API access indeed requires a PAT to be defined when authenticating with HumanUser credentials. Using API User, a Script Name and API Key suffice.
It all depends on the type of work done… users interacting with the application, or a service synchronizing data.
This post describes how you can check that your PAT is indeed used, while still being in dual login mode: "When do I create a PAT before or after ShotGrid Migration" - #7 by patrick-hubert-adsk
Hoping this helps,
-Patrick