The admin matrix does not make it clear what permissions an account needs to use the Factors API.
We have a use case where a third-party application will challenge a user’s MFA and validate the response before allowing them access to internal resources. We have validated that the use case works when using a API token created by a super user account, but we want to use the least permissive API token permission set possible.