Fix BYOK limitations wording: static credentials, not key-based only

BYOK accepts both API keys and bearer tokens, so 'key-based only' was
inaccurate. Reword to clarify BYOK uses static credentials you supply
but doesn't natively perform identity provider flows.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: krukow

doc/auth/byok.md

@@ -167,14 +167,14 @@ Some providers require bearer token authentication instead of API keys:
 
 ### Identity Limitations
 
-BYOK authentication is **key-based only** — no native Entra ID, OIDC, or managed identity support. However, you can use `DefaultAzureCredential` to obtain a short-lived bearer token and pass it via `:bearer-token`. See the [Azure Managed Identity workaround](./azure-managed-identity.md) for details.
+BYOK authentication uses **static credentials that you supply** (API keys or bearer tokens); it does not natively perform Entra ID, OIDC, or managed identity flows. However, you can use `DefaultAzureCredential` to obtain a short-lived bearer token and pass it via `:bearer-token`. See the [Azure Managed Identity workaround](./azure-managed-identity.md) for details.
 
-The following are NOT natively supported:
+The following identity flows are NOT natively supported (you must handle them yourself and pass the resulting credential to BYOK):
 
 - ❌ Microsoft Entra ID (Azure AD) managed identities or service principals
 - ❌ Third-party identity providers (OIDC, SAML, etc.)
 
-You must use an API key or bearer token that you manage yourself.
+You must provide and manage the API key or bearer token that BYOK uses.
 
 ### Feature Limitations