settings will prefer, in order: -defaults -settings in config file -settings given as environmental variables -settings given as command line args
-user starts a httpauthsession with an api key and name -user initializes jsonrpc hmac secret to sha256 of session id -server sends new random hmac secret after each api call -a user without an authenticated session will get a authorization error
