diff --git a/content/vault/global/partials/important-changes/breaking-changes/client-count-timestamp.mdx b/content/vault/global/partials/important-changes/breaking-changes/client-count-timestamp.mdx new file mode 100644 index 0000000000..799e62a4bd --- /dev/null +++ b/content/vault/global/partials/important-changes/breaking-changes/client-count-timestamp.mdx @@ -0,0 +1,29 @@ +### Renamed timestamp fields for client count activity export ((#client-count-export)) + +| Change | Affected version | Vault edition +| ------------ | ---------------- | ------------- +| Breaking | 1.21.0+ | All + +Vault counts a client the first time that client makes an authenticated API +during the billing period. + +Previously, the Activity Export endpoint response included a `timestamp` +field that reflected the creation time and date for the client token, which +could precede the start of the billing period, rather than the time and date +of the first authenticated API call. + +To clarify the data returned, the endpoint now returns two timestamp parameters: + +- **`client_first_usage_time`** - (new) indicates when the client first made an + authenticated API call during the billing period. +- **`token_creation_time`** - (replaces `timestamp`) indicates the creation + timestamp of the token. + + +#### Recommendation + +Review your use of the `timestamp` field and: + +1. Consider if the context makes `client_first_usage_time` a more appropriate + timestamp. +1. Update any remaining references to `timestamp` to use `token_creation_time`. diff --git a/content/vault/v1.21.x (rc)/content/docs/updates/deprecation.mdx b/content/vault/v1.21.x (rc)/content/docs/updates/deprecation.mdx index 09ceebd8ad..fd3bbf46e8 100644 --- a/content/vault/v1.21.x (rc)/content/docs/updates/deprecation.mdx +++ b/content/vault/v1.21.x (rc)/content/docs/updates/deprecation.mdx 
@@ -21,10 +21,7 @@ or raise a ticket with your support team. -## Recent announcements - - - +## Deprecations ((#deprecations)) The Vault Support Team can provide limited help with a deprecated feature. @@ -34,26 +31,27 @@ or raise a ticket with your support team. more information on the product support timeline. -@include 'deprecation/ruby-client-library.mdx' @include 'deprecation/snowflake-password-auth.mdx' - - + +## Pending removal @include 'deprecation/vault-agent-api-proxy.mdx' +@include 'deprecation/duplicate-hcl-attributes.mdx' + + +## Removed + +@include 'deprecation/ruby-client-library.mdx' + @include 'deprecation/aws-field-change.mdx' @include 'deprecation/centrify-auth-method.mdx' -@include 'deprecation/duplicate-hcl-attributes.mdx' - @include 'deprecation/list-allowed-parameters.mdx' - - - @include 'deprecation/active-directory-secrets-engine.mdx' @include 'deprecation/duplicative-docker-images.mdx' @@ -62,8 +60,6 @@ or raise a ticket with your support team. @include 'deprecation/internal-counters-tokens-api.mdx' - - diff --git a/content/vault/v1.21.x (rc)/content/docs/updates/important-changes.mdx b/content/vault/v1.21.x (rc)/content/docs/updates/important-changes.mdx index 6a4446c403..4e2880a440 100644 --- a/content/vault/v1.21.x (rc)/content/docs/updates/important-changes.mdx +++ b/content/vault/v1.21.x (rc)/content/docs/updates/important-changes.mdx @@ -4,12 +4,6 @@ page_title: Important changes description: >- Deprecations, important or breaking changes, and remediation recommendations for upgrading Vault. - -valid_change_types: >- - - Change in support - - New behavior (new defaults, new requirements, etc.) - - Breaking change --> workaround/recommendation recommended - - Known issue --> workaround/recommendation required --- # Important changes 
@@ -21,6 +15,8 @@ before upgrading Vault. ## Breaking changes +@include '../../../global/partials/important-changes/breaking-changes/client-count-timestamp.mdx' + ### Audiences required for Kubernetes authentication roles ((##k8-audience-required)) | Change | Affected version | Vault edition @@ -51,6 +47,8 @@ more information. @include '../../../global/partials/important-changes/breaking-changes/allowed-parameters-list.mdx' +--- + ## New behavior ### Rotation manager schedule strings in UTC ((#rotation-manager-utc)) diff --git a/content/vault/v1.21.x (rc)/content/docs/updates/release-notes.mdx b/content/vault/v1.21.x (rc)/content/docs/updates/release-notes.mdx new file mode 100644 index 0000000000..3d0d3b91a1 --- /dev/null +++ b/content/vault/v1.21.x (rc)/content/docs/updates/release-notes.mdx @@ -0,0 +1,285 @@ +--- +layout: docs +page_title: Release notes +description: >- + TBD +--- + +# Vault release notes + +Release | RC date | GA date +------- | ---------- | ---------- +1.21.x | 2025-10-09 | 2025-10-17 + +@include 'release-notes/intro.mdx' + +@include 'tips/change-tracker.mdx' + + +## Executive summary + +Vault Enterprise 1.21 minimizes operational burden, improves pricing visibility, +and provides increased pricing support. + + +### Highlights + +- Static role support for Azure enabled workflows that require managed, + long-lived Azure credentials. +- Smoother integration with bring-your-own DNS, AWS, Azure Privatelink, and + custom domains. +- Expanded Terraform Vault Provider support for provisioning and resource + management with Terraform. +- Emerging security policy management with IBM Z RACF passphrase support. +- Enhanced logging and auditing that increases traceability and compliance. +- Machine identity and authentication support for SPIFFE frameworks. + + +## New features + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FeatureSummaryBenefit
SPIFFE authentication + Use the SPIFFE authentication plugin to leverage SPIFFE frameworks based + SVIDS. With the SPIFFEE plugin, clients can authenticate to Vault and + request SVIDs to authenticate in SPIFFE environment. + + Increases flexibility to authenticate workloads with SPIFFE authentication + methods and enables new workloads that require SPIFFE. +
MFA TOTP self-enrollment + Configure multi-factor authenication in Vault to let clients self-enroll + with QR codes during login when they do not have a TOTP configured. + + Applies MFA TOTP enforcements to users before they exist instead of + requiring operators to manually generate and send users an enrollment QR + code. +
KV v2 version attribution + Query the metadata endpoint with read and list requests for for KV v2 + secrets to get the human-readable name of the user who created the + targeted secret version. + + Simplifies information gathering by replacing manual audit log reviews + with a straightforward metadata query. +
Cumulative client counts endpoint + Easily query the number of Vault clients consumed by a namespace and all + its descendants. + + Provides easier access to client utilization data in environments with + nested namespace structures. +
Root rotation for Snowflake key-pairs + Perform on-demand and scheduled rotations for key-pair root credentials in + the Snowflake plugin. + + Fully automates the rotation of key-pair root credentials for Snowflake +
Static roles in the Azure Secret Engine + Rotate Azure static roles tied to long-lived credentials on demand with + initialization or imported credentials. + + Simplify lifecycle management for long-lived Azure credentials for key + workflows instead of juggling dynamic secrets that Vault revokes when the + workflow client disconnects. +
+ +## Existing feature improvements + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FeatureSummaryImprovement
Client count dashboard + View a list of individual clients in each client count aggregate from the + new **Client list** tab in the client count dashboard. + + Simplifies data access for preliminary analysis. +
Secret recovery + Use the Vault GUI or API to automatically load snapshots and recover + individual database static roles or SSH config CA/managed keys. + + Lets you delegate recovery of individual secrets and provide a granular, + flexible recovery mechanism for technical and non-technical users. +
Attestation evidence for credential rotation + Use Vault server logs to review the details for successful and failed + automated root rotations and static role rotation for the database and + LDAP secrets engines. + + Improved transparancy and confidence that root credential rotation + happened properly for less complicated compliance checks. +
RACF passphrase support in the LDAP plugin + Use RACF passphrases (up to 100 characters) with the LDAP secrets engine + plugin. + + Supports longer, more secure RACF passphrases and helps you keep up with + changing security policy requirements.. +
Eventing in the LDAP Secrets Engine + The LDAP secrets engine now + [emits events](/vault/docs/concepts/events#event-types) including rotation + success and failure events. + + Expands functionality of the LDAP secrets engine plugin with new events. +
Dedicated rotation URL for LDAP authentication + The LDAP authentication plugin supports root account rotation with a + dedicated URL. + + Supports root account rotation even when you configure the plugin with the + Global Catalog URL of an AD Forest. +
Counter of PKI certificates issued + Track the monthly total number of PKI certificates issued cluster-wide by a + given Vault cluster. + + Improved visibility into PKI usage. +
License utilization and product usage data updates + Vault collects and reports additional data points to HashiCorp for + improved + [license utilization reporting](../license/utilization/auto-reporting) and + [anonymized product usage reporting](../license/product-usage-reporting). + + Improved product insights and roadmap prioritization. +
+ + + +## Bug fixes + +None. + + + +## Vault companion updates + + + + + + + + + + + + + + + + + + + + + + + + + + +
CompanionSummaryBenefit
Vault Secrets Operator + Map Vault secrets directly into application pods with shared volumes + as [protected secrets using CSI drivers](/vault/docs/deploy/kubernetes/vso/csi). + + Deliver secrets from Vault to Kubernetes workloads in deployments that + restrict the use of native K8s secrets. +
Vault Secrets Store CSI provider + Red Hat certified the Vault Secrets Store CSI provider for use on + OpenShift. + + Use Vault Secret Store even in environments that require Red Hat Open + Shift certification for all system components. +
MS SQL external key management provider + Grant database administrators full control over the versions of `transit` + keys used to wrap and unwrap data encryption keys for SQL Server. + + Reduce the number of keys and simplify the database restore process + from encrypted backups. +
+ + +## Feature deprecations and EOL + +Deprecated in 1.21.x | Retired in 1.21.x +-------------------- | --------------- +None | [Snowflake DB password authentication](/vault/docs/updates/deprecation#snowflake-db-password-auth) + +@include 'release-notes/deprecation-note.mdx' \ No newline at end of file diff --git a/content/vault/v1.21.x (rc)/content/partials/release-notes/intro.mdx b/content/vault/v1.21.x (rc)/content/partials/release-notes/intro.mdx index 54bd81c8ab..8d61b2e732 100644 --- a/content/vault/v1.21.x (rc)/content/partials/release-notes/intro.mdx +++ b/content/vault/v1.21.x (rc)/content/partials/release-notes/intro.mdx @@ -1,6 +1,7 @@ Release notes provide an at-a-glance summary of key updates to new versions of -Vault. For a comprehensive list of product updates, improvements, and bug fixes -refer to the [changelog](https://github.com/hashicorp/vault/blob/main/CHANGELOG.md) +Vault Enterprise. For a comprehensive list of product updates, improvements, and +bug fixes refer to the +[changelog](https://github.com/hashicorp/vault/blob/main/CHANGELOG.md) included with the Vault code on GitHub. We encourage you to diff --git a/content/vault/v1.21.x (rc)/data/docs-nav-data.json b/content/vault/v1.21.x (rc)/data/docs-nav-data.json index af5df94c8b..d0df1d786e 100644 --- a/content/vault/v1.21.x (rc)/data/docs-nav-data.json +++ b/content/vault/v1.21.x (rc)/data/docs-nav-data.json @@ -281,6 +281,10 @@ { "title": "Recent updates", "routes": [ + { + "title": "Release notes", + "path": "updates/release-notes" + }, { "title": "Important changes", "path": "updates/important-changes"
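
Review bot: In client-count-timestamp.mdx, the opening sentence is missing its noun: "the first time that client makes an authenticated API during the billing period" should read "an authenticated API call", matching the wording used in the following paragraph. The Recommendation section also does not say what a consumer that still reads `timestamp` sees on 1.21.0+ (an error, a missing key, or an empty value). Since the change is marked Breaking and `token_creation_time` "replaces `timestamp`", state the failure mode so operators can tell how an un-updated export parser or billing report will break.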
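
Review bot: In deprecation.mdx, `@include 'deprecation/snowflake-password-auth.mdx'` stays under `## Deprecations`, while the new release-notes.mdx in this same patch lists Snowflake DB password authentication under "Retired in 1.21.x" with "Deprecated in 1.21.x" set to None. Either move the include under `## Removed` or adjust the release-notes table so the two pages agree on the feature's status. The new `## Pending removal` and `## Removed` headings also have no explicit anchor, unlike `## Deprecations ((#deprecations))` just above them; add anchors if other pages are expected to link to these sections.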
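
Review bot: In important-changes.mdx, the new include is placed directly above `### Audiences required for Kubernetes authentication roles ((##k8-audience-required))`, whose anchor carries a doubled `#`, unlike `((#client-count-export))` and `((#rotation-manager-utc))` elsewhere in this patch. Since this hunk already touches the section, fix the anchor to `((#k8-audience-required))` here, after checking for existing inbound links to the current form.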
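
Review bot: In release-notes.mdx, the front matter still has the placeholder `description: >- TBD`, which should be replaced with a real page description before this ships. The table text also needs a proofreading pass: "SPIFFEE plugin" and "SVIDS" (SPIFFE, SVIDs), "authenication", "for for KV v2", "transparancy", the doubled period in "requirements..", the missing period after "key-pair root credentials for Snowflake", "Red Hat Open Shift" next to "OpenShift" in the same row, "Vault Secret Store" next to "Vault Secrets Store", and "Azure Secret Engine" where the rest of the page says "secrets engine". The file also ends without a trailing newline.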
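
Review bot: In partials/release-notes/intro.mdx, the first sentence now scopes the release notes to "Vault Enterprise", but the following sentence still describes the changelog as "included with the Vault code on GitHub" and links to hashicorp/vault. If this partial is shared by release notes that also cover non-Enterprise changes, keep "Vault"; otherwise, clarify whether the linked changelog is the right reference for Enterprise-only changes.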