How do I allow customers to change their passwords without an API token?

I am reading through the Okta API for change password and shows that the call requires an Authorization header with a valid API token.

Is there a way for our application to make an API call allowing users to change their own password without needing an API token?

I would have thought that end users wouldn’t need an API token from an Okta Admin in order to make an API call like this, but maybe I’m not thinking of something. If it is required, can anyone tell me the least-privileged Admin level that is needed for this API token to make this corresponding call?

You can use bearer token instead of API token.
Please refer the example in this discussion thread.

To implement this, you need to have “OAuth 2.0 Consent for API Access Management” feature.
If you don’t have the feature enabled, please feel free to send an email to and request OAUTH2_FOR_OKTA_API feature.

Also, for the API token access issue, you can refer the doc here: manage access level for API token.
You need a super admin to manage the access level.