docs: improve docs for new config option

docs/docs/endpoints/authorize.mdx

@@ -1,5 +1,5 @@
 ---
-sidebar_position: 2
+sidebar_position: 1
 title: /authorize
 ---
 
@@ -8,11 +8,11 @@ title: /authorize
 The `/authorize` endpoint is a front channel endpoint that initiates the authorization process and issues an authorization code. This code can then be exchanged at the `/token` endpoint for a usable access token.
 
 :::info
+- This endpoint is only necessary if you are implementing the Authorization Code Grant.
 
 - The authorization endpoint should only support the GET method for the initial request. The user agent should be redirected to the authorization page.
 
 - The URL `/authorize` can be customized, some other common urls are: `/oauth/authorize`, `/v1/authorize`, etc.
-
 :::
 
 ## Purpose

docs/docs/endpoints/index.mdx

@@ -6,10 +6,6 @@ sidebar_position: 2
 
 This server implements the following OAuth 2.0 endpoints, each supporting specific functionalities as defined in various RFC specifications:
 
-:::note
-All endpoints should be accessed over HTTPS to ensure secure communication.
-:::
-
 ## Core Endpoints
 
 - [The `/token` Endpoint](./token.mdx)
@@ -19,3 +15,7 @@ All endpoints should be accessed over HTTPS to ensure secure communication.
 
 - [The `/token/introspect` Endpoint](./introspect.mdx)
 - [The `/token/revoke` Endpoint](./revoke.mdx)
+
+:::note
+All endpoints should be accessed over HTTPS to ensure secure communication.
+:::

docs/docs/endpoints/introspect.mdx

@@ -7,8 +7,9 @@ title: /token/introspect
 
 The `/token/introspect` endpoint is a back channel endpoint that revokes an existing token. The introspect endpoint requires the `TokenRepository#getByAccessToken` method to introspect `token_type_hint=access_token`.
 
-:::tip
-This endpoint requires `TokenRepository#getByAccessToken` to be defined
+:::info
+- Implementing this endpoint is optional
+- This endpoint requires `TokenRepository#getByAccessToken` to be defined if using `token_type_hint=access_token`
 :::
 
 ```ts
@@ -23,6 +24,19 @@ app.post("/token/introspect", async (req: Express.Request, res: Express.Response
 });
 ```
 
+### Configure
+
+Client credentials authentication is enabled by default. To disable, set `authenticateIntrospect` to `false`.
+
+```ts
+const authoriztionServer = new AuthorizationServer(
+  ...,
+  {
+    authenticateIntrospect: false,
+  }
+);
+```
+
 ### Request
 
 A complete token introspection request will include the following parameters:
@@ -61,6 +75,22 @@ You can authenticate by passing the `client_id` and `client_secret` as a query s
       ```
     </TabItem>
 
+    <TabItem value="authenticateIntrospect" label="authenticateIntrospect = false">
+      ```ts
+      new AuthorizationServer(..., {
+        authenticateIntrospect: false,
+      })
+      ```
+
+      ```http request []
+      POST /token/introspect HTTP/1.1
+      Host: example.com
+      Content-Type: application/x-www-form-urlencoded
+
+      token=xxxxxxxxxx
+      &token_type_hint=refresh_token
+      ```
+    </TabItem>
   </Tabs>
 </details>
 

docs/docs/endpoints/revoke.mdx

@@ -7,8 +7,9 @@ title: /token/revoke
 
 The `/token/revoke` endpoint is a back channel endpoint that revokes an existing token.
 
-:::tip
-This endpoint requires `TokenRepository#getByAccessToken` to be defined
+:::info
+- Implementing this endpoint is optional
+- This endpoint requires `TokenRepository#getByAccessToken` to be defined if using `token_type_hint=access_token`
 :::
 
 ```ts
@@ -23,6 +24,19 @@ app.post("/token/revoke", async (req: Express.Request, res: Express.Response) =>
 });
 ```
 
+### Configure
+
+Client credentials authentication is enabled by default. To disable, set `authenticateRevoke` to `false`.
+
+```ts
+const authoriztionServer = new AuthorizationServer(
+  ...,
+  {
+    authenticateRevoke: false,
+  }
+);
+```
+
 ### Request
 
 A complete token revocation request will include the following parameters:
@@ -61,6 +75,23 @@ You can authenticate by passing the `client_id` and `client_secret` as a query s
       ```
     </TabItem>
 
+    <TabItem value="authenticateRevoke" label="authenticateRevoke = false">
+      ```ts
+      new AuthorizationServer(..., {
+        authenticateRevoke: false,
+      })
+      ```
+
+      ```http request []
+      POST /token/revoke HTTP/1.1
+      Host: example.com
+      Content-Type: application/x-www-form-urlencoded
+
+      token=xxxxxxxxxx
+      &token_type_hint=refresh_token
+      ```
+    </TabItem>
+
   </Tabs>
 </details>
 

docs/docs/endpoints/token.mdx

@@ -1,5 +1,5 @@
 ---
-sidebar_position: 1
+sidebar_position: 2
 title: /token
 ---
 
@@ -8,11 +8,9 @@ title: /token
 The `/token` endpoint is a back channel endpoint that issues a usable access token. It supports multiple grant types as defined in OAuth 2.0 specifications.
 
 :::info
-
 - All requests to the `/token` endpoint should use the HTTP POST method and include appropriate authentication (e.g., client credentials in the Authorization header or in the request body).
 
 - The url `/token` can be anything, some other common urls are: `/oauth/token`, `/v1/token`, etc.
-
 :::
 
 ```ts

docs/docs/grants/authorization_code.mdx

@@ -105,7 +105,7 @@ The authorization server will respond with the following response
 - **token_type** will always be `Bearer`
 - **expires_in** is the time the token will live in seconds
 - **access_token** is a JWT signed token and is used to authenticate into the resource server
-- **refresh_token** is a JWT signed token and can be used in with the [refresh grant](#refresh-token-grant)
+- **refresh_token** is a JWT signed token and can be used in with the [refresh grant](./refresh_token.mdx)
 - **scope** is a space delimited list of scopes the token has access to
 
 <details>

docs/docs/grants/password.mdx

@@ -70,7 +70,7 @@ The authorization server will respond with the following response
 - **token_type** will always be `Bearer`
 - **expires_in** is the time the token will live in seconds
 - **access_token** is a JWT signed token and is used to authenticate into the resource server
-- **refresh_token** is a JWT signed token and can be used in with the [refresh grant](#refresh-token-grant)
+- **refresh_token** is a JWT signed token and can be used in with the [refresh grant](./refresh_token.mdx)
 - **scope** is a space delimited list of scopes the token has access to
 
 <details>

docs/docs/grants/refresh_token.mdx

@@ -63,7 +63,7 @@ The authorization server will respond with the following response
 - **token_type** will always be `Bearer`
 - **expires_in** is the time the token will live in seconds
 - **access_token** is a JWT signed token and is used to authenticate into the resource server
-- **refresh_token** is a JWT signed token and can be used in with the [refresh grant](#refresh-token-grant)
+- **refresh_token** is a JWT signed token and can be used in with the refresh grant (this one)
 - **scope** is a space delimited list of scopes the token has access to
 
 <details>

docs/docs/upgrade_guide.md

@@ -48,7 +48,7 @@ In v3, `enableGrantType` has been updated for the **"authorization_code"** and *
 
 #### Authorization Code Grant
 
-`AuthorizationCodeGrant` now requires a [AuthorizationCodeRepository](./getting_started/repositories.mdx#authorization-code-repository) and a [UserRepository](./getting_started/repositories.mdx#user-repository).
+`AuthorizationCodeGrant` now requires a [AuthorizationCodeRepository](./getting_started/repositories.mdx#auth-code-repository) and a [UserRepository](./getting_started/repositories.mdx#user-repository).
 
 **Before (v2.x):**