Read man openvpn. It is the definitive source of information about OpenVPN.
Let me just copy-paste a part of that page. I think this should completely answer your question:
--auth-token token

This is not an option to be used directly in any configuration files, but rather push this option from a --client-connect script or a --plugin which hooks into the OPENVPN_PLUGIN_CLIENT_CONNECT or OPENVPN_PLUGIN_CLIENT_CONNECT_V2 calls. This option provides a possibility to replace the clients password with an authentication token during the lifetime of the OpenVPN client.

Whenever the connection is renegotiated and the --auth-user-pass-verify script or --plugin making use of the OPENVPN_PLUGIN_AUTH_USER_PASS_VERIFY hook is triggered, it will pass over this token as the password instead of the password the user provided. The authentication token can only be reset by a full reconnect where the server can push new options to the client. The password the user entered is never preserved once an authentication token have been set. If the OpenVPN server side rejects the authentication token, the client will receive an AUTH_FAIL and disconnect.

The purpose of this is to enable two factor authentication methods, such as HOTP or TOTP, to be used without needing to retrieve a new OTP code each time the connection is renegotiated. Another use case is to cache authentication data on the client without needing to have the users password cached in memory during the life time of the session.

To make use of this feature, the --client-connect script or --plugin needs to put

push "auth-token UNIQUE_TOKEN_VALUE"

into the file/buffer for dynamic configuration data. This will then make the OpenVPN server to push this value to the client, which replaces the local password with the UNIQUE_TOKEN_VALUE.
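
An added example, not part of the answer above or of the OpenVPN man page: one way the server-side scripts could issue and check such a token, so that the value pushed from --client-connect is unguessable, bound to the user and expiring. The token layout, PREFIX, TTL, the secret handling and all function names are assumptions made for illustration; the code relies only on OpenVPN handing the --client-connect script a dynamic configuration file and handing the --auth-user-pass-verify hook the username and password.

```python
import hashlib, hmac, json, secrets, time

PREFIX = "tok1"   # hypothetical marker: lets the verify hook tell tokens from passwords
TTL = 8 * 3600    # assumed token lifetime in seconds

def _mac(secret: bytes, username: str, expiry: int, nonce: str) -> str:
    # JSON-encode the fields so their boundaries are unambiguous before MACing.
    msg = json.dumps([username, expiry, nonce]).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def issue_token(secret: bytes, username: str, now=None) -> str:
    """Run from --client-connect, after the full password/OTP login succeeded."""
    expiry = int(time.time() if now is None else now) + TTL
    nonce = secrets.token_hex(16)
    return f"{PREFIX}.{expiry}.{nonce}.{_mac(secret, username, expiry, nonce)}"

def write_push(dynamic_conf_path: str, token: str) -> None:
    """Append the push directive to the dynamic config file given to the script."""
    with open(dynamic_conf_path, "a") as fh:
        fh.write(f'push "auth-token {token}"\n')

def verify_token(secret: bytes, username: str, password: str, now=None) -> bool:
    """Run from --auth-user-pass-verify; on renegotiation 'password' is the token."""
    parts = password.split(".")
    if len(parts) != 4 or parts[0] != PREFIX:
        return False  # not a token: caller falls back to the real password/OTP check
    _, expiry_s, nonce, mac = parts
    if not expiry_s.isdecimal():
        return False
    if int(time.time() if now is None else now) >= int(expiry_s):
        return False  # expired: client gets AUTH_FAIL and must do a full reconnect
    expected = _mac(secret, username, int(expiry_s), nonce)
    return hmac.compare_digest(mac.encode(), expected.encode())
```

The secret must be readable only by the server-side scripts; anyone who can read it can mint tokens for any username.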