Mention OAuth scope challenges in server-configuration.md

Author: SamMorrowDrums

docs/server-configuration.md

@@ -333,11 +333,15 @@ Lockdown mode ensures the server only surfaces content in public repositories fr
 
 ### Scope Filtering
 
-**Automatic feature:** The server automatically detects your classic PAT's OAuth scopes and only shows tools you have permission to use.
+**Automatic feature:** The server handles OAuth scopes differently depending on authentication type:
 
-This happens transparently at startup for classic PATs (`ghp_` prefix)—no configuration needed. If scope detection fails (e.g., network issues), the server logs a warning and continues with all tools available.
+- **Classic PATs** (`ghp_` prefix): Tools are filtered at startup based on token scopes—you only see tools you have permission to use
+- **OAuth** (remote server): Uses scope challenges—when a tool needs a scope you haven't granted, you're prompted to authorize it
+- **Other tokens**: No filtering—all tools shown, API enforces permissions
 
-Each tool in the [README](../README.md#tools) lists its required and accepted OAuth scopes. See [Scope Filtering](./scope-filtering.md) for details on how filtering works with different token types.
+This happens transparently—no configuration needed. If scope detection fails for a classic PAT (e.g., network issues), the server logs a warning and continues with all tools available.
+
+See [Scope Filtering](./scope-filtering.md) for details on how filtering works with different token types.
 
 ---