Thanks, I think I initially misunderstood your question.
Yes – at creation, the token needs to have Owner permissions (basically to confirm that it’s okay to bind SonarCloud to the organization). This can be demoted later. Take a look at this thread.