At the moment, we do not provide information to administrators regarding the scope of the api tokens created by their managed accounts. This can be very confusing specially in cases where the API token is blocked by authentication policies, yet there is an exception for Bitbucket scope. 

Suggestion

• Log the scope of the API token created in org audit log
• In Managed account profile, specify the scope of a token
• In "Users API token" administration, specify the scope in the UI and the CSV export.

Workaround

• User Org administration API call to get more details on the scope of an API token