I can say the official Atlassian answer is that we wish Apps would use OAuth instead of API Tokens. In the developer guide on auth options and tradeoffs, a significant note is “OAuth 2.0 (3LO) is currently not available for Jira Software.” That means simple things about issues are fine (covered by the Jira Platform) but things like boards, sprints, and epics are not. Reading the guide, you might think that’s the one exception but threads here in the developer community indicate OAuth coverage is spotty. For example, a recent thread reveals attachments are not covered (although the thread focuses on Confluence, I’m pretty sure the underlying “media service” is shared by Jira and thus a blocker there too).
All that to say that I would flip the question around. Given our intent to favor OAuth, please let us know if you are building an App and can’t find any option better than API Tokens.