You need one superuser and another user that has only view access.
As expected you get an error:
You can't access this resource as it requires admin access for at least one website.
This isn't a security issue (as the superuser can of course always access the API), but it is counterintuitive in case you are testing the API and expecting Matomo to only respect the token_auth and not the session of the logged in user when a token_auth is provided.
Update: Found a Matomo instance that was still using 3.6.1 and it was working fine there.
https://github.com/matomo-org/matomo/pull/13554 was the only change that affects sessions, so I guess it has caused the bug.
@Findus23 I've tried to reproduce this in the latest 3.x-dev and couldn't reproduce it. Not sure if it was indirectly fixed or maybe try to disable all third-party plugins to see if it still happens?
@tsteur I can't reproduce it any more on the same Matomo instance on 3.8.0-b5, so either it was an odd cache error or got fixed in the meantime.