Ok, so it's not something gluu provides out of the box.
I have walked through docs and didn't find an API to get all user's tokens (it's required to allow a user to manage tokens).
So, as a workaround, I imagine a following way to achieve the desired feature:
1. Instead of a new Personal Access Token, create a new "sub" user with a group related to the original user (e.g. user1_token_user_group).
2. So, the original user will be able to fetch users filtered by the related group, so the fetched "sub" users might be considered as tokens instead.
3. When a "sub" user is created, show it's access token that is generated for a selected lifetime. There will be no way to generate access token again.
4. To revoke a Personal Access Token we actually need to remove a "sub" user.
5. I will need to check each user if it belongs to "token_user_group" and use username of the original user instead.
It seems to be achievable with gluu, but would be nice to have it out of the box
Thank you for reply.