I believe the easiest way to do this is to overwrite the login action. You can find example code in the Mendix Login Guard AppStore module (the documentation also contains a link to a blog post explaining this).
Once you are in the Java action, you can call a microflow with the Core.execute() method. In this microflow, you call your API with the username and password the user has provided and store the token. You can then continue logging in the user from the Java action.
Finally, if all your application does is call APIs, you could also model your app for anonymous users. If the user wants to call an API, you ask for a username and password. You store the token in a non persistent entity attached to System.Session. For each subsequent call, you retrieve the token, and use that as input for the API call. You may not need to log in your users, if all information comes from an external system. Be careful with persistent entities in such a scenario and double check your security (e.g. with the SecurityInspector widget).