The token_auth acts as your password and is used to authenticate in API requests. You can find the token_auth by logging in Piwik, then go the page “API” by clicking on the link in the top of the screen.
The token_auth is secret and should be handled very carefully: do not share it with anyone. Each Piwik user has a different token_auth. When a user changes its password, the token_auth will be regenerated automatically.