Hey anyone have recommendations on how to handle auth for api-routes endpoints that are going to be hit via the website and externally? My naive approach would be to modify wrap-signed-in middleware to check for user session OR api key in the headers of the ctx map.