An API token is more secure than a password by virtue of it not needing to be typed in by a human. Phishing, writing down passwords, and the fact that API tokens can have restricted scopes all make them more secure.

Expiration on its own doesn’t make it more secure, but it can if it’s in the context of loading the token onto a system that you might lose track of/not have access to in the future.

Individual API tokens can also be revoked without revoking all of them, unlike a password where changing it means you have to re-login everywhere.

And that’s just the tip of the iceberg. Lmk if you have questions, though.