Generate a read-only API key

Use this key in your frontend as Authorization: Bearer <key>. Write keys require an admin.