Clarify that authorization is required only if the its feature flag is enabled

[martinscooper]

Currently, at the beginning of the REST API section of the documentation it says: All requests should also pass an authorization header with the Bearer token returned by the login endpoint. I think we shoud clarify that the authorization header is only needed if authorization is enabled on the backend. Authorization is enabled by providing a configuration file where login_required=true and a list of users.