feat: restructure mcp auth docs into dedicated section and add per-user headers auth type

[Pratham-Mishra04]

Summary

Restructures the MCP authentication documentation into a dedicated mcp/auth/ section with individual pages per auth type, renames gateway-url to gateway, and adds two new auth type pages (headers and per-user-headers) that were previously undocumented.

Changes

• Renamed mcp/gateway-url.mdx → mcp/gateway.mdx and updated the title to "Bifrost as an MCP Gateway"; added redirects from old URLs
• Moved mcp/oauth.mdx and mcp/per-user-oauth.mdx into mcp/auth/oauth.mdx and mcp/auth/per-user-oauth.mdx with redirects from old paths
• Added new auth pages: mcp/auth/overview.mdx, mcp/auth/none.mdx, mcp/auth/headers.mdx, and mcp/auth/per-user-headers.mdx
• Added an "Authentication" group in the sidebar nav under the MCP section, replacing the flat oauth and per-user-oauth entries
• Updated mcp/connecting-to-servers.mdx to remove inline auth configuration examples and point to the new auth section instead
• Updated mcp/sessions.mdx to cover both OAuth token rows and per-user header credential rows, added a reconciliation table for VK/MCP access changes, and expanded troubleshooting
• Updated mcp/gateway.mdx to document per-user headers alongside per-user OAuth in the gateway auth section, and added a new "Disable auto tool injection" section with UI/API/config.json tabs
• Updated all cross-references across overview.mdx, cli-agents/, and mcp/code-mode.mdx to point to the new paths

Type of change

• Bug fix
• Feature
• Refactor
• Documentation
• Chore/CI

Affected areas

• Core (Go)
• Transports (HTTP)
• Providers/Integrations
• Plugins
• UI (React)
• Docs

How to test

Verify all internal doc links resolve correctly, particularly:

• /mcp/auth/overview, /mcp/auth/none, /mcp/auth/headers, /mcp/auth/oauth, /mcp/auth/per-user-oauth, /mcp/auth/per-user-headers
• /mcp/gateway (and that /mcp/gateway-url and /features/mcp/gateway-url redirect correctly)
• /mcp/oauth and /mcp/per-user-oauth redirect to their new paths

Breaking changes

• Yes
• No

The pages /mcp/gateway-url, /mcp/oauth, and /mcp/per-user-oauth have moved. Redirects are in place in docs.json, but any external links pointing to the old URLs will follow the redirect rather than land directly.

Related issues

Security considerations

No security implications. Documentation only.

Checklist

• I read docs/contributing/README.md and followed the guidelines
• I added/updated tests where appropriate
• I updated documentation where needed
• I verified builds succeed (Go and UI)
• I verified the CI pipeline passes locally if applicable

[coderabbitai]

Warning

Review limit reached

@Pratham-Mishra04, we couldn't start this review because you've used your available PR reviews for now.

Your plan currently allows 4 reviews/hour. Refill in 14 minutes and 12 seconds.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more review capacity refills, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than trial, open-source, and free plans. In all cases, review capacity refills continuously over time.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 357c9d85-8ca9-43d4-9eca-48268295392d

📥 Commits

Reviewing files that changed from the base of the PR and between 2c16bfc and 751b28a.

📒 Files selected for processing (18)

• docs/cli-agents/claude-desktop.mdx
• docs/cli-agents/overview.mdx
• docs/cli-agents/roo-code.mdx
• docs/docs.json
• docs/mcp/auth/headers.mdx
• docs/mcp/auth/none.mdx
• docs/mcp/auth/oauth.mdx
• docs/mcp/auth/overview.mdx
• docs/mcp/auth/per-user-headers.mdx
• docs/mcp/auth/per-user-oauth.mdx
• docs/mcp/code-mode.mdx
• docs/mcp/connecting-to-servers.mdx
• docs/mcp/gateway.mdx
• docs/mcp/oauth.mdx
• docs/mcp/overview.mdx
• docs/mcp/per-user-oauth.mdx
• docs/mcp/sessions.mdx
• docs/overview.mdx

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch 05-23-docs_mcp_docs_update

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[Pratham-Mishra04]

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

• feat: restructure mcp auth docs into dedicated section and add per-user headers auth type #3707 👈 (View in Graphite)
• docs: add mcp sessions page and refactor per-user oauth to lazy-auth model #3706 : 1 other dependent PR (#3708 )
• feat: reconcile per-user MCP credentials on VK and MCP client changes #3705
• feat: add mcp per-user headers auth flow ui wiring #3704
• feat: add mcp per-user headers auth type with credential storage and submission flow #3703
• refactor: centralize mcp connection lifecycle into AcquireClientConn and decouple credentials from plugin gate #3702
• refactor: introduce MCPCredentialStore abstraction in MCP credential resolution #3656
• dev

This stack of pull requests is managed by Graphite. Learn more about stacking.

[greptile-apps]

Confidence Score: 4/5

Documentation-only change; no code paths affected. All redirects are correctly mapped and internal cross-references resolve.

The restructure is thorough and internally consistent. One sentence in none.mdx says auth_type is immutable while implying it can be changed in place, which is misleading. The sessions reconciliation table has an ambiguous 'same as the inverse' row. Both are minor clarity issues with no functional impact.

docs/mcp/auth/none.mdx (contradictory immutability wording) and docs/mcp/sessions.mdx (ambiguous reconciliation table row).

Important Files Changed

Filename	Overview
docs/docs.json	Sidebar nav updated with new Authentication group; redirects added for gateway-url, oauth, and per-user-oauth old paths — all correctly mapped.
docs/mcp/auth/none.mdx	New none auth page; one sentence about auth_type immutability has contradictory wording that could confuse readers.
docs/mcp/auth/per-user-headers.mdx	New per-user-headers page documenting the lazy-auth flow, schema editing, lifecycle states, and end-user submission UI. Cross-references correct.
docs/mcp/sessions.mdx	Expanded to cover both OAuth and headers credential rows; new reconciliation table has one ambiguous row description ('Same as the inverse').
docs/mcp/gateway.mdx	Renamed from gateway-url.mdx; adds per-user-headers to the gateway auth section and a new Disable Auto Tool Injection section. Content is accurate.
docs/mcp/connecting-to-servers.mdx	Simplified connection-type table and examples to remove inline auth config; defers to the new auth section. Clean restructure with no missing content.

_{Reviews (1): Last reviewed commit: "docs: mcp docs update" | Re-trigger Greptile}

[greptile-apps]

"Same as the inverse" is ambiguous — it's unclear which preceding row is being inverted, and the phrase doesn't communicate that the effect is also orphaning. The row should state its effect directly, matching the style of every other row in the table.

Suggested change

	| Remove an MCP from a VK's `mcp_configs` | Same as the inverse — (VK, MCP) credentials orphan |
	| Remove an MCP from a VK's `mcp_configs` | (VK, MCP) credentials flip to `orphaned` (unless the VK also has implicit access via `AllowOnAllVirtualKeys`) |

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

[greptile-apps]

Contradictory wording around immutability

The parenthetical says connection_type and auth_type are immutable after creation, then immediately says they "can be edited later if you delete and re-create." Readers will infer there is an in-place edit path. Consider rephrasing: "…immutable after creation — to change auth_type later you must delete and re-create the MCP client."