Disable 2FA for Private Application access

Hi,

I am developing a private application for a client.

Their staff have 2FA enforced due to being connected to Xero, can they still use the private application with the Basic bearer token? or is there a way to disable 2FA and restrict access for a sudo staff member to have API access only?