diff --git a/doc/proposals/rlp-target-gateway-resource.md b/doc/proposals/rlp-target-gateway-resource.md
index 57771dce5..55a16f063 100644
--- a/doc/proposals/rlp-target-gateway-resource.md
+++ b/doc/proposals/rlp-target-gateway-resource.md
@@ -38,30 +38,49 @@ return an OVER_LIMIT response if any of them are over limit.
 
 ```yaml
 ---
-apiVersion: kuadrant.io/v1beta1
+apiVersion: kuadrant.io/v1beta3
 kind: RateLimitPolicy
 metadata:
   name: my-rate-limit-policy
 spec:
+  # Reference to an existing networking resource to attach the policy to. REQUIRED.
+  # It can be a Gateway API HTTPRoute or Gateway resource.
+  # It can only refer to objects in the same namespace as the RateLimitPolicy.
   targetRef:
     group: gateway.networking.k8s.io
     kind: HTTPRoute / Gateway
     name: myroute / mygateway
-  rateLimits:
-    - rules:
-        - paths: ["/admin/*"]
-          methods: ["GET"]
-          hosts: ["example.com"]
-      configurations:
-        - actions:
-          - generic_key:
-              descriptor_key: admin
-              descriptor_value: "yes"
-      limits:
-        - conditions: ["admin == yes"]
-          max_value: 500
-          seconds: 30
-          variables: []
+
+  # The limits definitions to apply to the network traffic routed through the targeted resource.
+  # Equivalent to if otherwise declared within `defaults`.
+  limits:
+    "my_limit":
+      # The rate limits associated with this limit definition. REQUIRED.
+      # E.g., to specify a 50rps rate limit, add `{ limit: 50, duration: 1, unit: secod }`
+      rates: […]
+
+      # Counter qualifiers.
+      # Each dynamic value in the data plane starts a separate counter, combined with each rate limit.
+      # E.g., to define a separate rate limit for each user name detected by the auth layer, add `metadata.filter_metadata.envoy\.filters\.http\.ext_authz.username`.
+      # Check out Kuadrant RFC 0002 (https://github.com/Kuadrant/architecture/blob/main/rfcs/0002-well-known-attributes.md) to learn more about the Well-known Attributes that can be used in this field.
+      counters: […]
+
+      # Additional dynamic conditions to trigger the limit.
+      # Use it for filtering attributes not supported by HTTPRouteRule or with RateLimitPolicies that target a Gateway.
+      # Check out Kuadrant RFC 0002 (https://github.com/Kuadrant/architecture/blob/main/rfcs/0002-well-known-attributes.md) to learn more about the Well-known Attributes that can be used in this field.
+      when: […]
+
+    # Explicit defaults. Used in policies that target a Gateway object to express default rules to be enforced on
+    # routes that lack a more specific policy attached to.
+    # Mutually exclusive with `overrides` and with declaring `limits` at the top-level of the spec.
+    defaults:
+      limits: {…}
+
+    # Overrides. Used in policies that target a Gateway object to be enforced on all routes linked to the gateway,
+    # thus also overriding any more specific policy occasionally attached to any of those routes.
+    # Mutually exclusive with `defaults` and with declaring `limits` at the top-level of the spec.
+    overrides:
+      limits: {…}
 ```
 
 `.spec.rateLimits` holds a list of rate limit configurations represented by the object `RateLimit`.
diff --git a/doc/rate-limiting.md b/doc/rate-limiting.md
index 40dc06afc..81f12db23 100644
--- a/doc/rate-limiting.md
+++ b/doc/rate-limiting.md
@@ -45,7 +45,7 @@ The limit definitions (`limits`) can be declared at the top-level level of the s
 #### High-level example and field definition
 
 ```yaml
-apiVersion: kuadrant.io/v1beta2
+apiVersion: kuadrant.io/v1beta3
 kind: RateLimitPolicy
 metadata:
   name: my-rate-limit-policy
@@ -99,7 +99,7 @@ When a RateLimitPolicy targets a HTTPRoute, the policy is enforced to all traffi
 Target a HTTPRoute by setting the `spec.targetRef` field of the RateLimitPolicy as follows:
 
 ```yaml
-apiVersion: kuadrant.io/v1beta2
+apiVersion: kuadrant.io/v1beta3
 kind: RateLimitPolicy
 metadata:
   name: <RateLimitPolicy name>
@@ -134,7 +134,7 @@ Inversely, a gateway policy that specify _overrides_ declares a set of rules to
 Target a Gateway HTTPRoute by setting the `spec.targetRef` field of the RateLimitPolicy as follows:
 
 ```yaml
-apiVersion: kuadrant.io/v1beta2
+apiVersion: kuadrant.io/v1beta3
 kind: RateLimitPolicy
 metadata:
   name: <RateLimitPolicy name>
diff --git a/doc/user-guides/authenticated-rl-for-app-developers.md b/doc/user-guides/authenticated-rl-for-app-developers.md
index 4ef9a9d95..4ac871d99 100644
--- a/doc/user-guides/authenticated-rl-for-app-developers.md
+++ b/doc/user-guides/authenticated-rl-for-app-developers.md
@@ -200,7 +200,7 @@ Create a Kuadrant `RateLimitPolicy` to configure rate limiting:
 
 ```sh
 kubectl apply -f - <<EOF
-apiVersion: kuadrant.io/v1beta2
+apiVersion: kuadrant.io/v1beta3
 kind: RateLimitPolicy
 metadata:
   name: toystore
diff --git a/doc/user-guides/authenticated-rl-with-jwt-and-k8s-authnz.md b/doc/user-guides/authenticated-rl-with-jwt-and-k8s-authnz.md
index 7646cfed1..c593b9f77 100644
--- a/doc/user-guides/authenticated-rl-with-jwt-and-k8s-authnz.md
+++ b/doc/user-guides/authenticated-rl-with-jwt-and-k8s-authnz.md
@@ -321,7 +321,7 @@ Create a Kuadrant `RateLimitPolicy` to configure rate limiting:
 
 ```sh
 kubectl apply -f - <<EOF
-apiVersion: kuadrant.io/v1beta2
+apiVersion: kuadrant.io/v1beta3
 kind: RateLimitPolicy
 metadata:
   name: toystore
diff --git a/doc/user-guides/gateway-rl-for-cluster-operators.md b/doc/user-guides/gateway-rl-for-cluster-operators.md
index e112fa10d..77eed66e4 100644
--- a/doc/user-guides/gateway-rl-for-cluster-operators.md
+++ b/doc/user-guides/gateway-rl-for-cluster-operators.md
@@ -100,7 +100,7 @@ Create a Kuadrant `RateLimitPolicy` to configure rate limiting:
 
 ```sh
 kubectl apply -n gateway-system -f - <<EOF
-apiVersion: kuadrant.io/v1beta2
+apiVersion: kuadrant.io/v1beta3
 kind: RateLimitPolicy
 metadata:
   name: gw-rlp
diff --git a/doc/user-guides/secure-protect-connect-single-multi-cluster.md b/doc/user-guides/secure-protect-connect-single-multi-cluster.md
index 8cc7b24c3..097c90132 100644
--- a/doc/user-guides/secure-protect-connect-single-multi-cluster.md
+++ b/doc/user-guides/secure-protect-connect-single-multi-cluster.md
@@ -235,7 +235,7 @@ Set the default `RateLimitPolicy` for your Gateway as follows:
 
 ```bash
 kubectl apply -f  - <<EOF
-apiVersion: kuadrant.io/v1beta2
+apiVersion: kuadrant.io/v1beta3
 kind: RateLimitPolicy
 metadata:
   name: ${gatewayName}-rlp
diff --git a/doc/user-guides/secure-protect-connect.md b/doc/user-guides/secure-protect-connect.md
index a96b0e280..4e3bdfcc0 100644
--- a/doc/user-guides/secure-protect-connect.md
+++ b/doc/user-guides/secure-protect-connect.md
@@ -192,7 +192,7 @@ We have a secure communication in place. However, there is nothing limiting user
 
 ```sh
 kubectl --context $KUBECTL_CONTEXT apply -f - <<EOF
-apiVersion: kuadrant.io/v1beta2
+apiVersion: kuadrant.io/v1beta3
 kind: RateLimitPolicy
 metadata:
   name: infra-ratelimit
@@ -395,7 +395,7 @@ The gateway limits are a good set of limits for the general case, but as the dev
 
 ```sh
 kubectl --context $KUBECTL_CONTEXT apply -f - <<EOF
-apiVersion: kuadrant.io/v1beta2
+apiVersion: kuadrant.io/v1beta3
 kind: RateLimitPolicy
 metadata:
   name: toystore
diff --git a/doc/user-guides/simple-rl-for-app-developers.md b/doc/user-guides/simple-rl-for-app-developers.md
index aaa7e862a..44018d0ca 100644
--- a/doc/user-guides/simple-rl-for-app-developers.md
+++ b/doc/user-guides/simple-rl-for-app-developers.md
@@ -121,7 +121,7 @@ Create a Kuadrant `RateLimitPolicy` to configure rate limiting:
 
 ```sh
 kubectl apply -f - <<EOF
-apiVersion: kuadrant.io/v1beta2
+apiVersion: kuadrant.io/v1beta3
 kind: RateLimitPolicy
 metadata:
   name: toystore
diff --git a/examples/toystore/ratelimitpolicy_gateway.yaml b/examples/toystore/ratelimitpolicy_gateway.yaml
index b7cabca1d..5635c163a 100644
--- a/examples/toystore/ratelimitpolicy_gateway.yaml
+++ b/examples/toystore/ratelimitpolicy_gateway.yaml
@@ -1,4 +1,4 @@
-apiVersion: kuadrant.io/v1beta2
+apiVersion: kuadrant.io/v1beta3
 kind: RateLimitPolicy
 metadata:
   name: toystore-gw
diff --git a/examples/toystore/ratelimitpolicy_httproute.yaml b/examples/toystore/ratelimitpolicy_httproute.yaml
index c11ac81f6..eeb6c732b 100644
--- a/examples/toystore/ratelimitpolicy_httproute.yaml
+++ b/examples/toystore/ratelimitpolicy_httproute.yaml
@@ -1,4 +1,4 @@
-apiVersion: kuadrant.io/v1beta2
+apiVersion: kuadrant.io/v1beta3
 kind: RateLimitPolicy
 metadata:
   name: toystore-httproute
@@ -13,32 +13,49 @@ spec:
       - limit: 6
         duration: 30
         unit: second
-
     "get-toy":
+      when:
+      - selector: request.method
+        operator: eq
+        value: "GET"
+      - selector: request.path
+        operator: eq
+        value: "/toy"
       rates:
       - limit: 5
         duration: 30
         unit: second
-
-    "admin-post-or-delete-toy-per-user":
+    "admin-post-toy-per-user":
       rates:
       - limit: 2
         duration: 30
         unit: second
       counters:
       - metadata.filter_metadata.envoy\.filters\.http\.ext_authz.username
-      routeSelectors:
-      - matches:
-        - path:
-            type: Exact
-            value: "/admin/toy"
-          method: POST
-      - matches:
-        - path:
-            type: Exact
-            value: "/admin/toy"
-          method: DELETE
       when:
+      - selector: request.method
+        operator: eq
+        value: "GET"
+      - selector: request.path
+        operator: eq
+        value: "/admin/toy"
+      - selector: metadata.filter_metadata.envoy\.filters\.http\.ext_authz.admin
+        operator: eq
+        value: "true"
+    "admin-delete-per-user":
+      rates:
+      - limit: 2
+        duration: 30
+        unit: second
+      counters:
+      - metadata.filter_metadata.envoy\.filters\.http\.ext_authz.username
+      when:
+      - selector: request.method
+        operator: eq
+        value: "DELETE"
+      - selector: request.path
+        operator: eq
+        value: "/admin/toy"
       - selector: metadata.filter_metadata.envoy\.filters\.http\.ext_authz.admin
         operator: eq
         value: "true"