The Authn API doesn't require an API token. You will have to add the domain to the CORS list in Okta. Take a look at http://developer.okta.com/docs/api/resources/authn.html for more information about the Authn API.
API token permissions are tied to the admin who created them. If a super user created the token, the token will have super user permissions. If a read-only admin created a token, the token will have read-only permissions.