docs(token_auth.md): add project based auth to docs

docs/my-website/docs/proxy/token_auth.md

@@ -1,6 +1,9 @@
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
+
 # [BETA] JWT-based Auth 
 
-Use JWT's to auth admin's into the proxy.
+Use JWT's to auth admins / projects into the proxy.
 
 :::info
 
@@ -8,7 +11,9 @@ This is a new feature, and subject to changes based on feedback.
 
 :::
 
-## Step 1. Set env's 
+## Usage
+
+### Step 1. Setup Proxy
 
 - `JWT_PUBLIC_KEY_URL`: This is the public keys endpoint of your OpenID provider. Typically it's `{openid-provider-base-url}/.well-known/openid-configuration/jwks`. For Keycloak it's `{keycloak_base_url}/realms/{your-realm}/protocol/openid-connect/certs`.
 
@@ -16,7 +21,26 @@ This is a new feature, and subject to changes based on feedback.
 export JWT_PUBLIC_KEY_URL="" # "https://demo.duendesoftware.com/.well-known/openid-configuration/jwks"
 ```
 
-## Step 2. Create JWT with scopes 
+- `enable_jwt_auth` in your config. This will tell the proxy to check if a token is a jwt token.
+
+```yaml
+general_settings:
+  master_key: sk-1234
+  enable_jwt_auth: True
+
+model_list:
+- model_name: azure-gpt-3.5 
+  litellm_params:
+      model: azure/<your-deployment-name>
+      api_base: os.environ/AZURE_API_BASE
+      api_key: os.environ/AZURE_API_KEY
+      api_version: "2023-07-01-preview"
+```
+
+### Step 2. Create JWT with scopes 
+
+<Tabs>
+<TabItem value="admin" label="admin">
 
 Create a client scope called `litellm_proxy_admin` in your OpenID provider (e.g. Keycloak).
 
@@ -32,12 +56,55 @@ curl --location ' 'https://demo.duendesoftware.com/connect/token'' \
 --data-urlencode 'grant_type=password' \
 --data-urlencode 'scope=litellm_proxy_admin' # 👈 grant this scope
 ```
+</TabItem>
+<TabItem value="project" label="project">
 
-## Step 3. Create a proxy key with JWT 
+Create a JWT for your project on your OpenID provider (e.g. Keycloak).
+
+```bash
+curl --location ' 'https://demo.duendesoftware.com/connect/token'' \
+--header 'Content-Type: application/x-www-form-urlencoded' \
+--data-urlencode 'client_id={CLIENT_ID}' \ # 👈 project id
+--data-urlencode 'client_secret={CLIENT_SECRET}' \
+--data-urlencode 'grant_type=client_credential' \
+```
+
+</TabItem>
+</Tabs>
+
+### Step 3. Test your JWT 
+
+<Tabs>
+<TabItem value="key" label="/key/generate">
 
 ```bash
 curl --location '{proxy_base_url}/key/generate' \
 --header 'Authorization: Bearer eyJhbGciOiJSUzI1NiI...' \
 --header 'Content-Type: application/json' \
 --data '{}'
+```
+</TabItem>
+<TabItem value="llm_call" label="/chat/completions">
+
+```bash
+curl --location 'http://0.0.0.0:4000/v1/chat/completions' \
+--header 'Content-Type: application/json' \
+--header 'Authorization: Bearer eyJhbGciOiJSUzI1...' \
+--data '{"model": "azure-gpt-3.5", "messages": [ { "role": "user", "content": "What's the weather like in Boston today?" } ]}'
+```
+
+</TabItem>
+</Tabs>
+
+## Advanced - Allowed Routes 
+
+Configure which routes a non-admin JWT can access via the config.
+
+By default, a non-admin JWT can call openai + any `/info` endpoints. 
+
+```yaml
+general_settings:
+  master_key: sk-1234
+  enable_jwt_auth: True
+  allowed_routes: ["/chat/completions", "/embeddings"]
 ```