logins: don't return api_token field in API.

Remove the api_token field from the response to the login action (POST
/sessions). This doesn't make sense in the presence of multiple API
keys, and is also not generally useful; if you need an API key, create
one yourself and write it down.

CHANGELOG.md

@@ -14,6 +14,8 @@
   you're highly encouraged to restrict your API keys to limit damage in case
   they get leaked or stolen.
 
+* The login action (POST /sessions) no longer returns the api_token field.
+
 ## 2021-02-05
 
 ### Changes