Changelog

[1.0.0] – API key access

API key authentication: Protected routes now accept, in addition to web session (JWT cookie), an API key token sent in Authorization: Bearer <keyId:secret> or X-API-Key.
Key management: Users with the business proprietor or administrator role on the company can create, list and revoke API keys from Settings > Integrations. The Secret is shown only once when creating the key.
Documentation: Documentation site at docs.abaco.hn with introduction, getting started, endpoint and key extraction, authentication and API reference.

Routes using authMiddleware automatically accept web session and API key; no separate routes are required for integrations.
Token format: keyId:secret (e.g. abk_xxxx:secret_value).