Fix critical auth: send access-token header instead of Authorization: Bearer

[pimfeltkamp]

Summary

Critical bug: every authenticated request currently fails. The transport sends Authorization: Bearer <token>, which the AWS API Gateway in front of api.cryptohopper.com/v1/* rejects (405 Missing Authentication Token).

Cryptohopper's Public API v1 uses access-token: <token>. Switching the SDK to send that.

Confirmation

• Live API docs: https://www.cryptohopper.com/api-documentation/how-the-api-works — "access-token - Your access token received with the Oauth2 authentication"
• cryptohopper-ios-sdk and cryptohopper-android-sdk both send access-token for v1 calls
• code-samples/curl/README.md — -H "access-token: [ACCESS TOKEN]"

Changes

• src/cryptohopper/_client.py:204 — header name change with explanatory comment
• tests/test_client.py:24 — assertion updated; verified locally with a fresh pip install -e .
• CHANGELOG.md — 0.4.0a2 entry under "Fixed"
• _version.py + pyproject.toml bumped to 0.4.0a2

Compatibility

No public-API change. Same caller-facing surface; only the wire-level header changes.

Test plan

• pytest — 60/60 pass
• (manual) CRYPTOHOPPER_TOKEN=<real> python -c "from cryptohopper import CryptohopperClient; print(CryptohopperClient(api_key=...).user.get())" should now succeed where it would have 405'd

Cross-reference

Tracking: cryptohopper-resources#9. Sister PRs landing for Node/Go/Ruby/Rust/PHP/Dart/Swift in this same iter.

[pimfeltkamp]

Pushed a small follow-up commit (Drop ... README claim ...) that strikes the matching (public, no auth) / (public — no auth required) claim from the README. Same bug surface as this PR — the auth fix establishes that every endpoint requires a real token, so the README label was misleading. No re-review needed beyond skimming the +1/-1 (or +2/-2) README diff.