[thijsvandien]

It was my impression that the token is obtained by supplying username and password to a login API, through which it can also be replaced when it expires. Now it seems that I was wrong. How do you suggest the token be managed?

[tptacek]

You can do that, or you can just have a page in the application where the user manually fetches a new API token, which is a pretty common UX for this.