I think this explains the use of API tokens fairly well:
https://www.chirpstack.io/application-server/api/
Specifically, they are long-lived and revocable. They are the current preferred way to interface programmatically with the API.
The /api/internal/login
endpoint provides an JWT token, which are shorter lived (24h by default, I believe) and are intended for use by the Application Server web UI. @brocaar has also made clear a couple times that the /internal
endpoints are subject to change if needed, and should not be depended on.