Add intro and headings to how-to; other review suggestions

docs/explanation/api-and-clients.md

@@ -2,7 +2,7 @@
 
 The Pebble daemon exposes an API (HTTP over a unix socket) to allow remote clients to interact with the daemon. It can start and stop services, add configuration layers to the plan, and so on.
 
-If `pebble run` is started with the `--http <address>` option, Pebble also allows access to "untrusted" HTTP endpoints using the given TCP address. See "access control and identities" below.
+If `pebble run` is started with the `--http <address>` option, Pebble also allows access to "untrusted" HTTP endpoints using the given TCP address (see {ref}`api-access-levels` below).
 
 There is currently no official documentation for the API at the HTTP level (apart from the [code itself](https://github.com/canonical/pebble/blob/master/internals/daemon/api.go)!); most users will interact with it via the Pebble command line interface or by using the Go or Python clients.
 
@@ -13,21 +13,27 @@ We try to never change the underlying HTTP API in a backwards-incompatible way,
 In addition to the Go client, there's also a [Python client](https://github.com/canonical/operator/blob/master/ops/pebble.py) for the Pebble API that's part of the [`ops` library](https://github.com/canonical/operator) used by Juju charms ([documentation here](https://juju.is/docs/sdk/interact-with-pebble)).
 
 
-## Access control and identities
+(api-access-levels)=
+## API access levels
 
 API endpoints fall into one of three access levels, from least restricted to most restricted:
 
 * `untrusted`: these are allowed from any user, even unauthenticated users using the HTTP-over-TCP listener. The only untrusted endpoints are `/v1/system-info` and `/v1/health`.
-* `read`: these are allowed from any authenticated user, regardless of access levey. They are usually read operations that use the HTTP `GET` method, such as listing services or viewing notices.
+* `read`: these are allowed from any authenticated user, regardless of access level. They are usually read operations that use the HTTP `GET` method, such as listing services or viewing notices.
 * `admin`: these are only allowed from admin users. They are usually write or modify operations that use the HTTP `POST` method, such as adding a layer or starting a service.
 
 Pebble authenticates clients that connect to the socket API using peer credentials ([`SO_PEERCRED`](https://man7.org/linux/man-pages/man7/socket.7.html)) to determine the user ID (UID) of the connecting process. If this UID is 0 (root) or the UID of the Pebble daemon, the user's access level is `admin`, otherwise the access level is `read`.
 
 If Pebble can't authenticate the user at all, or if it's an unauthenticated user connecting over TCP, the user is considered `untrusted`.
 
-In addition to the default access control, Pebble admins can also set up named [identities](../reference/identities.md) with specific access levels using the identities CLI commands (see [how to manage identities](../how-to/manage-identities.md)).
 
-Currently the only identity type is `local`, that is, a local user ID determined using peer credentials. An example admin identity named "bob" is shown below:
+## Controlling API access using identities
+
+In addition to the default access control, Pebble admins can also set up named [identities](../reference/identities.md) with specific access levels using the identities CLI commands.
+
+Each identity has a name, an access level, and an authentication type with type-specific configuration.
+
+Currently the only authentication type is `local`, that is, a local user ID determined using peer credentials. An example admin identity named "bob" is shown below:
 
 ```yaml
 identities:
@@ -36,3 +42,5 @@ identities:
         local:
             user-id: 42
 ```
+
+Read [how to manage identities](../how-to/manage-identities.md) for more information.

docs/how-to/manage-identities.md

@@ -3,8 +3,13 @@
 
 Pebble uses named [identities](../reference/identities.md) to extend access to its [API](../explanation/api-and-clients.md).
 
+For example, let's say you're building a container-based system with one container running Pebble and the workload, and another container in the same user namespace talking to Pebble over the API. You may want to give API access to a non-root user -- that's where identities come in.
+
 By default any UID (user ID) connected to the API socket is a `read` user; UID 0 (root) or the UID of the Pebble server process gives `admin` access.
 
+
+## Add new identities
+
 To extend this to additional users, add named identities using the [`add-identities`](../reference/cli-commands/add-identities.md) command with a YAML file configuring the details. For example, to add a new admin "bob" with UID 42 and a new read user "alice" with UID 2000, prepare this file:
 
 ```yaml
@@ -27,6 +32,9 @@ and run the following command:
 Added 2 new identities.
 ```
 
+
+## Remove identities
+
 To remove existing identities, use [`remove-identities`](../reference/cli-commands/remove-identities.md)with a YAML file that has a `null` value for each identity you want to remove. For example, to remove "alice", prepare this file:
 
 ```yaml
@@ -42,6 +50,9 @@ and run the following command:
 Removed 1 identity.
 ```
 
+
+## Update or replace identities
+
 To update existing identities, use [`update-identities`](../reference/cli-commands/update-identities.md). For example, prepare this file:
 
 ```yaml
@@ -83,6 +94,9 @@ and run the following command:
 Replaced 3 identities.
 ```
 
+
+## List identities
+
 You can list identities with the [`identities`](../reference/cli-commands/identities.md) command:
 
 ```{terminal}
@@ -107,6 +121,9 @@ identities:
             user-id: 1042
 ```
 
+
+## View a single identity
+
 To show a single identity in YAML format, use the `identity` command:
 
 ```{terminal}
@@ -116,7 +133,8 @@ local:
     user-id: 2000
 ```
 
-## Seeding initial identities
+
+## Seed initial identities
 
 To seed a Pebble server with one or more initial identities, use [`pebble run`](../reference/cli-commands/run.md) with the `--identities` option. This has the effect of running `update-identities --replace` with the content of the given identities file before running the server:
 

docs/reference/identities.md

@@ -1,6 +1,6 @@
 # Identities
 
-Pebble has the concept of named "identities", which lets administrators allow additional users to access the [API](../explanation/api-and-clients.md).
+Pebble has the concept of named "identities", which lets administrators manage users' access to the [API](../explanation/api-and-clients.md).
 
 Each identity has a name, an access level, and an authentication type with type-specific configuration. Admins use the identities CLI commands to [manage identities](../how-to/manage-identities.md), and the identity configuration is persisted to disk.
 
@@ -26,7 +26,7 @@ identities:
             user-id: <uid>
 ```
 
-For example, a local identity named "bob" with UID 42 would be defined as follows:
+For example, a local identity named "bob" with UID 42 that is granted `admin` access would be defined as follows:
 
 ```yaml
 identities: