API key documentation

env file comment says `(leave empty to disable, or set to secure value)` but leaving it empty still requires API key. I think that is reasonable.
My suggestion:
- Update documentation about API key
- Add a simple script that generates a secure random API key