Hi Salvatore,
You need to create Personal Access Token with necessary scopes and user level to access API. If you go with API token, they may not be able to access all api. Refer this thread.
the API token with client credential grant type does not have a user linked to it. This type of token will not be able to call all the IDN REST endpoints. For example, the role revocation API end point /v3/access-requests will give a forbidden error while using the client credential as this end point excepts the call only from a valid user which makes sense from a audit and security standpoint.
The PAT token on the other hand is also of client credential grant type but associated to a user. The PAT associates the user that created the PAT to the generated access tokens, giving those tokens the same user level as the user that created it. So if you are an Admin user and you generate a PAT with `sp:scopes:all` , your PAT can access **almost** every API endpoint.
Thanks