An authtoken is a read-write token used to make authorized CMA requests, but it is user-specific: your personal user details are attached to every API request that you make with it. So, if someone obtained your authtoken and also knew the stack API key, they could make API requests that appear to come from you.
Management tokens, on the other hand, are stack-level tokens with no users attached to them. They can do everything that authtokens can do (with a few exceptions). Since they are not personal tokens, no role-specific permissions apply to them. It is recommended to use these tokens for automation scripts, third-party app integrations, and Single Sign-On (SSO)-enabled organizations.
Note: Only the owner or admin of a stack can create management tokens.
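The recommendation above can be checked mechanically. The following is an added example, not Contentstack's own code: a small audit that flags automation scripts still sending a user-specific authtoken, or carrying a pasted token value. It assumes the CMA request headers are named `authtoken` (user token) and `authorization` (management token), which this page does not state; the sample scripts, environment variable names and token values are constructed placeholders.

```python
import re

# Assumed CMA header names (not stated on this page): "authtoken" carries the
# user-specific token, "authorization" carries a stack-level management token.
HEADER_RE = re.compile(
    r"""["']?(authtoken|authorization)["']?\s*[:=]\s*(.+)""", re.IGNORECASE)
# A quoted literal of 8+ characters (no "$" interpolation) looks like a pasted secret.
LITERAL_RE = re.compile(r"""^["'][^"'$]{8,}["']""")

def audit_script(name, text):
    """Return (file, line_no, finding) tuples for token handling in one script."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = HEADER_RE.search(line)
        if not match:
            continue
        header = match.group(1).lower()
        value = match.group(2).strip().rstrip(",")
        if header == "authtoken":
            findings.append((name, line_no, "user-specific authtoken used in automation"))
        if LITERAL_RE.match(value):
            findings.append((name, line_no, f"{header} value is hardcoded"))
    return findings

# Constructed sample scripts; every token value below is a placeholder.
SAMPLES = {
    "publish.py": (
        'headers = {\n'
        '    "api_key": os.environ["CS_API_KEY"],\n'
        '    "authtoken": "PLACEHOLDER_USER_AUTHTOKEN",\n'
        '}\n'
    ),
    "sync.py": (
        'headers = {\n'
        '    "api_key": os.environ["CS_API_KEY"],\n'
        '    "authorization": os.environ["CS_MANAGEMENT_TOKEN"],\n'
        '}\n'
    ),
}

def audit_all(samples=SAMPLES):
    """Audit every sample script and return the combined findings."""
    return [f for name, text in samples.items() for f in audit_script(name, text)]

if __name__ == "__main__":
    for finding in audit_all():
        print(*finding, sep=": ")
```

A script that reads a management token from the environment, like the constructed `sync.py`, produces no findings.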