PATs vs script keys

There is also the option of using the OAuth API and leveraging a lot of work already done around security. Haven’t dug too deep into it, but I believe toolkit already has some abstractions for making it easier (unless you are using the REST API, in which case see the link above).
This way the users would log in with a standard Autodesk dialog, and you would receive an auth token that expires, etc.
It does have a learning curve, but would be more robust than rolling your own solution.

tbh I don’t see great cases for using PAT. Might be wrong, though.
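To make the "auth token that expires" point concrete, here is an added illustration (not code from the thread, from Autodesk, or from any toolkit) of the client-side handling an OAuth-style token needs that a static PAT never forces you to think about: the token carries an expiry, the client refuses to reuse it past that point (with a small safety margin), and it refreshes or sends the user back to the login dialog. `FakeTokenEndpoint`, `TokenManager`, and every token string are constructed for the example; a real integration would replace the fake with HTTP calls to the provider's token endpoint.

```python
"""Expiring OAuth-style tokens versus a static key: added example, runs offline.

FakeTokenEndpoint stands in for a real OAuth token endpoint (constructed here).
A PAT/script key has no expires_at and no refresh path; if it leaks, it keeps
working until someone revokes it by hand. An OAuth access token is short-lived
by design and the client has to handle that, as below.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class AccessToken:
    value: str
    expires_at: float            # epoch seconds when the token stops being valid
    refresh_token: Optional[str] = None


def is_expired(token: AccessToken, now: float, skew_seconds: float = 60.0) -> bool:
    """Treat the token as expired a little early so in-flight calls don't fail
    against a clock that is slightly ahead of ours."""
    return now + skew_seconds >= token.expires_at


class FakeTokenEndpoint:
    """Simulated token endpoint (constructed for this example, not a real API)."""

    def __init__(self, lifetime_seconds: int = 3600):
        self.lifetime = lifetime_seconds
        self.refresh_calls = 0
        self.revoked = set()      # refresh tokens an admin has revoked

    def exchange_code(self, code: str, now: float) -> AccessToken:
        # In a real flow the authorization code is what the login dialog hands
        # back after the user signs in; exchanging it yields the first token.
        return AccessToken(value=f"at-{code}-0",
                           expires_at=now + self.lifetime,
                           refresh_token=f"rt-{code}")

    def refresh(self, refresh_token: str, now: float) -> AccessToken:
        # A revoked refresh token means the session is over: no silent renewal.
        if refresh_token in self.revoked:
            raise PermissionError("refresh token revoked; user must sign in again")
        self.refresh_calls += 1
        return AccessToken(value=f"at-refreshed-{self.refresh_calls}",
                           expires_at=now + self.lifetime,
                           refresh_token=refresh_token)


class TokenManager:
    """Hands out a usable access token, refreshing when the current one is stale."""

    def __init__(self, endpoint: FakeTokenEndpoint, token: AccessToken):
        self.endpoint = endpoint
        self.token = token

    def get(self, now: float) -> str:
        if is_expired(self.token, now):
            if self.token.refresh_token is None:
                raise PermissionError("token expired and nothing to refresh with")
            self.token = self.endpoint.refresh(self.token.refresh_token, now)
        return self.token.value


if __name__ == "__main__":
    endpoint = FakeTokenEndpoint(lifetime_seconds=3600)
    manager = TokenManager(endpoint, endpoint.exchange_code("abc", now=1000.0))
    print(manager.get(now=1000.0))     # fresh token, used as-is
    print(manager.get(now=4570.0))     # inside the 60 s margin: refreshed
```

The `skew_seconds` margin is the detail people usually forget: without it a request sent a second before expiry can be rejected server-side, and the failure looks like a random 401 rather than a predictable refresh.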