Health checks, backends, API keys & Supabase keep-alive
Token is stored in this browser only (localStorage). Backend must have INTERNAL_SECRET set.
INTERNAL_SECRET
Same-origin check: these paths are requested from the current site.