stacklok
diff --git a/‎docs/toolhive/reference/cli/thv_proxy.md‎
Lines changed: 30 additions & 22 deletions b/‎docs/toolhive/reference/cli/thv_proxy.md‎
Lines changed: 30 additions & 22 deletions
@@ -97,28 +97,36 @@ thv proxy [flags] SERVER_NAME
 ### Options
 
 ```
-  -h, --help                                    help for proxy
-      --host string                             Host for the HTTP proxy to listen on (IP or hostname) (default "127.0.0.1")
-      --oidc-audience string                    Expected audience for the token
-      --oidc-client-id string                   OIDC client ID
-      --oidc-client-secret string               OIDC client secret (optional, for introspection)
-      --oidc-introspection-url string           URL for token introspection endpoint
-      --oidc-issuer string                      OIDC issuer URL (e.g., https://accounts.google.com)
-      --oidc-jwks-url string                    URL to fetch the JWKS from
-      --port int                                Port for the HTTP proxy to listen on (host port)
-      --remote-auth                             Enable OAuth/OIDC authentication to remote MCP server
-      --remote-auth-authorize-url string        OAuth authorization endpoint URL (alternative to --remote-auth-issuer for non-OIDC OAuth)
-      --remote-auth-callback-port int           Port for OAuth callback server during remote authentication (default 8666)
-      --remote-auth-client-id string            OAuth client ID for remote server authentication
-      --remote-auth-client-secret string        OAuth client secret for remote server authentication (optional for PKCE)
-      --remote-auth-client-secret-file string   Path to file containing OAuth client secret (alternative to --remote-auth-client-secret)
-      --remote-auth-issuer string               OAuth/OIDC issuer URL for remote server authentication (e.g., https://accounts.google.com)
-      --remote-auth-scopes strings              OAuth scopes to request for remote server authentication (defaults: OIDC uses 'openid,profile,email')
-      --remote-auth-skip-browser                Skip opening browser for remote server OAuth flow
-      --remote-auth-timeout duration            Timeout for OAuth authentication flow (e.g., 30s, 1m, 2m30s) (default 30s)
-      --remote-auth-token-url string            OAuth token endpoint URL (alternative to --remote-auth-issuer for non-OIDC OAuth)
-      --resource-url string                     Explicit resource URL for OAuth discovery endpoint (RFC 9728)
-      --target-uri string                       URI for the target MCP server (e.g., http://localhost:8080) (required)
+  -h, --help                                       help for proxy
+      --host string                                Host for the HTTP proxy to listen on (IP or hostname) (default "127.0.0.1")
+      --oidc-audience string                       Expected audience for the token
+      --oidc-client-id string                      OIDC client ID
+      --oidc-client-secret string                  OIDC client secret (optional, for introspection)
+      --oidc-introspection-url string              URL for token introspection endpoint
+      --oidc-issuer string                         OIDC issuer URL (e.g., https://accounts.google.com)
+      --oidc-jwks-url string                       URL to fetch the JWKS from
+      --port int                                   Port for the HTTP proxy to listen on (host port)
+      --remote-auth                                Enable OAuth/OIDC authentication to remote MCP server
+      --remote-auth-authorize-url string           OAuth authorization endpoint URL (alternative to --remote-auth-issuer for non-OIDC OAuth)
+      --remote-auth-callback-port int              Port for OAuth callback server during remote authentication (default 8666)
+      --remote-auth-client-id string               OAuth client ID for remote server authentication
+      --remote-auth-client-secret string           OAuth client secret for remote server authentication (optional for PKCE)
+      --remote-auth-client-secret-file string      Path to file containing OAuth client secret (alternative to --remote-auth-client-secret)
+      --remote-auth-issuer string                  OAuth/OIDC issuer URL for remote server authentication (e.g., https://accounts.google.com)
+      --remote-auth-scopes strings                 OAuth scopes to request for remote server authentication (defaults: OIDC uses 'openid,profile,email')
+      --remote-auth-skip-browser                   Skip opening browser for remote server OAuth flow
+      --remote-auth-timeout duration               Timeout for OAuth authentication flow (e.g., 30s, 1m, 2m30s) (default 30s)
+      --remote-auth-token-url string               OAuth token endpoint URL (alternative to --remote-auth-issuer for non-OIDC OAuth)
+      --resource-url string                        Explicit resource URL for OAuth discovery endpoint (RFC 9728)
+      --target-uri string                          URI for the target MCP server (e.g., http://localhost:8080) (required)
+      --token-exchange-audience string             Target audience for exchanged tokens
+      --token-exchange-client-id string            OAuth client ID for token exchange operations
+      --token-exchange-client-secret string        OAuth client secret for token exchange operations
+      --token-exchange-client-secret-file string   Path to file containing OAuth client secret for token exchange (alternative to --token-exchange-client-secret)
+      --token-exchange-header-name string          Custom header name for injecting exchanged token (default: replaces Authorization header)
+      --token-exchange-scopes strings              Scopes to request for exchanged tokens
+      --token-exchange-subject-token-type string   Type of subject token to exchange. Accepts: access_token (default), id_token (required for Google STS)
+      --token-exchange-url string                  OAuth 2.0 token exchange endpoint URL (enables token exchange when provided)
 ```
 
 ### Options inherited from parent commands