docs: replace Authentik with Logto, document OIDC resource server

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
hsiegeln
2026-04-05 13:15:09 +02:00
parent c47b8b9998
commit eecb0adf93
3 changed files with 39 additions and 23 deletions


@@ -230,6 +230,7 @@ Config fields: `metricsEnabled`, `samplingRate`, `tracedProcessors`, `logLevels`
| Bootstrap token | `POST /agents/register` | One-time agent registration |
| Local credentials | `POST /auth/login` | UI login (username/password) |
| OIDC code exchange | `POST /auth/oidc/callback` | External identity provider |
| OIDC access token | Bearer token in Authorization header | SaaS M2M / external OIDC |
| Token refresh | `POST /auth/refresh` | UI token refresh |
| Token refresh | `POST /agents/{id}/refresh` | Agent token refresh |
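Review bot: the new `OIDC access token` row breaks the table's convention, since `Bearer token in Authorization header` is a transport, not an endpoint like `POST /auth/login` in the other rows; the row should name which routes accept such tokens and note that they are only accepted when `CAMELEER_OIDC_ISSUER_URI` is configured, as the OIDC Resource Server section added later in this commit states. Suggest something like `| OIDC access token | Any authenticated API route (\`Authorization: Bearer\`) | SaaS M2M / external OIDC; requires \`CAMELEER_OIDC_ISSUER_URI\` |`.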
@@ -257,6 +258,15 @@ Server derives an Ed25519 keypair deterministically from the JWT secret. Public
Configured via admin API (`/api/v1/admin/oidc`). Supports any OpenID Connect provider. Features: role claim extraction (supports nested paths like `realm_access.roles`), auto-signup, configurable display name claim, constant-time token rotation via dual bootstrap tokens.
### OIDC Resource Server
When `CAMELEER_OIDC_ISSUER_URI` is configured, the server accepts external access tokens (e.g., Logto M2M tokens) in addition to internal HMAC JWTs. Dual-path validation: tries internal HMAC first, falls back to OIDC JWKS validation. OAuth2 scope-based role mapping: `admin` scope maps to ADMIN, `operator` to OPERATOR, `viewer` to VIEWER. Supports ES384, ES256, and RS256 algorithms. Handles RFC 9068 `at+jwt` token type.
| Variable | Purpose |
|----------|---------|
| `CAMELEER_OIDC_ISSUER_URI` | OIDC issuer URI for JWKS discovery |
| `CAMELEER_OIDC_AUDIENCE` | Expected audience (API resource indicator) |
---
## Admin API
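Review bot: the fallback description ("tries internal HMAC first, falls back to OIDC JWKS validation") leaves the security-critical conditions of the second path undocumented. State explicitly that the JWKS path rejects a token unless `iss` equals `CAMELEER_OIDC_ISSUER_URI`, `aud` equals `CAMELEER_OIDC_AUDIENCE`, and the header `alg` is one of the listed ES384/ES256/RS256 (so a token presenting `alg: HS256` or `none` is never verified against either the HMAC secret or a published key), and say whether `CAMELEER_OIDC_AUDIENCE` is required or whether, when it is unset, the audience check is skipped; an omitted audience check would let any token issued by the provider for another API reach this server. The scope-to-role mapping also needs its edge cases: what happens when a token carries more than one mapped scope, or none of `admin`/`operator`/`viewer` (reject, or default to VIEWER?). Finally, "Handles RFC 9068 `at+jwt` token type" is ambiguous; state whether `typ: at+jwt` is required for the OIDC path or merely accepted alongside plain `JWT`.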