There are two types of tokens that can be obtained via the API for actions like this. The first is a "sessionToken", and that is generated by successfully authenticating against the Primary Authentication endpoint using the API.
The second type is a stateToken, which is what would be used for password resets. If the primary authentication attempt puts you into a secondary state (such as a multi-factor authentication challenge or password expired), this is when you will receive a stateToken, but no sessionToken. You can then use the stateToken to reset the password.
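A client should branch on which token came back and never treat a stateToken as an authenticated session. The sketch below is an added example, not part of the original answer or the vendor's code; the `status` field, its values, and the sample responses are assumptions, since the text above names only the two token fields.

```python
import json

# Assumption: responses are JSON objects. The page names only the "sessionToken"
# and "stateToken" fields; the "status" field and its values are hypothetical.
SECONDARY_STATES = {
    "MFA_REQUIRED": "complete_mfa_challenge",
    "PASSWORD_EXPIRED": "reset_password",
}

def redact(token):
    """Log-safe form of a token: both token types are bearer secrets."""
    if isinstance(token, str) and len(token) > 8:
        return token[:4] + "..."
    return "***"

def _invalid(reason):
    return {"kind": "invalid", "next_step": "abort", "log": reason}

def classify_authn_response(body):
    """Decide what a primary-authentication response lets the caller do next."""
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return _invalid("unparseable body")
    if not isinstance(data, dict):
        return _invalid("body is not a JSON object")
    session, state = data.get("sessionToken"), data.get("stateToken")
    if isinstance(session, str) and session and state is None:
        # Authentication finished: only now may a session be established.
        return {"kind": "session", "next_step": "establish_session",
                "log": "sessionToken=" + redact(session)}
    if isinstance(state, str) and state and session is None:
        # Secondary state: the stateToken continues the flow, it is not a session.
        status = data.get("status")
        step = SECONDARY_STATES.get(status) if isinstance(status, str) else None
        if step is None:
            return _invalid("stateToken with unrecognized status")  # fail closed
        return {"kind": "state", "next_step": step,
                "log": "stateToken=" + redact(state)}
    return _invalid("expected exactly one of sessionToken / stateToken")

# Constructed sample responses (token values are made up).
SAMPLE_SUCCESS = '{"status": "SUCCESS", "sessionToken": "20111sample-session-token"}'
SAMPLE_EXPIRED = '{"status": "PASSWORD_EXPIRED", "stateToken": "00zzsample-state-token"}'
SAMPLE_MFA = '{"status": "MFA_REQUIRED", "stateToken": "00yysample-state-token"}'

if __name__ == "__main__":
    for sample in (SAMPLE_SUCCESS, SAMPLE_EXPIRED, SAMPLE_MFA):
        print(classify_authn_response(sample))
```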