Expand vMCP two-boundary auth diagram and descriptions (#681)

* Expand vMCP two-boundary auth diagram and descriptions

- Show token validation, Cedar policy authz, and backend proxy as
  distinct steps inside the vMCP box
- Clarify Boundary 1 covers issuer, audience, expiry, and signature
  (JWT) or introspection (opaque tokens)
- Note that audience must be explicitly configured for vMCP, unlike
  plain MCPServer deployments
- Replace incomplete outgoing strategy list with a link to the
  Outgoing authentication section

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* Address two Copilot review comments on PR #681

- Line 22: add signature/introspection to diagram token validation node
  to match prose description of JWT and opaque token paths
- Line 48: replace inaccurate blanket audience requirement with accurate
  distinction: required for oidcConfigRef, optional for inline OIDC

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* fixup! Expand vMCP two-boundary auth diagram and descriptions

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: jhrozek

docs/toolhive/guides-vmcp/authentication.mdx

@@ -18,8 +18,11 @@ flowchart LR
     end
 
     subgraph vMCP["Virtual MCP Server (vMCP)"]
-        Auth[Token validation]
-        Backend[Backend auth]
+        direction TB
+        Auth["Token validation<br>(issuer, audience, expiry,<br>signature/introspection)"]
+        Authz["Authorization<br>(Cedar policies)"]
+        Proxy[Backend proxy]
+        Auth --> Authz --> Proxy
     end
 
     subgraph Boundary2[" "]
@@ -30,19 +33,26 @@ flowchart LR
     end
 
     Client -->|"vMCP-scoped<br>token"| Auth
-    Auth --> Backend
-    Backend -->|"Backend-scoped<br>token"| GitHub
-    Backend -->|"Backend-scoped<br>token"| Jira
+    Proxy -->|"Backend-scoped<br>token"| GitHub
+    Proxy -->|"Backend-scoped<br>token"| Jira
 ```
 
 **Boundary 1 (Incoming):** Clients authenticate to vMCP using OAuth 2.1
 authorization as defined in the
 [MCP specification](https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization).
-This is your organization's identity layer.
-
-**Boundary 2 (Outgoing):** vMCP obtains appropriate credentials for each
-backend. Each backend API receives a token or credential scoped to its
-requirements.
+The vMCP validates the token by checking issuer, audience, expiry, and signature
+for JWTs, or by using token introspection for opaque tokens. It then evaluates
+Cedar policies before forwarding the request. This all happens inside the single
+`vmcp` process, unlike a plain MCPServer deployment where a separate ToolHive
+proxy handles this step. When using shared OIDC configuration via
+`oidcConfigRef`, the audience value must be explicitly set. For inline OIDC
+configuration, it is optional but recommended. See
+[OIDC authentication](#oidc-authentication) below.
+
+**Boundary 2 (Outgoing):** vMCP obtains credentials for each backend API using
+the configured outgoing auth strategy. See
+[Outgoing authentication](#outgoing-authentication) for the available
+strategies.
 
 ## Incoming authentication