Document Bearer Token auth for remote MCP servers

docs/toolhive/_partials/_remote-mcp-auth-examples.mdx

@@ -16,6 +16,22 @@ that supports this feature:
 1. Your browser opens for authentication. After you authorize access, the remote
    MCP server appears in your server list with a "Running" status.
 
+#### Remote MCP server with Bearer Token authentication
+
+Bearer Token authentication is the simplest option for MCP servers that accept a
+bearer token in the `Authorization` header. Brave Search's remote MCP server is
+one example:
+
+1. Configuration settings:
+   - **Server name**: `brave-search`
+   - **Server URL**: `https://mcp.bravesearch.com/sse`
+   - **Transport**: SSE
+   - **Authorization method**: Bearer Token
+   - **Bearer token**: Your Brave Search API key
+1. When you install the server, ToolHive stores the token securely and injects
+   it as an `Authorization: Bearer <token>` header on every request.
+1. The remote MCP server appears in your server list with a "Running" status.
+
 #### Remote MCP server with OAuth2 authentication
 
 GitHub's remote MCP server requires manual OAuth configuration. You'll need to

docs/toolhive/guides-ui/run-mcp-servers.mdx

@@ -145,9 +145,20 @@ remaining required information and adjust any optional settings as needed:
    - Obtains and manages client credentials
    - Handles token lifecycle automatically
 
-   For MCP servers that require manual configuration, ToolHive supports OAuth2
-   and OIDC authentication. Obtain the necessary information from the MCP
-   server's documentation or administrator.
+   For MCP servers that accept a bearer token in the `Authorization` header,
+   select **Bearer Token**. ToolHive stores the token securely and sends it as
+   an `Authorization: Bearer <token>` header on every request. For servers that
+   expect a different header (such as `X-API-Key`), use **Custom headers**
+   instead.
+
+   **Bearer Token authentication options:**
+   - **Bearer token**: The token value. Enter a value to create a new secret or
+     select an existing secret from the provider. Secrets are stored securely
+     and are not exposed in plaintext in configuration files. See
+     [Secrets management](./secrets-management.mdx) for details. [Required]
+
+   For MCP servers that require OAuth2 or OIDC authentication, obtain the
+   necessary information from the MCP server's documentation or administrator.
 
    **OAuth2 authentication options:**
    - **Authorize URL**: The URL where users are redirected to authenticate and
@@ -158,9 +169,9 @@ remaining required information and adjust any optional settings as needed:
      provider. [Required]
    - **Client secret**: The secret key that proves your application's identity.
      Enter a value to create a new secret or select an existing secret from the
-     provider. Secrets are stored securely and can be used by the MCP server
-     without exposing them in plaintext. See
-     [Secrets management](./secrets-management.mdx) for details. [Optional]
+     provider. Secrets are stored securely and are not exposed in plaintext in
+     configuration files. See [Secrets management](./secrets-management.mdx) for
+     details. [Optional]
    - **Scopes**: List of permissions your application is requesting. [Optional]
    - **PKCE**: Enable Proof Key for Code Exchange (RFC 7636) for enhanced
      security without requiring a client secret. [Optional]
@@ -171,9 +182,9 @@ remaining required information and adjust any optional settings as needed:
      provider. [Required]
    - **Client secret**: The secret key that proves your application's identity.
      Enter a value to create a new secret or select an existing secret from the
-     provider. Secrets are stored securely and can be used by the MCP server
-     without exposing them in plaintext. See
-     [Secrets management](./secrets-management.mdx) for details. [Optional]
+     provider. Secrets are stored securely and are not exposed in plaintext in
+     configuration files. See [Secrets management](./secrets-management.mdx) for
+     details. [Optional]
    - **PKCE**: Enable Proof Key for Code Exchange (RFC 7636) for enhanced
      security without requiring a client secret. [Optional]
 
@@ -405,9 +416,20 @@ On the configuration form, enter:
    - Obtains and manages client credentials
    - Handles token lifecycle automatically
 
-   For MCP servers that require manual configuration, ToolHive supports OAuth2
-   and OIDC authentication. Obtain the necessary information from the MCP
-   server's documentation or administrator.
+   For MCP servers that accept a bearer token in the `Authorization` header,
+   select **Bearer Token**. ToolHive stores the token securely and sends it as
+   an `Authorization: Bearer <token>` header on every request. For servers that
+   expect a different header (such as `X-API-Key`), use **Custom headers**
+   instead.
+
+   **Bearer Token authentication options:**
+   - **Bearer token**: The token value. Enter a value to create a new secret or
+     select an existing secret from the provider. Secrets are stored securely
+     and are not exposed in plaintext in configuration files. See
+     [Secrets management](./secrets-management.mdx) for details. [Required]
+
+   For MCP servers that require OAuth2 or OIDC authentication, obtain the
+   necessary information from the MCP server's documentation or administrator.
 
    **OAuth2 authentication options:**
    - **Authorize URL**: The URL where users are redirected to authenticate and
@@ -418,20 +440,22 @@ On the configuration form, enter:
      provider. [Required]
    - **Client secret**: The secret key that proves your application's identity.
      Enter a value to create a new secret or select an existing secret from the
-     provider. Secrets are stored securely and can be used by the MCP server
-     without exposing them in plaintext. See
-     [Secrets management](./secrets-management.mdx) for details. [Optional]
+     provider. Secrets are stored securely and are not exposed in plaintext in
+     configuration files. See [Secrets management](./secrets-management.mdx) for
+     details. [Optional]
    - **Scopes**: List of permissions your application is requesting. [Optional]
+   - **PKCE**: Enable Proof Key for Code Exchange (RFC 7636) for enhanced
+     security without requiring a client secret. [Optional]
 
    **OIDC authentication options:**
    - **Issuer URL**: The base URL of the OIDC provider. [Required]
    - **Client ID**: Your application's identifier registered with the OIDC
      provider. [Required]
    - **Client secret**: The secret key that proves your application's identity.
      Enter a value to create a new secret or select an existing secret from the
-     provider. Secrets are stored securely and can be used by the MCP server
-     without exposing them in plaintext. See
-     [Secrets management](./secrets-management.mdx) for details. [Optional]
+     provider. Secrets are stored securely and are not exposed in plaintext in
+     configuration files. See [Secrets management](./secrets-management.mdx) for
+     details. [Optional]
    - **PKCE**: Enable Proof Key for Code Exchange (RFC 7636) for enhanced
      security without requiring a client secret. [Optional]