The idea behind messybrainz submission at the moment is that it should only be used by MetaBrainz projects. Because they don't all live on the same server, we need a public submission endpoint, which should be password-protected.

We can reuse the same authentication concepts that we have in listenbrainz and acousticbrainz.
API key generation for AcousticBrainz was implemented like this: https://github.com/metabrainz/acousticbrainz-server/pull/181/files
Specific usernames are not important, we should just use them for internal accounting purposes. We can just have a single api_key table with 2 fields, name and key.

In MsB we don't need a public interface for adding/changing keys, as it's an internal service. We can have some methods in manage.py:

$ python manage.py adduser <username>
Added user <username> with key fd09209usdfijhflsdkjf09

$ python manage.py listusers
username fd09209usdfijhflsdkjf09
user2 of98345kijw0asldkjfkjh

$ python manage.py removeuser <username>
Removed user <username>

We don't have flask-login in messybrainz and probably don't need it. Instead, we can have a simple decorator which checks that the header for the format "Authentication: Token <token>"
If the header doesn't exist, raise HTTP 403
If the header does exist, check if the token is in the api_key table. If it isn't, raise HTTP 401. If it is, process the submission.

GET methods don't need to be protected for now.