add proxy into the guide

Author: yrobla

docs/toolhive/guides-cli/auth.mdx

@@ -143,6 +143,26 @@ to perform an action, ToolHive will evaluate the request against the policies.
 If the request is permitted, the action will proceed; otherwise, it will be
 denied with a 403 Forbidden response.
 
+## Standalone proxy authentication
+
+In addition to authentication for MCP servers run with `thv run`, ToolHive
+provides a standalone `thv proxy` command that can create transparent HTTP
+proxies with advanced authentication capabilities.
+
+The proxy command is useful when you need:
+
+- **Outgoing authentication**: Authenticate to remote MCP servers using
+  OAuth/OIDC without managing tokens in your client
+- **Incoming authentication**: Protect a proxy endpoint with OIDC validation,
+  requiring clients to provide valid JWT tokens
+- **Bidirectional authentication**: Secure both incoming requests to the proxy
+  and outgoing requests to remote servers
+- **Dynamic client registration**: Automatically register OAuth clients using
+  RFC 7591, eliminating the need for pre-configuration
+
+For complete details on using the proxy with authentication, see
+[Proxy with authentication](./proxy-authentication.mdx).
+
 ## Troubleshooting
 
 <AuthTroubleshooting />

docs/toolhive/guides-cli/proxy-authentication.mdx

@@ -6,8 +6,8 @@ description:
 
 This guide explains how to use the `thv proxy` command to create a standalone
 transparent HTTP proxy with authentication support for MCP servers. The proxy
-provides flexible authentication options for both incoming requests to the
-proxy and outgoing requests to remote MCP servers.
+provides flexible authentication options for both incoming requests to the proxy
+and outgoing requests to remote MCP servers.
 
 ## Overview
 
@@ -105,8 +105,8 @@ thv proxy my-server \
 
 ### Auto-detect authentication
 
-The proxy can automatically detect if a remote server requires authentication
-by examining WWW-Authenticate headers:
+The proxy can automatically detect if a remote server requires authentication by
+examining WWW-Authenticate headers:
 
 ```bash
 thv proxy my-server \
@@ -119,8 +119,8 @@ appropriate OAuth flow.
 
 ### Dynamic client registration
 
-When no client credentials are provided, the proxy can automatically register
-an OAuth client using RFC 7591 dynamic client registration:
+When no client credentials are provided, the proxy can automatically register an
+OAuth client using RFC 7591 dynamic client registration:
 
 ```bash
 thv proxy my-server \
@@ -289,8 +289,7 @@ thv proxy my-server \
 
 ### Client secret sources
 
-OAuth client secrets can be provided via three methods (in order of
-precedence):
+OAuth client secrets can be provided via three methods (in order of precedence):
 
 1. `--remote-auth-client-secret` flag (not recommended for production)
 2. `--remote-auth-client-secret-file` flag (recommended)