No authentication in server HTTP API
The server needs some kind of access control on its HTTP API. At minimum, simple access tokens that allows only one client to use the API. Later on, a more nuanced, more fine grained access control mechanism that supports many, mutually distrustful clients/users will be added, but a simple mechanism would be enough to get us started.