Fix several issues in docs

RakhithaRR · RakhithaRR · commit 58ded661ddaa · 2026-01-19T08:27:59.000+05:30
diff --git a/docs/ai-gateway/mcp/policies/mcp-authorization.md b/docs/ai-gateway/mcp/policies/mcp-authorization.md
@@ -237,18 +237,18 @@ spec:
 - Result: ❌ Access Denied (insufficient scopes)
 
 **Scenario 3**: User with claim `department="engineering"` attempts to read resource `file:///private/code`
-- Rule: `attribute.type="resource", attribute.name="file:///private/*", requiredClaims={department="engineering"}`
+- Rule: `attribute.type="resource", attribute.name="file:///private/code", requiredClaims={department="engineering"}`
 - Result: ✅ Access Granted
 
 **Scenario 4**: User with claim `department="finance"` (no engineering) attempts to read resource `file:///private/code`
-- Rule: `attribute.type="resource", attribute.name="file:///private/*", requiredClaims={department="engineering"}`
+- Rule: `attribute.type="resource", attribute.name="file:///private/code", requiredClaims={department="engineering"}`
 - Result: ❌ Access Denied (claim mismatch)
 
 ## Error Handling
 
 When authorization fails, the policy returns:
 - **HTTP Status**: `403 Forbidden`
-- **Response Body**: JSON error response with details about missing scopes and claims
+- **Response Body**: JSON error response with a reason message
 - **WWW-Authenticate Header**: Contains information about required scopes for the denied resource
 
 ## Related Policies
diff --git a/docs/gateway/mcp/policies/mcp-authorization.md b/docs/gateway/mcp/policies/mcp-authorization.md
@@ -237,18 +237,18 @@ spec:
 - Result: ❌ Access Denied (insufficient scopes)
 
 **Scenario 3**: User with claim `department="engineering"` attempts to read resource `file:///private/code`
-- Rule: `attribute.type="resource", attribute.name="file:///private/*", requiredClaims={department="engineering"}`
+- Rule: `attribute.type="resource", attribute.name="file:///private/code", requiredClaims={department="engineering"}`
 - Result: ✅ Access Granted
 
 **Scenario 4**: User with claim `department="finance"` (no engineering) attempts to read resource `file:///private/code`
-- Rule: `attribute.type="resource", attribute.name="file:///private/*", requiredClaims={department="engineering"}`
+- Rule: `attribute.type="resource", attribute.name="file:///private/code", requiredClaims={department="engineering"}`
 - Result: ❌ Access Denied (claim mismatch)
 
 ## Error Handling
 
 When authorization fails, the policy returns:
 - **HTTP Status**: `403 Forbidden`
-- **Response Body**: JSON error response with details about missing scopes and claims
+- **Response Body**: JSON error response with a reason message
 - **WWW-Authenticate Header**: Contains information about required scopes for the denied resource
 
 ## Related Policies
diff --git a/gateway/gateway-controller/default-policies/mcp-authz-v0.1.0.yaml b/gateway/gateway-controller/default-policies/mcp-authz-v0.1.0.yaml
@@ -12,7 +12,8 @@ description: |
   All matching rules must be satisfied for access to be granted (AND logic). If multiple 
   rules match the requested MCP attribute, ALL of their conditions must be met for 
   authorization to succeed. This allows combining specific and wildcard rules to build 
-  layered authorization policies.
+  layered authorization policies. If no rules are configured or no rule matches the 
+  requested attribute, access is allowed.
 
 parameters:
   type: object
@@ -82,7 +83,7 @@ parameters:
               Map of JWT claim names to expected values. All specified claims must be present 
               in the token and match their expected values for the rule to grant access.
               
-              Claim paths use dot notation (e.g., "sub", "custom.role", "org.team").
+              Claim names must be top-level keys in the JWT (e.g., "sub", "role").
               Matching is performed as exact string equality.
               
               If both requiredClaims and requiredScopes are specified, BOTH must be satisfied 
diff --git a/gateway/policies/mcp-authz/v0.1.0/policy-definition.yaml b/gateway/policies/mcp-authz/v0.1.0/policy-definition.yaml
@@ -12,7 +12,8 @@ description: |
   All matching rules must be satisfied for access to be granted (AND logic). If multiple 
   rules match the requested MCP attribute, ALL of their conditions must be met for 
   authorization to succeed. This allows combining specific and wildcard rules to build 
-  layered authorization policies.
+  layered authorization policies. If no rules are configured or no rule matches the 
+  requested attribute, access is allowed.
 
 parameters:
   type: object
@@ -82,7 +83,7 @@ parameters:
               Map of JWT claim names to expected values. All specified claims must be present 
               in the token and match their expected values for the rule to grant access.
               
-              Claim paths use dot notation (e.g., "sub", "custom.role", "org.team").
+              Claim names must be top-level keys in the JWT (e.g., "sub", "role").
               Matching is performed as exact string equality.
               
               If both requiredClaims and requiredScopes are specified, BOTH must be satisfied 
