`. Create a new enterprise.
-* `PATCH http://roc/aether/v3.0.0/connectivity-service-v3/site/Starbucks-NewYork`. Update the Starbucks New York site.
+* `GET http://roc/aether/v4.0.0/connectivity-service-v3/enterprise/`. Get a list of enterprises.
+* `GET http://roc/aether/v4.0.0/connectivity-service-v3/enterprise/Starbucks`. Get the Starbucks enterprise.
+* `POST http://roc/aether/v4.0.0/connectivity-service-v3/enterprise`. Create a new enterprise.
+* `PATCH http://roc/aether/v4.0.0/connectivity-service-v3/site/Starbucks-NewYork`. Update the Starbucks New York site.
 
 This document is a high-level description of the objects that can be interacted with. For a
 low-level description, see the specification (:ref:`developer/roc-api:Access` section above).
@@ -48,6 +48,10 @@
 the scope of a particular type of object. For example, a site may be named `foo` and a device-group
 may also be named `foo`, and the two names do not conflict because they are different object types.
 
+In addition to the `id`, most identifiable objects also include a `display-name`. The `display-name`
+may be changed at any time by the user without affecting behavior. In contrast, the `id` is immutable,
+and the only way to change an `id` is to delete the object and make a new one.
+
 Some objects contain references to other objects. For example, many objects contain references to
 the `Enterprise` object, which allows them to be associated with a particular enterprise. References
 are constructed using the `id` field of the referenced object. It is an error to attempt to create
@@ -99,6 +103,24 @@
      `CCCNNNEEESSSSSS` will construct IMSIs using a 3-digit MCC, 3-digit MNC, 3-digit ENT, and a
      6-digit subscriber.
 
+* `small-cell` A list of 5G gNodeB or Access Point or Radios. Each small cell has the following:
+
+    * `small-cell-id`. Identifier for the small cell. Serves the same purpose as other `id` fields.
+    * `address`. Hostname of the small cell.
+    * `tac`. Type Allocation Code.
+    * `enable`. If set to `true`, the small cell is enabled. Otherwise, it is disabled.
+
+* `monitoring` Configuration of how the monitoring framework of the site can be connected:
+
+    * `edge-cluster-prometheus-url` the URL of the site's Edge cluster Prometheus service
+    * `edge-monitoring-prometheus-url` the URL of the site's Edge monitoring Prometheus service
+    * `edge-device` a list of monitoring devices that verify end-to-end connectivity
+
+        * `edge-device-id` the identifier of the edge monitoring device. Serves the same purpose as other `id` fields.
+        * `display-name` the user-friendly name for the edge device. It is recommended that the short hostname
+          be used for the `display-name` as a convention.
+        * `description` an optional description
+
 Device-Group
 ~~~~~~~~~~~~
 
@@ -108,15 +130,25 @@
 * `imsis`. A list of IMSI ranges. Each range has the following
   fields:
 
-   * `name`. Name of the range. Used as a key.
+   * `imsi-id`. Identifier of the IMSI. Serves the same purpose as other `id` fields.
    * `imsi-range-from`. First subscriber in the range.
    * `imsi-range-to`. Last subscriber in the range. Can be omitted if the range only contains one
-     IMSI.
+     IMSI. It is recommended to not use this feature, and to represent all IMSIs as singletons. This
+     field will be deprecated in the future.
 * `ip-domain`. Reference to an `IP-Domain` object that describes the IP and DNS settings for UEs
   within this group.
 * `site`. Reference to the site where this `Device-Group` may be used. Indirectly identifies the
   `Enterprise` as `Site` contains a reference to `Enterprise`.
 
+* `device`. Per-device related QoS settings:
+
+   * `mbr`. The maximum bitrate in bits per second that the application will be limited to:
+
+      * `uplink` the `mbr` from device to slice
+      * `downlink` the `mbr` from slice to device
+
+   * `traffic-class`. The traffic class to be used for devices in this group.
+
 Virtual Cellular Service
 ~~~~~~~~~~~~~~~~~~~~~~~~
 
@@ -126,17 +158,23 @@
 * `device-group`. A list of `Device-Group` objects that can participate in this `VCS`. Each
   entry in the list contains both the reference to the `Device-Group` as well as an `enable`
   field which may be used to temporarily remove access to the group.
-* `application`. A list of `Application` objects that are either allowed or denied for this
+* `default-behavior`. May be set to either `ALLOW-ALL`, `DENY-ALL`, or `ALLOW-PUBLIC`. This is
+  the rule to use if no other rule in the filter matches. `ALLOW-PUBLIC` is a special alias
+  that denies all private networks and then allows everything else.
+* `filter`. A list of `Application` objects that are either allowed or denied for this
   `VCS`. Each entry in the list contains both a reference to the `Application` as well as an
-  `allow` field which can be set to `true` to allow the application or `false` to deny it.
-* `template`. Reference to the `Template` that was used to initialize this `VCS`.
+  `allow` field which can be set to `true` to allow the application or `false` to deny it. It
+  also has a `priority` field which can be used to order the applications when considering the
+  enforcing of their `allow` or `deny` conditions.
 * `upf`. Reference to the User Plane Function (`UPF`) that should be used to process packets
   for this `VCS`. It's permitted for multiple `VCS` to share a single `UPF`.
-* `ap`. Reference to an Access Point List (`AP-List`) that lists the access points for this
-  `VCS`.
 * `enterprise`. Reference to the `Enterprise` that owns this `VCS`.
-* `SST`, `SD`, `uplink`, `downlink`, `traffic-class`. Parameters that were initialized using the
-  `template`. They are described in the section for the `Template` model.
+* `site`. Reference to the `Site` where this `VCS` is deployed. Aether maintains the restriction
+  that the `Site` of the `UPF` and `Device-Group` must match the `Site` of the `VCS`.
+* `SST`, `SD`. Slice identifiers. These are assigned by Aether Operations.
+* `slice.mbr.uplink`, `slice.mbr.downlink`. Slice-total Uplink and downlink maximum bit rates in bps.
+* `slice.mbr.uplink-burst-size`, `slice.mbr.downlink-burst-size`. Maximum burst sizes in bytes for
+   the maximum bit rates.
 
 Application
 ~~~~~~~~~~~
@@ -144,39 +182,34 @@
 `Application` specifies an application and the endpoints for the application. Applications are
 the termination point for traffic from the UPF. Contains the following fields:
 
-* `endpoint`. A list of endpoints. Each has the following
-  fields:
+* `address`. The DNS name or IP address of the endpoint.
+* `endpoint`. A list of endpoints. Each has the following fields:
 
-   * `name`. Name of the endpoint. Used as a key.
-   * `address`. The DNS name or IP address of the endpoint.
-   * `port-start`. Starting port number.
-   * `port-end`. Ending port number.
-   * `protocol`. `TCP|UDP`, specifies the protocol for the endpoint.
+    * `name`. Name of the endpoint. Used as a key.
+    * `port-start`. Starting port number.
+    * `port-end`. Ending port number.
+    * `protocol`. `TCP|UDP`, specifies the protocol for the endpoint.
+    * `mbr`. The maximum bitrate in bits per second that UEs sending traffic to the application endpoint
+      will be limited to:
+
+        * `uplink` the `mbr` from device to application
+        * `downlink` the `mbr` from application to device
+
+    * `traffic-class`. Traffic class to be used when UEs send traffic to this Application endpoint.
+
 * `enterprise`. Link to an `Enterprise` object that owns this application. May be left empty
   to indicate a global application that may be used by multiple enterprises.
 
 Supporting Aether Objects
 -------------------------
 
-AP-List
-~~~~~~~
-
-`AP-List` specifies a list of access points (radios). It has the following fields:
-
-* `access-points`. A list of access points. Each access point has the following:
-
-    * `address`. Hostname of the access point.
-    * `tac`. Type Allocation Code.
-    * `enable`. If set to `true`, the access point is enabled. Otherwise, it is disabled.
-
-* `enterprise`. The `Enterprise` that owns these access points.
-
 Connectivity-Service
 ~~~~~~~~~~~~~~~~~~~~
 
 `Connectivity-Service` specifies the URL of an SD-Core control plane.
 
 * `core-5g-endpoint`. Endpoint of a `config4g` or `config5g` core.
+* `acc-prometheus-url`. Prometheus endpoint where metrics may be queried regarding this connectivity service.
 
 IP-Domain
 ~~~~~~~~~
@@ -197,15 +230,22 @@
 `Template` contains connectivity settings that are pre-configured by Aether Operations.
 Templates are used to initialize `VCS` objects. `Template` has the following fields:
 
+* `default-behavior`. May be set to either `ALLOW-ALL`, `DENY-ALL`, or `ALLOW-PUBLIC`. This is
+  the rule to use if no other rule in the VCS's application filter matches. `ALLOW-PUBLIC` is
+  a special alias that denies all private networks and then allows everything else.
 * `sst`, `sd`. Slice identifiers.
 * `uplink`, `downlink`. Guaranteed uplink and downlink bandwidth.
 * `traffic-class`. Link to a `Traffic-Class` object that describes the type of traffic.
+* `slice.mbr.uplink`, `slice.mbr.downlink`. Slice-total Uplink and downlink maximum bit rates in bps.
+* `slice.mbr.uplink-burst-size`, `slice.mbr.downlink-burst-size`. Maximum burst sizes in bytes for
+  the maximum bit rates.
 
 Traffic-Class
 ~~~~~~~~~~~~~
 
 Specifies the class of traffic. Contains the following:
 
+* `arp`. Allocation and Retention Priority.
 * `qci`. QoS class identifier.
 * `pelr`. Packet error loss rate.
 * `pdb`. Packet delay budget.
@@ -213,11 +253,14 @@
 UPF
 ~~~
 
-Specifies the UPF that should forward packets. Has the following fields:
+Specifies the UPF that should forward packets. A UPF can only be used by one VCS at a time.
+Has the following fields:
 
 * `address`. Hostname or IP address of UPF.
 * `port`. Port number of UPF.
 * `enterprise`. Enterprise that owns this UPF.
+* `site`. The Site that this UPF is located at.
+* `config-endpoint` URL for configuring the UPF
 
 .. |postman_link| raw:: html