How does 2 factor work for API access in salesforce? If enabled, how will API generate new tokens every time it expires, unlike humans who can look at authenticator app and add it to password. Documentation (https://help.salesforce.com/HTViewHelpDoc?id=security_require_2fa_api.htm&language=en_US) is not clear.

Also somewhere I read that in advanced user profile you can add a token in Time-Based Token field , but I dont see Add link in user profile , only remove link.  I was assuming that if we add the token in API user one time (from authenticator app_ ,we could use this in API calls.