It has to do with back-ends. Tyk actually has pluggable AuthN / AuthZ service back-ends; by default these are both Redis, but since they are actually just an interface, they can be anything (for example, we have a demo LDAP AuthN back-end).
Since one token can have access to multiple APIs, and those APIs can have different back-ends, when getting a token, we need to pull it from the correct back-end, the configuration for which sits on the API Definition.
Convoluted, but flexible.
Hence having to pull tokens via an API route - even though it is not specific to that API. A way to handle this is to just grab a list of non-open APIs from your dashboard and use one of those as the base path.