You need one superuser and another user that has only view access.
As expected you get an error:
You can't access this resource as it requires admin access for at least one website.
This isn't a security issue (as the superuser can of course always access the API), but it is counterintuitive in case you are testing the API and expecting Matomo to only respect the token_auth and not the session of the logged in user when a
token_auth is provided.