restrict API calls to valid clients

Should make sure that only the web app url (configurable via a new env var) or an LED matrix can make API calls. Not sure how to do that yet with the LED matrix clients. Maybe some shared secret or something? Will need to look into that.