docs: add API rate limiting and authentication guides

[devin-ai-integration]

Summary

Adds two new documentation pages under a new API section:

• api/rate-limiting.md — Comprehensive rate limiting guide covering how rate limits work, rate limit headers, a table of endpoint-specific limits, code examples (Python & JavaScript) for handling 429 responses with retry logic and proactive rate management, and best practices.
• api/authentication.md — API key authentication guide (per-bot scoped keys, usage examples, scopes table), full OAuth 2.0 Authorization Code flow documentation (registration, 4-step flow with code snippets, token refresh, token revocation, endpoints reference table), webhook signature verification with HMAC-SHA256 (Python & Node.js examples), and security best practices.
• SUMMARY.md updated to include a new "API" section in the sidebar navigation linking to both pages.

Both pages follow the existing GitBook conventions (frontmatter descriptions, {% hint %} blocks, markdown tables, fenced code blocks).

Review & Testing Checklist for Human

• Verify the new pages render correctly in GitBook (tables, code blocks, hint blocks)
• Review the rate limit values in the endpoint table — these are illustrative and should be updated to match actual API limits if they differ
• Check that the API endpoint URLs (api.poketwo.net, poketwo.net/oauth/*, poketwo.net/developers) are correct or update them to the real endpoints
• Confirm the OAuth scopes and API key scopes listed match the actual API capabilities
• Verify webhook signature verification code examples use the correct header name (X-Signature-256) and HMAC algorithm

Notes

• No build/lint tools exist in this repo (pure GitBook markdown), so there are no CI checks to run locally.
• The API URLs and rate limit numbers are illustrative — they should be reviewed against the actual API implementation.
• API keys are documented as scoped per-bot, per reviewer feedback.
• Added OAuth endpoints reference table, token revocation endpoint, and webhook signature verification section per reviewer feedback.

Link to Devin session: https://app.devin.ai/sessions/e118eb3f5ca94ab0b2aa1842494aa7b4

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment, CI, and merge conflict monitoring

[devin-ai-integration]

@oliver-ni Good catch — the rate limit numbers in the endpoint table are illustrative placeholders, not sourced from an actual API specification. They should be updated to reflect the real API limits once those are confirmed. This is noted in the PR description as well.

[devin-ai-integration]

@oliver-ni Addressing your feedback:

1. Per-bot API key scoping — Will update the API Keys section to clarify that keys are scoped per-bot.
2. OAuth endpoints — Will flesh out the OAuth section with more concrete endpoint details.
3. Webhook signatures — Will add a new section on webhook signature verification with HMAC validation examples.

Pushing updates now.