I noticed that the Swagger UI for OpalStack's OpenAPI isn't configured to Authenticate by just pasting in the API Token.
After clicking "Authorize" you have to write "Token", a space, then your token.
The OpenAPI spec itself isn't valid because of the
securityDefinitions.Bearer.bearerFormat - see the validation debug.
I guess everyone is aware that each token has full access to the account including the generated passwords in the
GET notice/list/ but a small warning when generating probably wouldn't be amiss.
Restricted scopes on the tokens would be nice too, but that's a much bigger feature request.