If you want strict API-key-only auth later, put a reverse proxy in front and inject X-API-Key server-side for same-origin traffic.

Strict API-key-only means every request to /api/* must carry X-API-Key, including browser-originated ones. Problem: you should not expose your real API_KEY in frontend JavaScript, because anyone can read it in DevTools (or in the shipped bundle). So the pattern is:

1. The browser calls your app normally (no API key in JS).
2. The reverse proxy (Nginx/Traefik/Caddy) receives the same-origin requests.
3. The proxy adds X-API-Key before forwarding to Next.js.
4. Next.js middleware enforces the API key for all routes.

This keeps the key server-side only, while still making all backend routes protected.

Minimal Nginx example:

    location /api/ {
        proxy_pass http://candle-annotator:3000;
        proxy_set_header X-API-Key $api_key_secret;
    }

Two things to note here. $api_key_secret is not a built-in Nginx variable: define it yourself (for example with set in the server block, or by templating the config from an environment variable at container start) and keep it out of version control. And proxy_set_header replaces any X-API-Key a client sends, so a browser cannot supply its own value; the key now only proves that a request came through the proxy, so user-level authentication (sessions, cookies) still has to be handled separately.

Then in Next.js middleware you can remove the same-origin bypass and require the key always.
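The middleware side of that change, as an added example that is not code from the original page or from the project it describes. The check is written as a plain function so it can be tested without Next.js; the wiring into middleware.ts is shown in a comment. Assumptions: the secret lives in process.env.API_KEY, the header is X-API-Key as in the text, and the function names checkApiKey and safeEqual are hypothetical. The comparison is constant-time and uses no node:crypto so it also works in the Edge runtime.

```javascript
// Added example (not the project's own code): always-on API-key check for
// Next.js middleware once the same-origin bypass has been removed.
// Assumptions: secret from process.env.API_KEY, header name X-API-Key;
// checkApiKey/safeEqual are hypothetical names.

const HEADER_NAME = "x-api-key"; // header lookup is case-insensitive

// Constant-time comparison that works in both the Node and Edge runtimes.
// The length difference is folded into `diff` and the loop always runs over
// the longer input, so a mismatch does not return early.
function safeEqual(a, b) {
  const enc = new TextEncoder();
  const ab = enc.encode(a);
  const bb = enc.encode(b);
  let diff = ab.length ^ bb.length;
  const n = Math.max(ab.length, bb.length);
  for (let i = 0; i < n; i++) {
    // Out-of-range reads on a Uint8Array give undefined; treat them as 0.
    diff |= (ab[i] ?? 0) ^ (bb[i] ?? 0);
  }
  return diff === 0;
}

// Decide whether a request may proceed. Returns a plain result object instead
// of a Response so the logic is unit-testable; `headers` is anything with a
// .get(name) method (Headers, request.headers, or a Map in tests).
function checkApiKey(pathname, headers, expectedKey) {
  if (!pathname.startsWith("/api/")) {
    return { ok: true, reason: "not an API route" };
  }
  if (!expectedKey) {
    // Fail closed: an unset server-side secret must not open every route.
    return { ok: false, status: 500, reason: "API_KEY not configured" };
  }
  const presented = headers.get(HEADER_NAME);
  if (presented === null || presented === undefined) {
    return { ok: false, status: 401, reason: "missing X-API-Key" };
  }
  if (!safeEqual(presented, expectedKey)) {
    return { ok: false, status: 403, reason: "invalid X-API-Key" };
  }
  return { ok: true, reason: "valid X-API-Key" };
}

// Next.js wiring (hypothetical, not executed here) in middleware.ts:
//
//   import { NextResponse } from "next/server";
//   export function middleware(req) {
//     const r = checkApiKey(req.nextUrl.pathname, req.headers, process.env.API_KEY);
//     if (!r.ok) return new NextResponse(r.reason, { status: r.status });
//     return NextResponse.next();
//   }
//   export const config = { matcher: "/api/:path*" };

// Constructed sample run: a request that came through the proxy versus one
// that did not.
const sampleKey = "constructed-example-key";
const viaProxy = checkApiKey("/api/annotations",
  new Map([[HEADER_NAME, sampleKey]]), sampleKey);
const direct = checkApiKey("/api/annotations", new Map(), sampleKey);
console.log(viaProxy.reason, "/", direct.status, direct.reason);
```

Because the proxy overwrites the header, the only way a request reaches this check with a valid key is by passing through the proxy; the 500 branch matters in practice, since a deployment that forgets to set API_KEY should refuse API traffic rather than silently accept it.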