Address feedback

tgrunnagle · tgrunnagle · commit 02c0ff1bb1f6 · 2026-03-31T10:51:01.000-07:00
- missing `type: external_auth_config_ref` for backend auth config
- note about requiring `jwksAllowPrivateIP` for cluster-internal addresses only
- note about redis replicas and failover
diff --git a/docs/toolhive/guides-k8s/redis-session-storage.mdx b/docs/toolhive/guides-k8s/redis-session-storage.mdx
@@ -163,7 +163,9 @@ spec:
 ```
 
 The next section deploys a three-node Sentinel cluster that monitors the Redis
-master and handles automatic failover:
+master. With a single master and no replicas, Sentinel provides master discovery
+for ToolHive but cannot perform automatic failover. To enable failover, add
+Redis replicas to the StatefulSet and configure replication.
 
 ```yaml title="redis-sentinel.yaml — Sentinel cluster (append to same file)"
 # --- Sentinel configuration
diff --git a/docs/toolhive/guides-vmcp/authentication.mdx b/docs/toolhive/guides-vmcp/authentication.mdx
@@ -189,6 +189,7 @@ spec:
     source: inline
     backends:
       backend-github:
+        type: external_auth_config_ref
         externalAuthConfigRef:
           name: inject-github
 ```
@@ -257,9 +258,11 @@ spec:
     source: inline
     backends:
       backend-github:
+        type: external_auth_config_ref
         externalAuthConfigRef:
           name: inject-github
       backend-okta-app:
+        type: external_auth_config_ref
         externalAuthConfigRef:
           name: exchange-okta
 ```
@@ -424,9 +427,10 @@ at `authed_user.access_token`). Add a `tokenResponseMapping` block to the
 ### Incoming auth with the embedded auth server
 
 When using the embedded auth server, configure `incomingAuth` to validate the
-JWTs it issues. The `issuer` must match `authServerConfig.issuer`, and
-`jwksAllowPrivateIP` must be `true` because the vMCP validates tokens from its
-own in-process auth server via loopback:
+JWTs it issues. The `issuer` must match `authServerConfig.issuer`. If the issuer
+URL resolves to a private or cluster-internal IP address (typical in
+Kubernetes), set `jwksAllowPrivateIP` to `true` so the OIDC middleware can fetch
+the JWKS from the embedded auth server's discovery endpoint:
 
 ```yaml title="VirtualMCPServer resource"
 spec:
@@ -576,6 +580,7 @@ spec:
     source: inline
     backends:
       backend-github:
+        type: external_auth_config_ref
         externalAuthConfigRef:
           name: inject-github
 ```
