feat: add authentik jwt verification and me endpoints

README.md

@@ -15,10 +15,25 @@ uvicorn app.main:app --host 127.0.0.1 --port 8000 --reload
 
 1. Initialize API client whitelist table with `docs/API_CLIENTS_SQL.sql`.
 2. Initialize core tables with `backend/scripts/init_schema.sql`.
+3. Generate `api_key_hash` and update `api_clients` records, e.g.:
+
+```bash
+python scripts/generate_api_key_hash.py 'YOUR_PLAIN_KEY'
+```
+
+## Authentik JWT setup
+
+- Configure at least one of:
+  - `AUTHENTIK_JWKS_URL`
+  - `AUTHENTIK_ISSUER` (the service infers `<issuer>/jwks/`)
+- Optional:
+  - `AUTHENTIK_AUDIENCE` (enables audience claim validation)
 
 ## Main APIs
 
 - `GET /healthz`
+- `GET /me` (Bearer token required)
+- `GET /me/permissions/snapshot` (Bearer token required)
 - `POST /internal/users/upsert-by-sub`
 - `GET /internal/permissions/{authentik_sub}/snapshot`
 - `POST /admin/permissions/grant`