Unable to get private API key of sub_org user when authenticated with Email OTP

I know we can generate new API keys from the CLI, but I'm wondering what the best programmatic way to derive it if the user's suborg is authenticated with email