1015 rate limit errors despite no rate limiting set up - Access suspected as culprit

I strongly suspect this is something to do with Access, as that’s the change we’ve made.

We have moved from regular Firewall setup, where we allowed our test suite’s IPs to access a non-production URL, to Access, where testers have to log in manually, while the test suite uses a token to bypass Access (using CF-Access-Client-Id and CF-Access-Client-Secret headers).

The moment we switched to Access, our test suite no receives 1015 errors from Cloudflare almost immediately.

Rate limiting under Firewall/Tools is not even enabled at all.

Does Access product have some builtin rate limits, and how do we disable them?

Adding a screenshot of Access policies for the URL, basically login + token, where individuals use login, while the test suite uses token (the 2 headers in every request).

Have you already checked your firewall logs to see if there’s anything in there that shows the reason for why the rate limitation is happening?

It says the reason is worker. We only have 1 worker to inject some headers into every response, and we’re on a Bundled plan, which is not supposed to have daily or burst rate limits on workers.

It sounds like you’re hitting your worker from the same ip a lot in a small time frame, in that case a internal rate limit will trigger as part of Cloudflare’s abuse protection.

Cloudflare’s abuse protection methods do not affect well-intentioned traffic. However, if you send many thousands of requests per second from a small number of client IP addresses, you can inadvertently trigger Cloudflare’s abuse protection. If you expect to receive 1015 errors in response to traffic or expect your application to incur these errors, contact Cloudflare to increase your limit.

You can increase this limit by contacting support, as explained in the article I linked above.