diff --git a/docs/toolhive/reference/cli/thv_proxy.md b/docs/toolhive/reference/cli/thv_proxy.md
index 371f999..270791b 100644
--- a/docs/toolhive/reference/cli/thv_proxy.md
+++ b/docs/toolhive/reference/cli/thv_proxy.md
@@ -113,6 +113,7 @@ thv proxy [flags] SERVER_NAME
       --remote-auth-client-secret string           OAuth client secret for remote server authentication (optional for PKCE)
       --remote-auth-client-secret-file string      Path to file containing OAuth client secret (alternative to --remote-auth-client-secret)
       --remote-auth-issuer string                  OAuth/OIDC issuer URL for remote server authentication (e.g., https://accounts.google.com)
+      --remote-auth-resource string                OAuth 2.0 resource indicator (RFC 8707)
       --remote-auth-scopes strings                 OAuth scopes to request for remote server authentication (defaults: OIDC uses 'openid,profile,email')
       --remote-auth-skip-browser                   Skip opening browser for remote server OAuth flow
       --remote-auth-timeout duration               Timeout for OAuth authentication flow (e.g., 30s, 1m, 2m30s) (default 30s)
diff --git a/docs/toolhive/reference/cli/thv_run.md b/docs/toolhive/reference/cli/thv_run.md
index 84c1004..08f733a 100644
--- a/docs/toolhive/reference/cli/thv_run.md
+++ b/docs/toolhive/reference/cli/thv_run.md
@@ -126,7 +126,7 @@ thv run [flags] SERVER_OR_IMAGE_OR_PROTOCOL [-- ARGS...]
       --otel-tracing-enabled                       Enable distributed tracing (when OTLP endpoint is configured) (default true)
       --permission-profile string                  Permission profile to use (none, network, or path to JSON file)
       --print-resolved-overlays                    Debug: show resolved container paths for tmpfs overlays
-      --proxy-mode string                          Proxy mode for stdio transport (sse or streamable-http) (default "sse")
+      --proxy-mode string                          Proxy mode for stdio (streamable-http or sse) (default "streamable-http")
       --proxy-port int                             Port for the HTTP proxy to listen on (host port)
       --remote-auth                                Enable OAuth/OIDC authentication to remote MCP server
       --remote-auth-authorize-url string           OAuth authorization endpoint URL (alternative to --remote-auth-issuer for non-OIDC OAuth)
@@ -135,6 +135,7 @@ thv run [flags] SERVER_OR_IMAGE_OR_PROTOCOL [-- ARGS...]
       --remote-auth-client-secret string           OAuth client secret for remote server authentication (optional for PKCE)
       --remote-auth-client-secret-file string      Path to file containing OAuth client secret (alternative to --remote-auth-client-secret)
       --remote-auth-issuer string                  OAuth/OIDC issuer URL for remote server authentication (e.g., https://accounts.google.com)
+      --remote-auth-resource string                OAuth 2.0 resource indicator (RFC 8707)
       --remote-auth-scopes strings                 OAuth scopes to request for remote server authentication (defaults: OIDC uses 'openid,profile,email')
       --remote-auth-skip-browser                   Skip opening browser for remote server OAuth flow
       --remote-auth-timeout duration               Timeout for OAuth authentication flow (e.g., 30s, 1m, 2m30s) (default 30s)
diff --git a/static/api-specs/toolhive-api.yaml b/static/api-specs/toolhive-api.yaml
index 3e07926..dae2724 100644
--- a/static/api-specs/toolhive-api.yaml
+++ b/static/api-specs/toolhive-api.yaml
@@ -542,6 +542,9 @@ components:
             OAuthParams contains additional OAuth parameters to include in the authorization request
             These are server-specific parameters like "prompt", "response_mode", etc.
           type: object
+        resource:
+          description: Resource is the OAuth 2.0 resource indicator (RFC 8707)
+          type: string
         scopes:
           description: |-
             Scopes are the OAuth scopes to request
@@ -687,7 +690,7 @@ components:
         predicate_type:
           type: string
       type: object
-    runner.RemoteAuthConfig:
+    remote.Config:
       description: RemoteAuthConfig contains OAuth configuration for remote MCP servers
       properties:
         authorize_url:
@@ -720,6 +723,9 @@ components:
             type: string
           description: OAuth parameters for server-specific customization
           type: object
+        resource:
+          description: Resource is the OAuth 2.0 resource indicator (RFC 8707).
+          type: string
         scopes:
           items:
             type: string
@@ -827,7 +833,7 @@ components:
         proxy_mode:
           $ref: '#/components/schemas/types.ProxyMode'
         remote_auth_config:
-          $ref: '#/components/schemas/runner.RemoteAuthConfig'
+          $ref: '#/components/schemas/remote.Config'
         remote_url:
           description: RemoteURL is the URL of the remote MCP server (if running remotely)
           type: string
@@ -910,6 +916,7 @@ components:
       - WorkloadStatusUnhealthy
       - WorkloadStatusRemoving
       - WorkloadStatusUnknown
+      - WorkloadStatusUnauthenticated
     secrets.SecretParameter:
       properties:
         name:
@@ -1460,6 +1467,9 @@ components:
             type: string
           description: Additional OAuth parameters for server-specific customization
           type: object
+        resource:
+          description: OAuth 2.0 resource indicator (RFC 8707)
+          type: string
         scopes:
           description: OAuth scopes to request
           items:
@@ -1650,6 +1660,7 @@ components:
           - WorkloadStatusUnhealthy
           - WorkloadStatusRemoving
           - WorkloadStatusUnknown
+          - WorkloadStatusUnauthenticated
       type: object
 externalDocs:
   description: ""