While implementing this, I realized that I made a mistake when
implementing the Create endpoint - I returned a `group_id` instead of
the `group_name` that frontend had requested to get back from the List
endpoint. I think for consistency's sake it's best to return
`group_name` from both endpoints.

To achieve this, I added a hydration method to the ApiKey. It adds the
name of a single group to each ApiKey, preferring group names that
aren't "All Users".

Beyond that, the 3 new endpoints are pretty straightforward. All are
audit logged, and I added audit logging to creation as well.

Note that the API Key prefix is audit logged. I don't think this should
be a problem - we can think of the prefix as the "public" portion of the
key, like a username.