We would want some form of authentication for the clients who can submit pipelines and schedule grading runs. Clients would be the courses using this service or if we expose this to students to schedule their own AG runs, we will have to authenticate them.

This should happen in a separate application, not in Broadway itself. The separate application can do the client authentication and then act as a trusted intermediary between them and Broadway.

However, if anyone who is not authenticated can schedule AG runs by just hitting the client endpoints. They just have to know where the API is running

All client endpoints require authentication now. Fixed in #15