[api] proper api tokens

[hairmare]

We should not pass the API token on the command line (and we should also not hardcode any defaults).

            default={"rabe": "rabe"},

I'm not sure yet about the best solution for authenticating internal API calls, most secure approaches are a bit over engineered (like involving keycloak to generate jwt tokens, ...)

Originally posted by @hairmare in #140 (comment)