Add scope clarification to auth framework documentation

jhrozek · jhrozek · commit e6a08229bb3f · 2025-10-29T13:40:32.000Z
Add an info admonition at the beginning of the auth framework concept
document to explicitly clarify that this documentation covers
client-to-MCP-server authentication, not MCP-server-to-backend
authentication.

This distinction helps readers understand:
- What is covered: How clients authenticate to the MCP server
- What is not covered: How MCP servers authenticate to external APIs
  (e.g., GitHub MCP server authenticating to GitHub API)

The note indicates that MCP-server-to-backend authentication will be
covered in separate future documentation.
diff --git a/docs/toolhive/concepts/auth-framework.mdx b/docs/toolhive/concepts/auth-framework.mdx
@@ -9,6 +9,19 @@ authorization framework, which secures MCP servers by verifying client identity
 and controlling access to resources. You'll learn how these systems work
 together, why they're designed this way, and the benefits of this approach.
 
+:::info[Scope of this documentation]
+
+This documentation covers **client-to-MCP-server authentication**—how clients
+authenticate to the MCP server itself. This is about securing access to the MCP
+server's tools and resources.
+
+This is different from **MCP-server-to-backend authentication**, which involves
+how the MCP server authenticates to external services or APIs it calls (for
+example, a GitHub MCP server authenticating to the GitHub API). That topic will
+be covered in separate documentation.
+
+:::
+
 ## Understanding authentication vs. authorization
 
 When you secure MCP servers, you need to understand the strong separation
