Touch up `pelican api-key` token creation API

[jhiemstrawisc]

Some notes from William's testing of the features introduced in #2958.

I’m able to generate something that the CLI tool says is a key, but there’s no documentation for how I use it.

Additionally, the CLI --help section doesn’t state that the --expiration and --server flags are required.

It would also be helpful if I could find an exhaustive list of possible scopes somewhere and if the CLI tool would give an example of a timestamp in the required RFC3339 format for non-Dew drinkers.

[brianhlin]

A few other items:

1. It appears that --expiration 'never' does not work:

# pelican-server apikey generate --scopes "monitoring.query" --expiration 'never'
Logging.LogLocation is set to /var/log/pelican/pelican.log. All logs are redirected to the log file.
Error: expiration must be in RFC3339 format (e.g., 2025-12-31T23:59:59Z) or 'never': parsing time "never" as "2006-01-02T15:04:05Z07:00": cannot parse "never" as "2006"

2. RFC3339 is kind of annoying. It'd be nice if I could just specify ISO 8601 and the tooling assumes midnight

3. It doesn't seem to actually fully align with RFC3339 (can't specify the time zone):

 # pelican-server apikey generate --scopes "monitoring.query" --expiration '2026-06-30T09:00:00Z-05:00'
Logging.LogLocation is set to /var/log/pelican/pelican.log. All logs are redirected to the log file.
Error: expiration must be in RFC3339 format (e.g., 2025-12-31T23:59:59Z) or 'never': parsing time "2026-06-30T09:00:00Z-05:00": extra text: "-05:00"

4. Update the monitoring documentation here to use the API key: https://docs.pelicanplatform.org/monitoring-pelican-services/grafana#configure-authentication