(This still needs refinement and will likely need to be broken down.)
- a list of tokens can be set as environment variables in the API
- Authorization header must be in the format ApiKey valid-key-here; otherwise the API should return 400 BAD REQUEST with a helpful error
- /api/charts endpoints do not require Authorization headers
- /api/environments endpoints require an Authorization header with a valid token, otherwise return 401 UNAUTHORIZED with an error body
- /api/environments should only show environments associated with the provided token
- GET or DELETE /api/environments/:id for an environment that exists but does not belong to that API token receives a 403 FORBIDDEN with an appropriate error
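
One way to express these rules as a single authorization decision, added here as an example and not taken from the project's code. The names `API_TOKENS`, `authorize` and `store`, the comma-separated token list, the 401 for a missing header and the 404 for an unknown id are assumptions.

```javascript
// Added example: API_TOKENS, authorize and store are hypothetical names.
const crypto = require('node:crypto');

// Tokens come from an environment variable; a comma-separated list is assumed.
const loadTokens = (env) =>
  (env.API_TOKENS || '').split(',').map((t) => t.trim()).filter(Boolean);

// Hash both sides so timingSafeEqual always gets equal-length buffers.
const sha256 = (s) => crypto.createHash('sha256').update(s).digest();
const findToken = (tokens, candidate) => {
  let match = null; // no early exit: every configured token is compared
  for (const t of tokens) {
    if (crypto.timingSafeEqual(sha256(t), sha256(candidate))) match = t;
  }
  return match;
};

const fail = (status, error) => ({ status, body: { error } });

// store: Map of environment id -> { id, owner }, owner being the creating token.
// Returns the response an API following the list above would send (no deletion here).
function authorize(method, path, headers, env, store) {
  if (path.startsWith('/api/charts')) return { status: 200, body: {} }; // public
  if (!path.startsWith('/api/environments')) return fail(404, 'not found');

  const header = headers.authorization;
  if (header === undefined) return fail(401, 'Authorization header required');
  const m = /^ApiKey (\S+)$/.exec(header);
  if (!m) return fail(400, 'Authorization must be "ApiKey <key>"');
  const token = findToken(loadTokens(env), m[1]);
  if (!token) return fail(401, 'invalid API key');

  const id = path.split('/')[3];
  if (!id) { // collection: list only the caller's environments
    const own = [...store.values()].filter((e) => e.owner === token);
    return { status: 200, body: own.map((e) => ({ id: e.id })) };
  }
  const found = store.get(id);
  if (!found) return fail(404, 'no such environment'); // assumption: not in the list above
  if (found.owner !== token) return fail(403, 'environment belongs to another token');
  return { status: method === 'DELETE' ? 204 : 200, body: { id: found.id } };
}
```

Because a foreign id answers 403 and an unknown id answers 404, any valid token holder can tell which environment ids exist; unguessable ids limit what that reveals.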