You can do either. It connects via OAuth. So the most commonly adopted strategy is to have a service account be authenticated and then that record in Essentials is shared with the users you’d like to open access for them to deploy to that org. They CANNOT login with that token. It is just used to deploy change to/from the org.