Another option is to provide restricted API keys that are associated with accounts in the server's database and are otherwise random numbers. An ordinary UUID can be used for this purpose quite well. The only requirements are that the API key / bearer token / whatever you want to call it be unpredictable and impossible to derive from the account.
You then simply put the bearer token in the script, and the server authorizes the request based on the token matching an account and also looks up which account based on the token. The token is not valid anywhere else, certainly not for logging in, and is usable only for this particular API GET endpoint.
In practice, this is how most Web-based logins work. Log in with username/password, receive a "session ID" cookie that is more-or-less what I just described except that it grants full access to the account instead of only one scriptable API endpoint.