## 1. Client Authentication

- [x] 1.1 Rename `Token` and `HttpOnlyToken` fields to single `APIKey` field in `Client` struct in `client/client.go`
- [x] 1.2 Update `NewClient` constructor to accept `(baseURL, apiKey string, logger *slog.Logger)` — remove `httpOnlyToken` parameter
- [x] 1.3 Replace `Authorization: Bearer` header with `x-api-key` header in `Do()` method
- [x] 1.4 Remove OIDC cookie logic (`httpOnlyToken` cookie attachment) from `Do()` method

## 2. CLI Flags and Environment Variables

- [x] 2.1 Rename `flagToken` to `flagAPIKey` and `flagHttpToken` removal in `cmd/root.go`
- [x] 2.2 Replace `--token` flag with `--api-key` flag and remove `--http-token` flag in `cmd/root.go`
- [x] 2.3 Replace `PLANKA_TOKEN` env var lookup with `PLANKA_API_KEY` in `PersistentPreRunE`
- [x] 2.4 Remove `PLANKA_HTTP_TOKEN` env var lookup from `PersistentPreRunE`
- [x] 2.5 Update error message to reference `PLANKA_API_KEY` and `--api-key`
- [x] 2.6 Update `NewClient` call site in `PersistentPreRunE` to match new constructor signature
- [x] 2.7 Remove OIDC-related debug log line (`oidc_mode` slog field)

## 3. Documentation

- [x] 3.1 Update `README.md` authentication section to reference `PLANKA_API_KEY` and `--api-key`