Docs: publishing > authentication > API tokens #821

Open
@soxofaan

https://hatch.pypa.io/latest/publish/#authentication mainly discusses user+password auth.
Last week I used user+password auth to publish a project, and got this email from PyPI:

... However, your account has two-factor authentication (2FA) enabled. In the near future, PyPI will begin prohibiting uploads using basic authentication for accounts with two-factor authentication enabled. Instead, we will require API tokens to be used.

I guess the Hatch documentation could use a bit of fine-tuning to cover API tokens better, because now it just mentions it as a recommendation for automated releases:

For automated releasing to PyPI, it is recommended that you use per-project API tokens.

Also relevant here: when one creates an API token, one has to pick the token's scope (all projects or an individual project). So that means that a developer might end up with multiple "token passwords" (one for each project), which might not play well with the user/password caching mechanism described in the authentication docs.
