tweak HTTP auth for first API public release

This is the last step needed to deploy #614 (closed).

Two different kinds of tweaks will be necessary:

1. for the //available endpoints//: drop HTTP auth completely
2. for the //upcoming endpoints//: replace HTTP auth in favor of returning HTTP status code "501 Not Implemented"

Point (2) above is not only appropriate in general for our use case. But it is also very convenient, as some of the opened endpoints //already// return URLs pointing to upcoming endpoints. Returning 501 allows us to leave the URLs around, and at the same time inform users that they will be opened up in the future.

---

Migrated from T655 (view on Phabricator)