@SorinGFS API Tokens are an entirely different beast than those tokens used in banking. What I am referring to is similar to say GitHub Personal Access Token.
These are not JWT and generally do not expire unless manually revoked. (Though you could automate it). And should only ever be between to known and secured services and should never be user facing. Typically this would be between two services running in your backend, it’s also quite common between static site builders such as Gatsby, Nuxt.js, and Next.js where the token never leaves the control of the server administrators.
What you are referring to are effectively JWTs or client side tokens.