add more examples for oauth2 + JWT

Author: AdiSai

fern/server-url/server-authentication.mdx

@@ -38,6 +38,8 @@ The simplest way to authenticate webhook requests is using a secret token. Vapi
 
 For more complex authentication scenarios, you can configure custom headers that Vapi will include with each webhook request.
 
+This could include short lived JWTs/API Keys passed along via the Authorization header, or any other header that your server checks for.
+
 #### Configuration
 
 ```json
@@ -82,3 +84,32 @@ For OAuth2-protected webhook endpoints, you can configure OAuth2 credentials tha
 3. Vapi includes the access token in the Authorization header for webhook requests
 4. Your server validates the access token before processing the webhook
 5. When the token expires, Vapi automatically requests a new one
+
+#### OAuth2 Token Response Format
+
+Your server should return a JSON response with the following format:
+
+```json
+{
+  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
+  "token_type": "Bearer",
+  "expires_in": 3600,
+  "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA",  // Optional
+  "scope": "read write"  // Optional, only if scope was requested
+}
+```
+
+Example error response:
+
+```json
+{
+  "error": "invalid_client",
+  "error_description": "Invalid client credentials"
+}
+```
+
+Common error types:
+- `invalid_client`: Invalid client credentials
+- `invalid_grant`: Invalid or expired refresh token
+- `invalid_scope`: Invalid scope requested
+- `unauthorized_client`: Client not authorized for this grant type