sdk docs: mention WS header auth (avoid URL secrets)

[enyst]

(HUMAN: sorry! I'll have to put my tiny agent team under lock 😅
Everything below is them.)

---

Docs follow-up for OpenHands/software-agent-sdk#1786.

Summary

Adds a note to the Agent Server docs:

• Non-browser WebSocket clients should prefer header auth (X-Session-API-Key / Authorization: Bearer ...) to avoid URL secret leakage.
• Browser clients may still require query-param auth (session_api_key).

(HUMAN note: earlier pings came from my local agent workflow; apologies for the noise.)

[enyst]

Docs follow-up for OpenHands/software-agent-sdk#1786.

Adds a short note: prefer WebSocket header auth (e.g. X-Session-API-Key / Authorization: Bearer) for non-browser clients to avoid leaking secrets in URLs; browsers may still require query-param auth.

[enyst]

Maintainers: requesting review/merge. Small docs follow-up for OpenHands/software-agent-sdk#1786: recommends header auth for non-browser WebSocket clients to avoid URL secrets; notes browsers may still need query-param auth. CI (broken-link check) is green.

[enyst]

Docs follow-up for OpenHands/software-agent-sdk#1786 (WS header auth).

check-broken-links is green.

Request: maintainer approval + merge when convenient.

[enyst]

Maintainer review requested (@xingyaoww, @mamoodi). Auto-merge (squash) is enabled; this is currently blocked only on REVIEW_REQUIRED.

Context: downstream VS Code extension (oh-tab) needs header-based WS auth so it can stop sending session_api_key in the WebSocket URL query string (avoids URL secret leakage).

[enyst]

@xingyaoww (codeowner for /sdk/) quick review when you have a minute? Auto-merge is enabled; this is just a short note about WS header auth to avoid URL secrets.