diff --git a/README.md b/README.md
index 5b5dcc7..c95a5fc 100644
--- a/README.md
+++ b/README.md
@@ -9,6 +9,9 @@
 * [Overview](#overview)
 * [CustomResourceDefinitions](#customresourcedefinitions)
 * [Getting started](#getting-started)
+* [Demos](#demos)
+  * [Updating the RateLimitPolicy `targetRef` attribute](/doc/demo-rlp-update-targetref.md)
+  * [Authenticated rate limiting](/doc/demo-rlp-authenticated.md)
 * [Contributing](#contributing)
 * [Licensing](#licensing)
 
@@ -240,7 +243,7 @@ To verify creation:
 ```
 kubectl get authorizationpolicy -A
 NAMESPACE         NAME                                          AGE
-kuadrant-system   on-kuadrant-gwapi-gateway-using-hr-toystore   3m36s
+kuadrant-system   on-kuadrant-gwapi-gateway-using-toystore-custom   81s
 ```
 
 9.- Verify authentication
@@ -257,6 +260,18 @@ Should return `200 OK`
 curl -v -H 'Host: api.toystore.com' -H 'Authorization: APIKEY ALICEKEYFORDEMO' -X POST http://localhost:9080/admin/toy
 ```
 
+## Demos
+
+### [Updating the RateLimitPolicy `targetRef` attribute](/doc/demo-rlp-update-targetref.md)
+
+This demo shows how the kuadrant's controller applies the rate limit policy to the new HTTPRoute
+object and cleans up rate limit configuration to the HTTPRoute object no longer referenced by the policy.
+
+### [Authenticated rate limiting](/doc/demo-rlp-authenticated.md)
+
+This demo shows how to configure rate limiting after authentication stage and rate limit configuration
+is per API key basis.
+
 ## Contributing
 
 The [Development guide](doc/development.md) describes how to build the kuadrant controller and
diff --git a/controllers/apim/httproute_controller.go b/controllers/apim/httproute_controller.go
index f7c37d9..e4b1a3b 100644
--- a/controllers/apim/httproute_controller.go
+++ b/controllers/apim/httproute_controller.go
@@ -55,7 +55,7 @@ func (r *HTTPRouteReconciler) Reconcile(eventCtx context.Context, req ctrl.Reque
 			gwName := string(parentRef.Name)
 
 			authPolicy := &istiosecurityv1beta1.AuthorizationPolicy{}
-			authPolicy.SetName(getAuthPolicyName(gwName, httproute.Name, "")) // TODO(rahul): need to do something about this controller
+			authPolicy.SetName(getAuthPolicyName(gwName, httproute.Name, "custom")) // TODO(rahul): need to do something about this controller
 			authPolicy.SetNamespace(gwNamespace)
 			common.TagObjectToDelete(authPolicy)
 			err := r.ReconcileResource(ctx, &istiosecurityv1beta1.AuthorizationPolicy{}, authPolicy, nil)
@@ -161,7 +161,7 @@ func (r *HTTPRouteReconciler) reconcileAuthPolicy(ctx context.Context, logger lo
 
 		authPolicy := istiosecurityv1beta1.AuthorizationPolicy{
 			ObjectMeta: metav1.ObjectMeta{
-				Name:      getAuthPolicyName(gwName, hr.Name, ""),
+				Name:      getAuthPolicyName(gwName, hr.Name, "custom"),
 				Namespace: gwNamespace,
 			},
 			Spec: authPolicySpec,
diff --git a/doc/demo-rlp-authenticated.md b/doc/demo-rlp-authenticated.md
new file mode 100644
index 0000000..f96c8e6
--- /dev/null
+++ b/doc/demo-rlp-authenticated.md
@@ -0,0 +1,150 @@
+## Authenticated rate limiting
+
+This demo shows how to configure rate limiting after authentication stage and rate limit configuration
+is per API key basis.
+
+### Steps
+
+Create local cluster and deploy kuadrant
+
+```
+make local-setup
+```
+
+Deploy toystore example deployment
+
+```
+kubectl apply -f examples/toystore/toystore.yaml
+```
+
+Create `toystore` HTTPRoute to configure routing to the toystore service
+
+```yaml
+kubectl apply -f - <<EOF
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: HTTPRoute
+metadata:
+  name: toystore
+  labels:
+    app: toystore
+spec:
+  parentRefs:
+    - name: kuadrant-gwapi-gateway
+      namespace: kuadrant-system
+  hostnames: ["*.toystore.com"]
+  rules:
+    - matches:
+        - path:
+            type: PathPrefix
+            value: "/toy"
+          method: GET
+      backendRefs:
+        - name: toystore
+          port: 80
+
+EOF
+```
+
+Check `toystore` HTTPRoute works
+
+```
+curl -v -H 'Host: api.toystore.com' http://localhost:9080/toy
+```
+
+Annotate HTTPRoute with Kuadrant auth provider to create AuthorizationPolicy
+
+```
+kubectl annotate httproute/toystore kuadrant.io/auth-provider=kuadrant-authorization
+```
+
+Create Authorino's AuthConfig and API key secrets
+
+```yaml
+kubectl apply -f -<<EOF
+apiVersion: authorino.kuadrant.io/v1beta1
+kind: AuthConfig
+metadata:
+  name: simple-api-protection
+spec:
+  hosts:
+  - api.toystore.com
+  identity:
+  - name: friends
+    apiKey:
+      labelSelectors:
+        api: toystore
+    credentials:
+      in: authorization_header
+      keySelector: APIKEY
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: key-a
+  labels:
+    authorino.kuadrant.io/managed-by: authorino
+    api: toystore
+stringData:
+  api_key: KEY-A
+type: Opaque
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: key-b
+  labels:
+    authorino.kuadrant.io/managed-by: authorino
+    api: toystore
+stringData:
+  api_key: KEY-B
+type: Opaque
+EOF
+```
+Check `toystore` HTTPRoute requires API key
+
+```
+curl -v -H 'Authorization: APIKEY KEY-A' -H 'Host: api.toystore.com' http://localhost:9080/toy
+```
+
+Add rate limit policy to protect per API key basis
+
+
+```yaml
+kubectl apply -f -<<EOF
+---
+apiVersion: apim.kuadrant.io/v1alpha1
+kind: RateLimitPolicy
+metadata:
+  name: toystore
+spec:
+  targetRef:
+    group: gateway.networking.k8s.io
+    kind: HTTPRoute
+    name: toystore
+  rateLimits:
+    - stage: POSTAUTH
+      actions:
+        - request_headers:
+            descriptor_key: key
+            header_name: "Authorization"
+            skip_if_absent: true
+  domain: toystore-app
+  limits:
+    - conditions: []
+      max_value: 2
+      namespace: toystore-app
+      seconds: 30
+      variables: ["key"]
+EOF
+```
+
+Check the authenticated rate limit policy works: 2 requests every 30 secs.
+
+```
+curl -v -H 'Authorization: APIKEY KEY-A' -H 'Host: api.toystore.com' http://localhost:9080/toy
+```
+
+```
+curl -v -H 'Authorization: APIKEY KEY-B' -H 'Host: api.toystore.com' http://localhost:9080/toy
+```
diff --git a/doc/demo-rlp-update-targetref.md b/doc/demo-rlp-update-targetref.md
new file mode 100644
index 0000000..1281ca1
--- /dev/null
+++ b/doc/demo-rlp-update-targetref.md
@@ -0,0 +1,155 @@
+## Updating the RateLimitPolicy `targetRef` attribute
+
+This demo shows how the kuadrant's controller applies the rate limit policy to the new HTTPRoute
+object and cleans up rate limit configuration to the HTTPRoute object no longer referenced by the policy.
+
+### Steps
+
+Create local cluster and deploy kuadrant
+
+```
+make local-setup
+```
+
+Deploy toystore example deployment
+
+```
+kubectl apply -f examples/toystore/toystore.yaml
+```
+
+Create `toystore` HTTPRoute to configure routing to the toystore service
+
+```yaml
+kubectl apply -f - <<EOF
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: HTTPRoute
+metadata:
+  name: toystore
+  labels:
+    app: toystore
+spec:
+  parentRefs:
+    - name: kuadrant-gwapi-gateway
+      namespace: kuadrant-system
+  hostnames: ["*.toystore.com"]
+  rules:
+    - matches:
+        - path:
+            type: PathPrefix
+            value: "/toy"
+          method: GET
+      backendRefs:
+        - name: toystore
+          port: 80
+
+EOF
+```
+
+Check `toystore` HTTPRoute works
+
+```
+curl -v -H 'Host: api.toystore.com' http://localhost:9080/toy
+```
+
+![](https://i.imgur.com/ykv86hV.png)
+
+Rate limit `toystore` HTTPRoute
+
+```yaml
+kubectl apply -f - <<EOF
+---
+apiVersion: apim.kuadrant.io/v1alpha1
+kind: RateLimitPolicy
+metadata:
+  name: toystore
+spec:
+  targetRef:
+    group: gateway.networking.k8s.io
+    kind: HTTPRoute
+    name: toystore
+  rateLimits:
+    - stage: PREAUTH
+      actions:
+        - generic_key:
+            descriptor_key: vhaction
+            descriptor_value: "yes"
+  domain: toystore-app
+  limits:
+    - conditions: ["vhaction == yes"]
+      max_value: 2
+      namespace: toystore-app
+      seconds: 5
+      variables: []
+EOF
+```
+
+Check the rate limit policy works: 2 requests every 5 secs.
+
+```
+curl -v -H 'Host: api.toystore.com' http://localhost:9080/toy
+```
+
+Add a second HTTPRoute: `carstore`
+
+![](https://i.imgur.com/ruabBi3.png)
+
+```yaml
+kubectl apply -f - <<EOF
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: HTTPRoute
+metadata:
+  name: carstore
+  labels:
+    app: carstore
+spec:
+  parentRefs:
+    - name: kuadrant-gwapi-gateway
+      namespace: kuadrant-system
+  hostnames: ["api.carstore.com"]
+  rules:
+    - matches:
+        - path:
+            type: PathPrefix
+            value: "/car"
+          method: GET
+      backendRefs:
+        - name: toystore
+          port: 80
+EOF
+```
+
+Check `carstore` HTTPRoute works
+
+```
+curl -v -H 'Host: api.carstore.com' http://localhost:9080/car
+```
+
+Update RLP `targetRef` to the new HTTPRoute `carstore`
+
+![](https://i.imgur.com/eu30Mry.png)
+
+```
+k edit ratelimitpolicy toystore
+```
+
+Check `toystore` HTTPRoute is no longer rate limited
+
+```
+curl -v -H 'Host: api.toystore.com' http://localhost:9080/toy
+```
+
+Check `carstore` HTTPRoute is rate limited
+
+```
+curl -v -H 'Host: api.carstore.com' http://localhost:9080/car
+```
+
+Remove the rate limit policy
+
+```
+k delete ratelimitpolicy toystore
+```
+
+Check `toystore` and `carstore` HTTPRoutes are no longer rate limited