As a security measure, users should not be allowed to create or use personal API Tokens. All user authentication must go through MFA.