We found undocumented solutions through the codebase.
According to code in apikey.py we can have MAAS CLI generate the token for another user, which solves our problem with managing tokens for users who may not have a valid token anymore
According to code in helpers.py#L256 we can authenticate and automatically create a token if no token is found, which solves our problem with if a user deletes their last token