Docs for almost every API path \

Authentication is done with the `X-Token` header (doesn't apply to websocket see `PROTOCOL.md` for that) \
All responses are in JSON, request body if required must also be JSON \
TODO document errors

## Paths

### `/api/tokens/create`
Required role: `admin`

Method: `PUT` 

Request body:
- `accessLimits`: the label of access limits

Response body:
- `token`: the generated token (base64 encoded)


### `/api/tokens/me`
Required role: `user`

Method: `GET`

Response body:
- `token`: the token itself but only first and last 5 characters visible separated by ...
- `role`: the role like user or admin
- `accessLimits`: the label of access limits