docs: API authentication & API key guide

[joelpeace48-cell]

Background & current state

Auth spans API keys (apiKeyAuth.js) and (incoming) SEP-10 (NEW-011), org-scoped keys + scopes (NEW-083), and rate limits — but there's no single doc explaining how to authenticate and manage keys.

Goal

Author docs/API_AUTH.md covering every auth path: API key creation/rotation/revocation, scopes, SEP-10 wallet login, and rate-limit behavior.

Outline

• API keys: create/rotate/revoke (Backend: Add API key management endpoints (create, rotate, revoke) #338), scopes (NEW-083), header usage.
• SEP-10 login (NEW-011): challenge/verify/token, refresh.
• Rate limits + 429 semantics; idempotency keys (NEW-031).
• Security best practices (key storage, rotation NEW-060).

Task breakdown

• Write docs/API_AUTH.md covering all paths.
• Cross-check against routes/middleware.
• Cross-link from README + OpenAPI.

Acceptance criteria

• Every auth path is documented and matches the implementation.

Verification

• Cross-reference vs apiKeyAuth.js/SEP-10; review; link check.

Difficulty: easy–medium · Effort: S–M · documentation + security