Jenkins Authentication requires user:api_token
The job token is a separate requirement only if you configured a job token on your specific jenkins job.
I gathered this information from this source: https://issues.jenkins-ci.org/browse/JENKINS-17764
"Daniel Beck added a comment - 2017-09-12 06:26
Token-based build triggering is a legacy option that has been deprecated years ago (just the docs haven't been kept up to date).
It made sense in a time when Jenkins allowed anyone Read access to anything, but only authenticated users were able to trigger builds.
With more complex security realms, that can limit Read access for some users, this scheme no longer works, as access to the entire /job/whatever/ URL space can be prohibited. This is pretty deep inside Jenkins, and there's nothing the authorization plugin can (or should) do.
If you need to trigger builds this way, you need to authenticate with Jenkins with a user that has read access (Build permission not necessary, but really, what do you gain then?), or use the Build Token Root Plugin, which implements its own URL scheme and permission control and is not subject to the usual URL hierarchy permissions scheme in Jenkins."
,This is a requirement of "Trigger Builds Remotely" in Jenkins.
There is no option for api token only without user since they are linked, that I am aware of.
The job authentication token is an additional token needed along with user:apitoken if you configured one on the particular jenkins job.
You always need a user:apitoken.