Document MCP API token authentication

[samgutentag]

Documents API token authentication as an alternative to OAuth for the Trunk MCP server (shipped in v148, trunk-io/trunk2#3381).

Changes

• Updated MCP server overview with both auth methods explained
• Added API token config examples to all four client pages (Claude Code, Cursor, Gemini CLI, GitHub Copilot)

What's documented

• OAuth remains default; API token for CI/headless environments or clients without OAuth support
• Bearer token header configuration per client
• Where to find the API token in the Trunk app

Co-Authored-By: Claude Opus 4.6 noreply@anthropic.com

[trunk-staging-io]

Merging to main in this repository is managed by Trunk.

• To merge this pull request, check the box to the left or comment /trunk merge below.

After your PR is submitted to the merge queue, this comment will be automatically updated with its status. If the PR fails, failure details will also be posted here

[claude]

Claude finished @samgutentag's task in 2m 3s —— View job

---

PR Review

• Gather context and read changed files
• Review for typos, grammar, and formatting issues
• Review for documentation best practices
• Post final review

---

Summary

This PR is well-structured and accurately documents the API token authentication option across the overview page and all four client-specific pages. No blocking issues found.

What's good

• Section headers are consistently renamed from ### Authentication → ### Authentication with OAuth (default) across all four client pages — clear and parallel structure.
• VS Code's ${env:TRUNK_API_TOKEN} syntax is correctly distinguished from the ${TRUNK_API_TOKEN} used by other clients, with a helpful {% hint %} note explaining the difference.
• Gemini CLI's "httpUrl" key is correctly used in its client-specific page (different from "url" used by others).
• The PR also fixes a pre-existing copy/paste error in github-copilot-ide.md where the auth section incorrectly referred to "Cursor" instead of "GitHub Copilot".

Minor suggestions (non-blocking)

README.md generic JSON example — See inline comment. The overview's API token example uses "url", which works for most clients but not Gemini CLI (which needs "httpUrl"). A small note pointing readers to client-specific pages for the exact key would prevent confusion.

Pre-existing typos (not introduced by this PR, worth a follow-up):

• cursor-ide.md:47: "follow insturctions" → "follow instructions"
• github-copilot-ide.md:62: "follow insturctions" → "follow instructions"

Org-level caveat visibility — The README mentions "API token auth is org-level — all requests are attributed to the organization rather than to a specific user", but this isn't repeated on the per-client pages. Users who navigate directly to a client page won't see this important note. Consider adding a short callout or linking back to the overview.

---

Overall: no blocking issues. The documentation is accurate, consistent, and follows the existing patterns in the repo.

[claude]

Minor: this generic example uses "url" which is correct for Claude Code, Cursor, and GitHub Copilot — but Gemini CLI requires "httpUrl" instead. Consider adding a note that the exact config key varies by client, with a pointer to the client-specific pages.

[github-actions]

Auto-approved: Claude code review passed.