Yes. You need to use a first flow that will let user login with their email/password and return an API token. And you can use it after to run another API workflow on behalf of this user.
Second paragraph
