The api_token field in the response contains the auth token and is only shown once upon creation.

Token Format: ro:{account_index}:{single|all}:{expiry_unix}:{random_hex}

Access Rules:

Token created by account → access that account
Master account token with sub_account_access=true → access all sub-accounts
Master account token with sub_account_access=false → only master account
Sub-account token → only that sub-account

Usage (HTTP Header): Authorization: ro:6:all:1767139200:a1b2c3...

Usage (WebSocket): Include auth field in subscribe message: {"type": "subscribe", "channel": "account:6:tx", "auth": "ro:6:all:1767139200:a1b2c3..."}