HACS uses the GitHub API to gather information about all available and downloaded repositories. This API is rate limited to 60 requests every hour for unauthenticated requests, which is not enough, so HACS needs to make authenticated requests to that API.
If you set up HACS in the Home Assistant UI, an OAuth token with no scopes will be used. Such a token grants read-only access to public information (including user profile info, repository info, and gists).
If you set up HACS with YAML, you need to supply a personal access token. You do not need to add any of the scopes when creating the token; leaving them all unselected limits the access grant to read-only access to public information (including user profile info, repository info, and gists).
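
To confirm that a token you created really carries no scopes, this added example (not part of HACS or its documentation) inspects two response headers GitHub returns, `X-RateLimit-Limit` and `X-OAuth-Scopes`. The function names, the `GITHUB_TOKEN` environment variable and the sample headers are assumptions made for illustration.

```python
import os
import urllib.request

API_URL = "https://api.github.com/user"
UNAUTHENTICATED_LIMIT = 60  # requests per hour, as stated above


def audit_headers(headers):
    """Judge a token from the response headers of one GitHub API call."""
    h = {k.lower(): v for k, v in headers.items()}
    limit = int(h.get("x-ratelimit-limit", "0"))
    raw = h.get("x-oauth-scopes", "")
    scopes = sorted(s.strip() for s in raw.split(",") if s.strip())
    authenticated = limit > UNAUTHENTICATED_LIMIT
    return {
        "authenticated": authenticated,
        "limit": limit,
        "scopes": scopes,
        # What HACS needs: the higher limit, and nothing beyond public read.
        "ok": authenticated and not scopes,
    }


def fetch_headers(token):
    """Make one authenticated request and return its response headers."""
    req = urllib.request.Request(API_URL, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
        "User-Agent": "token-scope-audit",  # hypothetical client name
    })
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items())


# Constructed sample headers, not captured from a real account.
SAMPLE_NO_SCOPES = {"X-RateLimit-Limit": "5000", "X-OAuth-Scopes": ""}
SAMPLE_OVERSCOPED = {"X-RateLimit-Limit": "5000",
                     "X-OAuth-Scopes": "repo, workflow"}
SAMPLE_ANONYMOUS = {"X-RateLimit-Limit": "60"}

if __name__ == "__main__":
    token = os.environ.get("GITHUB_TOKEN")  # assumed variable name
    headers = fetch_headers(token) if token else SAMPLE_NO_SCOPES
    result = audit_headers(headers)
    print(result)
    if result["scopes"]:
        print("Token grants more than HACS needs:", ", ".join(result["scopes"]))
```

A non-empty `scopes` list means the token can do more than read public data and should be replaced with one created without any scopes.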