Headers
All protected routes require an `X-API-Token` request header carrying a server-issued static token; requests without a valid token are rejected.
Token rotation
- Set `NEXT_API_TOKEN` in the environment to the new token value.
- Deploy; during this window a request carrying either the ACTIVE or the NEXT token is accepted.
- Update clients to use the new token.
- Promote NEXT → ACTIVE (copy the `NEXT_API_TOKEN` value into the active API token variable), clear `NEXT_API_TOKEN`, and redeploy.
- Rollback: reapply the previous environment values and redeploy.
Compromise handling
Immediately set `NEXT_API_TOKEN` to a freshly generated token and redeploy, then promote it to ACTIVE and remove the compromised value from the environment.
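The dual-token check behind the rotation steps above, and the same sequence used for compromise handling, as an added example (not the project's own code). The variable holding the ACTIVE token is not named on the page, so `API_TOKEN` is a placeholder; the environment is modelled as a plain dict so that each "deploy" is just a change to that dict, and the header comparison is constant-time so that an unset or empty variable never matches anything.

```python
import hmac
import secrets
from typing import Dict, List, Mapping, Optional, Tuple

# NEXT_API_TOKEN is the name used on the page. API_TOKEN is an assumed
# placeholder for the variable that holds the ACTIVE token.
ACTIVE_VAR = "API_TOKEN"
NEXT_VAR = "NEXT_API_TOKEN"
HEADER = "X-API-Token"


def _matches(presented: str, expected: Optional[str]) -> bool:
    """Constant-time comparison; an unset or empty variable never matches."""
    if not expected:
        return False
    return hmac.compare_digest(presented.encode(), expected.encode())


def authorize(headers: Mapping[str, str], env: Mapping[str, str]) -> bool:
    """Accept the request if X-API-Token equals the ACTIVE or the NEXT token."""
    presented = headers.get(HEADER)
    if not presented:
        return False
    # Both variables are checked so that clients on either token keep working
    # for the whole rotation window.
    return _matches(presented, env.get(ACTIVE_VAR)) or _matches(presented, env.get(NEXT_VAR))


def stage_next(env: Dict[str, str], new_token: Optional[str] = None) -> str:
    """Rotation step 1 / compromise step 1: set NEXT_API_TOKEN to a fresh token."""
    token = new_token or secrets.token_urlsafe(32)
    env[NEXT_VAR] = token
    return token


def promote_next(env: Dict[str, str]) -> None:
    """Rotation step 4: copy NEXT into ACTIVE and clear NEXT_API_TOKEN.

    After this the old ACTIVE value (or the compromised value) is gone from
    the environment, so requests still using it are rejected.
    """
    nxt = env.get(NEXT_VAR)
    if not nxt:
        raise RuntimeError("no NEXT token staged; run stage_next first")
    env[ACTIVE_VAR] = nxt
    del env[NEXT_VAR]


def rollback(env: Dict[str, str], previous: Mapping[str, str]) -> None:
    """Rollback: reapply the previous environment values."""
    env.clear()
    env.update(previous)


def rotation_walkthrough(old_token: str, new_token: str) -> List[Tuple[str, bool, bool]]:
    """Trace which of the old and new tokens is accepted at each stage.

    Returns (stage, old_token_accepted, new_token_accepted) per stage.
    """
    env: Dict[str, str] = {ACTIVE_VAR: old_token}  # constructed starting state
    old_client = {HEADER: old_token}
    new_client = {HEADER: new_token}

    def snapshot(stage: str) -> Tuple[str, bool, bool]:
        return (stage, authorize(old_client, env), authorize(new_client, env))

    trace = [snapshot("before")]
    stage_next(env, new_token)          # set NEXT_API_TOKEN and "deploy"
    trace.append(snapshot("next staged"))
    promote_next(env)                   # promote NEXT -> ACTIVE and "redeploy"
    trace.append(snapshot("promoted"))
    return trace


if __name__ == "__main__":
    for stage, old_ok, new_ok in rotation_walkthrough("old-token", "new-token"):
        print(f"{stage:12s} old accepted={old_ok!s:5s} new accepted={new_ok}")
```

The trace shows the property the rotation relies on: the old token is valid until promotion, the new token is valid from the moment `NEXT_API_TOKEN` is deployed, and clients must switch between those two points. For compromise handling the calls are the same, only with the promotion done as soon as the deploy has completed so that the compromised value stops being accepted.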