fix: use private helcimApiToken for all server-side Helcim API calls

server/utils/auth.js

@@ -44,6 +44,14 @@ export async function requireAuth(event) {
     })
   }
 
+  // Verify session has not been revoked (tokenVersion incremented on logout)
+  if (decoded.tv !== member.tokenVersion) {
+    throw createError({
+      statusCode: 401,
+      statusMessage: 'Session has been revoked'
+    })
+  }
+
   return member
 }