Document automatic upstream token refresh behavior (#607)

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: jhrozek

docs/toolhive/concepts/backend-auth.mdx

@@ -269,6 +269,17 @@ This mechanism allows MCP servers to call external APIs with the user's actual
 credentials from the upstream provider, while the client only needs to manage a
 single ToolHive-issued JWT.
 
+#### Automatic token refresh
+
+Upstream access tokens have their own expiration, independent of the ToolHive
+JWT lifespan. When the stored upstream access token has expired, ToolHive
+automatically refreshes it using the stored refresh token before forwarding the
+request — your MCP session continues without re-authentication.
+
+If the refresh token is also expired or has been revoked by the upstream
+provider, ToolHive returns a `401` response, prompting you to re-authenticate
+through the OAuth flow.
+
 :::warning[Session storage limitations]
 
 By default, session storage is in-memory only. Upstream tokens are lost when