It should be possible to define what users can and cannot do with their API key. Consider implementing the following:
- Read-only API key (pretty much only good for the /stats and metrics (future) endpoints)
- Some keys can only interact with a subset of ids (this might look like namespaces)
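
One way the two restrictions above could be enforced as a deny-by-default check, written here as an added example and not taken from the project's code. The `KeyPolicy` fields, the `<namespace>/<name>` id layout, the hashed key store and the sample keys are all assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import FrozenSet, Optional

SAFE_METHODS = frozenset({"GET", "HEAD"})  # methods a read-only key may use


@dataclass(frozen=True)
class KeyPolicy:  # hypothetical policy record, one per API key
    read_only: bool = True  # writes must be granted explicitly
    # None = every id; a set = only ids in these namespaces; empty set = no ids
    namespaces: Optional[FrozenSet[str]] = frozenset()


def digest(api_key: str) -> str:
    """Keys are stored and looked up by SHA-256 digest, never in clear text."""
    return hashlib.sha256(api_key.encode()).hexdigest()


def namespace_of(resource_id: str) -> Optional[str]:
    """Assumed id layout: '<namespace>/<name>'. Anything else has no namespace."""
    ns, sep, name = resource_id.partition("/")
    return ns if sep and ns and name else None


def authorize(store, api_key, method, resource_id=None) -> bool:
    """Deny by default; allow only what the key's policy grants."""
    policy = store.get(digest(api_key))
    if policy is None:
        return False  # unknown key
    if policy.read_only and method.upper() not in SAFE_METHODS:
        return False  # read-only key attempting a write
    if resource_id is not None and policy.namespaces is not None:
        # Malformed ids yield None, which is never in the allowed set.
        return namespace_of(resource_id) in policy.namespaces
    return True


# Constructed sample keys and policies
STORE = {
    digest("stats-key"): KeyPolicy(),  # read-only, no ids: id-less reads such as /stats
    digest("team-a-key"): KeyPolicy(read_only=False, namespaces=frozenset({"team-a"})),
    digest("admin-key"): KeyPolicy(read_only=False, namespaces=None),
}
```

A key created with no explicit policy gets the most restrictive one (read-only, no ids), so forgetting to set a field never widens access.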