We should add audit logging support for APIKey creation and deletion. API Keys, aka session tokens created on login, should be an auditable resource.

An audit log should be generated when a user successfully logs in or out, either via the web UI or via the CLI.

We don't have to worry about audit support for long-lived token creation; that will be handled in this ticket.

Assumption: we don't have to worry about the update of session tokens, even though the table has an updated_at column. Creation and deletion (login and logout) should suffice.