Address two Copilot review comments on PR #681

- Line 22: add signature/introspection to diagram token validation node
  to match prose description of JWT and opaque token paths
- Line 48: replace inaccurate blanket audience requirement with accurate
  distinction: required for oidcConfigRef, optional for inline OIDC

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: jhrozek

docs/toolhive/guides-vmcp/authentication.mdx

@@ -19,7 +19,7 @@ flowchart LR
 
     subgraph vMCP["Virtual MCP Server (vMCP)"]
         direction TB
-        Auth["Token validation<br>(issuer, audience, expiry)"]
+        Auth["Token validation<br>(issuer, audience, expiry,<br>signature/introspection)"]
         Authz["Authorization<br>(Cedar policies)"]
         Proxy[Backend proxy]
         Auth --> Authz --> Proxy
@@ -44,8 +44,10 @@ The vMCP validates the token — checking issuer, audience, expiry, and signatur
 for JWTs, or using token introspection for opaque tokens — and then evaluates
 Cedar policies before forwarding the request. This all happens inside the single
 `vmcp` process, unlike a plain MCPServer deployment where a separate ToolHive
-proxy handles this step. The audience value must be explicitly set in
-`incomingAuth` (see [OIDC authentication](#oidc-authentication) below).
+proxy handles this step. When using shared OIDC configuration via
+`oidcConfigRef`, the audience value must be explicitly set. For inline OIDC
+configuration, it is optional but recommended. See
+[OIDC authentication](#oidc-authentication) below.
 
 **Boundary 2 (Outgoing):** vMCP obtains credentials for each backend API using
 the configured outgoing auth strategy. See