Update docs/toolhive/guides-registry/authorization.mdx

rdimitrov · Copilot · web-flow · commit 568c7a9fb015 · 2026-04-09T15:19:28.000-04:00
Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;
diff --git a/docs/toolhive/guides-registry/authorization.mdx b/docs/toolhive/guides-registry/authorization.mdx
@@ -207,11 +207,13 @@ Resources with no claims are accessible to all authenticated callers.
 When you publish an MCP server version or skill to a managed source, you can
 attach claims to the entry. The server enforces two rules:
 
-1. **Publish claims must be a subset of the publisher's JWT claims.** You cannot
-   publish entries with broader visibility than your own identity allows. For
-   example, if your JWT has `{org: "acme", team: "platform"}`, you can publish
-   entries with `{org: "acme", team: "platform"}` but not with `{org: "acme"}`
-   alone (which would be visible to all teams).
+1. **Publish claims must not be broader than the publisher's JWT claims.** In
+   other words, the published entry's claims must be at least as specific as the
+   publisher's claims, so the entry does not become visible to a wider audience
+   than the publisher belongs to. For example, if your JWT has
+   `{org: "acme", team: "platform"}`, you can publish entries with
+   `{org: "acme", team: "platform"}` but not with `{org: "acme"}` alone
+   (which would be visible to all teams in the org).
 
 2. **Subsequent versions must have the same claims as the first.** Once you
    publish the first version of an entry with specific claims, all future
