Users' environments are scoped and separated by API key
Open, Needs Triage; Public

Description

(This still needs refinement and will likely need to be broken down.)

  • A list of tokens can be set as environment variables in the API
  • The Authorization header must be in the format "ApiKey valid-key-here"; otherwise the API should return 400 BAD REQUEST with a helpful error
  • /api/charts endpoints do not require Authorization headers
  • /api/environments endpoints require an Authorization header with a valid token, otherwise return 401 UNAUTHORIZED with an error body
  • /api/environments should only show environments associated with the provided token
  • GET or DELETE /api/environments/:id for an environment that exists but does not belong to that API token receives a 403 FORBIDDEN with an appropriate error
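
The status-code rules above, written out as a framework-free decision function. This is an added example, not code from the project. The token values, the ownership map, the names `decide` and `match_token`, the 401 for a missing header, and the 404 for an unknown environment id are all assumptions.

```python
import hmac

# Constructed sample data, not from the ticket. In the API described above the
# token list would be read from environment variables.
TOKENS = ("alpha-key", "beta-key")
ENV_OWNER = {"1": "alpha-key", "2": "beta-key"}  # environment id -> owning token


def match_token(candidate):
    """Return the configured token equal to candidate, or None."""
    found = None
    for token in TOKENS:  # compare against every token, each in constant time
        if hmac.compare_digest(token.encode(), candidate.encode()):
            found = token
    return found


def decide(method, path, authorization=None):
    """Return (status, body) the request should receive; performs no deletion."""
    segs = path.strip("/").split("/")
    if segs[:2] == ["api", "charts"]:
        return 200, {"charts": []}  # public: header is not inspected (assumption)
    if segs[:2] != ["api", "environments"] or len(segs) > 3:
        return 404, {"error": "not found"}
    if authorization is None:  # assumption: a missing header is 401, not 400
        return 401, {"error": "Authorization header required"}
    scheme, _, key = authorization.partition(" ")
    if scheme != "ApiKey" or not key or " " in key:
        return 400, {"error": "Authorization must be 'ApiKey <key>'"}
    token = match_token(key)
    if token is None:
        return 401, {"error": "invalid API key"}
    if len(segs) == 2:  # collection: only this token's environments
        owned = sorted(e for e, owner in ENV_OWNER.items() if owner == token)
        return 200, {"environments": owned}
    owner = ENV_OWNER.get(segs[2])
    if owner is None:  # assumption: the ticket does not cover unknown ids
        return 404, {"error": "no such environment"}
    if owner != token:  # exists, but belongs to another token
        return 403, {"error": "environment belongs to another API key"}
    return 200, {"id": segs[2], "method": method}
```

Returning 403 for an existing environment and 404 for an unknown id lets a key holder tell which ids exist under other keys; whether that is acceptable is a decision for the refinement this task still needs.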