stacklok · danbarr · Aug 11, 2025 · Aug 8, 2025
diff --git a/docs/toolhive/reference/cli/thv_build.md b/docs/toolhive/reference/cli/thv_build.md
@@ -44,8 +44,10 @@ thv build [flags] PROTOCOL
 ### Options
 
 ```
-  -h, --help         help for build
-  -t, --tag string   Name and optionally a tag in the 'name:tag' format for the built image
+      --dry-run         Generate Dockerfile without building (stdout output unless -o is set)
+  -h, --help            help for build
+  -o, --output string   Write the Dockerfile to the specified file instead of building
+  -t, --tag string      Name and optionally a tag in the 'name:tag' format for the built image
 ```
 
 ### Options inherited from parent commands

diff --git a/docs/toolhive/reference/cli/thv_proxy.md b/docs/toolhive/reference/cli/thv_proxy.md
@@ -48,13 +48,22 @@ Basic transparent proxy:
 
 	thv proxy my-server --target-uri http://localhost:8080
 
-Proxy with OAuth authentication to remote server:
+Proxy with OIDC authentication to remote server:
 
 	thv proxy my-server --target-uri https://api.example.com \
 	  --remote-auth --remote-auth-issuer https://auth.example.com \
 	  --remote-auth-client-id my-client-id \
 	  --remote-auth-client-secret-file /path/to/secret
 
+Proxy with non-OIDC OAuth authentication to remote server:
+
+	thv proxy my-server --target-uri https://api.example.com \
+	  --remote-auth \
+	  --remote-auth-authorize-url https://auth.example.com/oauth/authorize \
+	  --remote-auth-token-url https://auth.example.com/oauth/token \
+	  --remote-auth-client-id my-client-id \
+	  --remote-auth-client-secret-file /path/to/secret
+
 Proxy with OIDC protection for incoming requests:
 
 	thv proxy my-server --target-uri http://localhost:8080 \
@@ -77,19 +86,23 @@ thv proxy [flags] SERVER_NAME
       --host string                             Host for the HTTP proxy to listen on (IP or hostname) (default "127.0.0.1")
       --oidc-audience string                    Expected audience for the token
       --oidc-client-id string                   OIDC client ID
+      --oidc-client-secret string               OIDC client secret (optional, for introspection)
+      --oidc-introspection-url string           URL for token introspection endpoint
       --oidc-issuer string                      OIDC issuer URL (e.g., https://accounts.google.com)
       --oidc-jwks-url string                    URL to fetch the JWKS from
-      --oidc-skip-opaque-token-validation       Allow skipping validation of opaque tokens
       --port int                                Port for the HTTP proxy to listen on (host port)
       --remote-auth                             Enable OAuth authentication to remote MCP server
+      --remote-auth-authorize-url string        OAuth authorization endpoint URL (alternative to --remote-auth-issuer for non-OIDC OAuth)
       --remote-auth-callback-port int           Port for OAuth callback server during remote authentication (default: 8666) (default 8666)
       --remote-auth-client-id string            OAuth client ID for remote server authentication
       --remote-auth-client-secret string        OAuth client secret for remote server authentication (optional for PKCE)
       --remote-auth-client-secret-file string   Path to file containing OAuth client secret (alternative to --remote-auth-client-secret)
       --remote-auth-issuer string               OAuth/OIDC issuer URL for remote server authentication (e.g., https://accounts.google.com)
-      --remote-auth-scopes strings              OAuth scopes to request for remote server authentication (default [openid,profile,email])
+      --remote-auth-scopes strings              OAuth scopes to request for remote server authentication (defaults: OIDC uses 'openid,profile,email')
       --remote-auth-skip-browser                Skip opening browser for remote server OAuth flow
       --remote-auth-timeout duration            Timeout for OAuth authentication flow (e.g., 30s, 1m, 2m30s) (default 30s)
+      --remote-auth-token-url string            OAuth token endpoint URL (alternative to --remote-auth-issuer for non-OIDC OAuth)
+      --resource-url string                     Explicit resource URL for OAuth discovery endpoint (RFC 9728)
       --target-uri string                       URI for the target MCP server (e.g., http://localhost:8080) (required)
 ```
 

diff --git a/docs/toolhive/reference/cli/thv_restart.md b/docs/toolhive/reference/cli/thv_restart.md
@@ -24,8 +24,9 @@ thv restart [workload-name] [flags]
 ### Options
 
 ```
-  -a, --all    Restart all MCP servers
-  -h, --help   help for restart
+  -a, --all          Restart all MCP servers
+  -f, --foreground   Run the restarted workload in foreground mode
+  -h, --help         help for restart
 ```
 
 ### Options inherited from parent commands

diff --git a/docs/toolhive/reference/cli/thv_run.md b/docs/toolhive/reference/cli/thv_run.md
@@ -78,9 +78,10 @@ thv run [flags] SERVER_OR_IMAGE_OR_PROTOCOL [-- ARGS...]
       --name string                           Name of the MCP server (auto-generated from image if not provided)
       --oidc-audience string                  Expected audience for the token
       --oidc-client-id string                 OIDC client ID
+      --oidc-client-secret string             OIDC client secret (optional, for introspection)
+      --oidc-introspection-url string         URL for token introspection endpoint
       --oidc-issuer string                    OIDC issuer URL (e.g., https://accounts.google.com)
       --oidc-jwks-url string                  URL to fetch the JWKS from
-      --oidc-skip-opaque-token-validation     Allow skipping validation of opaque tokens
       --otel-enable-prometheus-metrics-path   Enable Prometheus-style /metrics endpoint on the main transport port
       --otel-endpoint string                  OpenTelemetry OTLP endpoint URL (e.g., https://api.honeycomb.io)
       --otel-env-vars stringArray             Environment variable names to include in OpenTelemetry spans (comma-separated: ENV1,ENV2)
@@ -92,6 +93,7 @@ thv run [flags] SERVER_OR_IMAGE_OR_PROTOCOL [-- ARGS...]
       --print-resolved-overlays               Debug: show resolved container paths for tmpfs overlays
       --proxy-mode string                     Proxy mode for stdio transport (sse or streamable-http) (default "sse")
       --proxy-port int                        Port for the HTTP proxy to listen on (host port)
+      --resource-url string                   Explicit resource URL for OAuth discovery endpoint (RFC 9728)
       --secret stringArray                    Specify a secret to be fetched from the secrets manager and set as an environment variable (format: NAME,target=TARGET)
       --target-host string                    Host to forward traffic to (only applicable to SSE or Streamable HTTP transport) (default "127.0.0.1")
       --target-port int                       Port for the container to expose (only applicable to SSE or Streamable HTTP transport)

diff --git a/docs/toolhive/reference/cli/thv_serve.md b/docs/toolhive/reference/cli/thv_serve.md
@@ -24,16 +24,17 @@ thv serve [flags]
 ### Options
 
 ```
-  -h, --help                                help for serve
-      --host string                         Host address to bind the server to (default "127.0.0.1")
-      --oidc-audience string                Expected audience for the token
-      --oidc-client-id string               OIDC client ID
-      --oidc-issuer string                  OIDC issuer URL (e.g., https://accounts.google.com)
-      --oidc-jwks-url string                URL to fetch the JWKS from
-      --oidc-skip-opaque-token-validation   Allow skipping validation of opaque tokens
-      --openapi                             Enable OpenAPI documentation endpoints (/api/openapi.json and /api/doc)
-      --port int                            Port to bind the server to (default 8080)
-      --socket string                       UNIX socket path to bind the server to (overrides host and port if provided)
+  -h, --help                            help for serve
+      --host string                     Host address to bind the server to (default "127.0.0.1")
+      --oidc-audience string            Expected audience for the token
+      --oidc-client-id string           OIDC client ID
+      --oidc-client-secret string       OIDC client secret (optional, for introspection)
+      --oidc-introspection-url string   URL for token introspection endpoint
+      --oidc-issuer string              OIDC issuer URL (e.g., https://accounts.google.com)
+      --oidc-jwks-url string            URL to fetch the JWKS from
+      --openapi                         Enable OpenAPI documentation endpoints (/api/openapi.json and /api/doc)
+      --port int                        Port to bind the server to (default 8080)
+      --socket string                   UNIX socket path to bind the server to (overrides host and port if provided)
 ```
 
 ### Options inherited from parent commands