Toshl API supports basic authentication with personal access tokens. Each token can be manually generated by the user and then copy-pasted into the application. During the process the token must be given the appropriate access rights it requires to work correctly. This part is not automated and must be performed by the user.
Personal tokens never expire, but can be revoked by the user at any time.
To make a basic auth request send the personal access token as the username and leave the password empty.
Note: Make sure the personal token is never leaked. Threat is as you would any other password.