Fix inaccurate wording in backend auth docs

jhrozek · jhrozek · commit 43ef10d97bed · 2026-02-18T10:54:08.000Z
Address PR review feedback:
- Add static credentials to frontmatter description
- Clarify credential delivery covers headers and env vars
- Scope DCR descriptions to ToolHive registration
diff --git a/docs/toolhive/concepts/backend-auth.mdx b/docs/toolhive/concepts/backend-auth.mdx
@@ -2,8 +2,8 @@
 title: Backend authentication
 description:
   Understanding how MCP servers authenticate to external services using
-  ToolHive's backend authentication patterns, including token exchange,
-  federated identity, and the embedded authorization server.
+  ToolHive's backend authentication patterns, including static credentials,
+  token exchange, and the embedded authorization server.
 ---
 
 This document explains how ToolHive helps MCP servers authenticate to
@@ -52,8 +52,9 @@ ToolHive sits between clients and MCP servers, and can acquire backend
 credentials on behalf of the MCP server. Depending on the pattern, it might
 exchange the client's token, run an OAuth flow against an external provider, or
 inject static credentials. In each case, the MCP server receives ready-to-use
-credentials—typically in the `Authorization: Bearer` header—without needing to
-implement custom authentication logic or manage secrets directly.
+credentials—via an `Authorization: Bearer` header, another header, or
+environment variables, depending on the pattern—without needing to implement
+custom authentication logic or manage secrets directly.
 
 ## Backend authentication patterns
 
@@ -191,8 +192,8 @@ mechanism, see [Token storage and forwarding](#token-storage-and-forwarding).
 
 The embedded authorization server runs in-process within the ToolHive proxy—no
 separate infrastructure is needed. It supports Dynamic Client Registration
-(DCR), so MCP clients can register automatically without manual configuration at
-the external provider.
+(DCR), so MCP clients can register automatically with ToolHive—no manual client
+configuration in ToolHive is required.
 
 :::note
 
@@ -213,8 +214,9 @@ deployments using the ToolHive Operator.
 - **Configurable token lifespans:** Access tokens, refresh tokens, and
   authorization codes have configurable durations with sensible defaults.
 - **Dynamic Client Registration (DCR):** Supports OAuth 2.0 Dynamic Client
-  Registration (RFC 7591), allowing MCP clients to register automatically
-  without manual configuration at the identity provider.
+  Registration (RFC 7591), allowing MCP clients to register automatically with
+  ToolHive's authorization server—no manual client registration in ToolHive is
+  required.
 - **Direct upstream redirect:** The embedded authorization server redirects
   clients directly to the upstream provider for authentication (for example,
   GitHub or Atlassian).
