docs(plugin-mcp): clarify Bearer-only auth on /api/mcp endpoint

[algojogacor]

What?

Adds a <Banner type="info"> to the MCP plugin documentation clarifying that the /api/mcp endpoint only supports Authorization: Bearer <key> authentication. Unlike other Payload API-key-based endpoints that accept the <collection-slug> API-Key <key> convention, the MCP endpoint will reject any other auth scheme.

Why?

Fixes #16572

Users familiar with Payload's standard API-Key auth convention (used by every other API-key-backed surface) naturally try payload-mcp-api-keys API-Key <token> against /api/mcp. This is silently rejected. The existing docs mention Bearer but don't call out that it's the only supported format.

How?

Added a <Banner type="info"> block after the "All MCP requests must include a valid API key as a Bearer token" sentence in docs/plugins/mcp.mdx, explicitly stating:

• The MCP endpoint only supports Authorization: Bearer <key>
• The payload-mcp-api-keys API-Key <key> convention used elsewhere in Payload does not work here

Changes

• docs/plugins/mcp.mdx: Added Banner note about Bearer-only auth (+11 -1 lines)

Testing

• Existing Bearer examples: All curl/config examples in the docs remain unchanged and correct ✅
• New Banner renders correctly: The <Banner type="info"> shortcode is already used elsewhere in the same file (lines 13, 126, 187) ✅
• Clarity improvement: A reader who jumps to the "How Access Control Works" section looking for auth format will now see the explicit clarification ✅