Define auth/login methods and key management operations in API

The API should define restricted methods to:
- Add/delete users (or disable their accounts)
- Grant/revoke roles to users
- Add/delete API keys (linked to one user)