Yes, your api users/clients can log into the portal.. they can view API documentation/swagger for API products..
However, they do not view app tokens.. they create an app and can view the api key or client key /secret. The client key and secret can then be exchanged for a token that lives for some duration of time (as configured by you) if you’re using oauth for authentication for your APIs.
Client’s also do not revoke these tokens..