Support programmatic Clerk API key authentication

[jamiefolsom]

Context

The Clerk SSO migration gates legacy username/password login behind FairCopy-specific headers (see #TBD). Once that gate is enforced, there is no supported way for scripts, integrations, or other programmatic clients to authenticate against the FairData API — Clerk's OAuth/SSO flow requires browser-based interactive login.

Request

Provide a machine-friendly authentication mechanism for programmatic API access. Possible approaches:

• API keys — per-user or per-project, issued through the FairData admin UI
• Clerk API tokens — if Clerk supports long-lived tokens or service accounts
• OAuth client credentials flow — standard app-to-app auth with no user interaction

Use Cases

• Scripts that read/write project data via the Core Data API
• CI/CD pipelines (e.g., automated data import/export)
• Third-party integrations beyond FairCopy Cloud

[camdendotlol]

Claude went down the wrong rabbit hole here.

Clerk offers an API key feature that covers this use case. Using it would require FairCopy.cloud (both 1 and 2 because FCC 1 is still in use) to be updated to use that method of authentication instead of the old username/password route. That would be a bit time-consuming, especially for FCC 1 where setting up and testing a dev environment is difficult. So we went with the quick solution of keeping the local mode auth working for FCC.

In the long run, once FCC 1 is shut down, we will set up Clerk API key authentication and update FCC 2 to use it.