Argo Tunnel API Token usage

Logging in with cloudflared creates an API token with Argo Tunnel : Edit permission.
What is this token used for? I know it’s contained in the PEM file stored on the client, but if I Roll the key or delete the token I can still create, delete, run tunnels.
So what happens if I delete this API token? Why is it created?
The certificate in the PEM file is valid for 10 years. Maybe the API key is needed to renew the certificate when it’s close to expire?