That is correct, however both are not unique to SonarQube specifically:
- the token is: it’s defined in SonarQube, only makes sense for SonarQube considerations
- the username/password pair is not: imagine if you’re using LDAP integration, then credentials are not specific to SonarQube, they can let you in many other applications
Hence the very existence of tokens, as a security best practice (independently from SonarQube). It’s in fact recommended to use tokens for any external integration, as you can revoke them anytime if something bad happens (contrary to credentials, which you might use in other applications).