Add JWT integration section and fix config links

Author: kamilkisiela

packages/web/docs/src/content/router/configuration/authorization.mdx

@@ -8,6 +8,9 @@ The `authorization` configuration lets you control fine-grained access to your G
 directives. This allows you to restrict which fields authenticated users can access based on their
 authentication status or specific scopes.
 
+For practical examples and a guide to authorization concepts, see
+**["Authorization"](../security/authorization)** in the documentation.
+
 ## How Authorization Works
 
 The router supports two modes for handling unauthorized field access:

packages/web/docs/src/content/router/configuration/index.mdx

@@ -13,19 +13,19 @@ Some configuration variables can be overridden at runtime using
 This page covers all the main configuration options available. Each option links to a detailed page
 that explains how to use that feature.
 
-- [`authorization`](./authorization): Define field-level access control using directives.
-- [`cors`](./cors): Control cross-origin requests to your API.
-- [`csrf`](./csrf): Protect against cross-site request forgery attacks.
-- [`headers`](./headers): Modify HTTP headers between clients and subgraphs.
-- [`http`](./http): Set the host and port for your router.
-- [`jwt`](./jwt): Add JWT-based authentication to secure your endpoint.
-- [`log`](./log): Control what the router logs and how it formats log messages.
-- [`override_subgraph_urls`](./override_subgraph_urls): Route requests to different
+- [`authorization`](./configuration/authorization): Define field-level access control using directives.
+- [`cors`](./configuration/cors): Control cross-origin requests to your API.
+- [`csrf`](./configuration/csrf): Protect against cross-site request forgery attacks.
+- [`headers`](./configuration/headers): Modify HTTP headers between clients and subgraphs.
+- [`http`](./configuration/http): Set the host and port for your router.
+- [`jwt`](./configuration/jwt): Add JWT-based authentication to secure your endpoint.
+- [`log`](./configuration/log): Control what the router logs and how it formats log messages.
+- [`override_subgraph_urls`](./configuration/override_subgraph_urls): Route requests to different
   subgraph URLs dynamically.
-- [`override_labels`](./override_labels): Dynamically activate or deactivate
+- [`override_labels`](./configuration/override_labels): Dynamically activate or deactivate
   progressive override labels.
-- [`query_planner`](./query_planner): Add safety limits and debugging for query
+- [`query_planner`](./configuration/query_planner): Add safety limits and debugging for query
   planning.
-- [`supergraph`](./supergraph): Tell the router where to find your supergraph schema.
-- [`traffic_shaping`](./traffic_shaping): Manage connection pooling and request
+- [`supergraph`](./configuration/supergraph): Tell the router where to find your supergraph schema.
+- [`traffic_shaping`](./configuration/traffic_shaping): Manage connection pooling and request
   handling to subgraphs.

packages/web/docs/src/content/router/security/authorization.mdx

@@ -20,6 +20,34 @@ When a GraphQL request comes to the router, it goes through these steps:
 
 The key insight is that authorization happens **before** your subgraphs are even called. This protects sensitive fields at the router level.
 
+## Integration with JWT Authentication
+
+Authorization directives work alongside your [JWT authentication setup](./jwt-authentication.mdx). Here's the flow:
+
+1. **Client sends request** with JWT token in the `Authorization` header
+2. **Router validates JWT** using your configured JWKS provider
+3. **Router extracts scopes** from the JWT claims (`scope` field)
+4. **Router checks authorization directives** against the extracted scopes
+5. **Query proceeds or fails** based on authorization result
+
+**Configuration example:**
+
+```yaml filename="router.config.yaml"
+jwt:
+  require_authentication: false  # Allow anonymous requests
+  jwks_providers:
+    - source: remote
+      url: https://your-auth-provider.com/.well-known/jwks.json
+
+authorization:
+  directives:
+    enabled: true
+    unauthorized:
+      mode: filter  # Or 'reject' for stricter enforcement
+```
+
+With this setup, your GraphQL API allows both anonymous and authenticated requests, but authorization directives control which fields each user can access.
+
 ## The Two Authorization Directives
 
 ### `@authenticated`
@@ -257,34 +285,6 @@ query {
 }
 ```
 
-## Integration with JWT Authentication
-
-Authorization directives work alongside your [JWT authentication setup](./jwt-authentication.mdx). Here's the flow:
-
-1. **Client sends request** with JWT token in the `Authorization` header
-2. **Router validates JWT** using your configured JWKS provider
-3. **Router extracts scopes** from the JWT claims (`scope` field)
-4. **Router checks authorization directives** against the extracted scopes
-5. **Query proceeds or fails** based on authorization result
-
-**Configuration example:**
-
-```yaml filename="router.config.yaml"
-jwt:
-  require_authentication: false  # Allow anonymous requests
-  jwks_providers:
-    - source: remote
-      url: https://your-auth-provider.com/.well-known/jwks.json
-
-authorization:
-  directives:
-    enabled: true
-    unauthorized:
-      mode: filter  # Or 'reject' for stricter enforcement
-```
-
-With this setup, your GraphQL API allows both anonymous and authenticated requests, but authorization directives control which fields each user can access.
-
 
 ## Specification