Make authenticated endpoints the default

[neutralino1]

Right now developers need to decorate API endpoints with @authenticate to make sure an endpoint cannot be accessed without a valid API key in the headers.

This is ok, but it would be safer to require authentication by default, and have an API to mark certain endpoints as not requiring authentication.