Merchant API-key authentication and scoping

[Manuel1234477]

Context

Every endpoint is unauthenticated. Anyone can create payments and GET /payments returns all merchants' payments. merchant_id is just a free-text field on the request.

Tasks

• Add a merchants table with hashed API keys.
• Require Authorization: Bearer <key> on POST /payments and the list endpoint.
• Derive merchant_id from the key; scope GET /payments to the authenticated merchant.

Acceptance criteria

• Unauthenticated writes/list are rejected with 401.
• A merchant only sees its own payments.

[Nexha-dev]

Hi Maintainer I would like to work on this issue to implement merchant API-key authentication and scoping

[grantfox-oss]

🦊 GrantFox — @Nexha-dev has been assigned to this issue as part of the Official Campaign campaign!

Next steps:

1. Open a Pull Request referencing this issue (e.g., Closes #9)
2. Your PR will be reviewed by the StellarGateLabs maintainers

Good luck! Track your progress on GrantFox.

[grantfox-oss]

🎉 This issue has been marked as completed on GrantFox as part of the Official Campaign campaign!

@Nexha-dev's PR #60 was approved and merged by @Manuel1234477.

🏆 @Nexha-dev: You earned 35 FoxPoints for this contribution! Your current tier: Explorer (261 total points). Track your full progress on GrantFox.

👏 Great work, @Nexha-dev! Keep contributing to StellarGateLabs.