I strongly suspect this is something to do with Access, as that’s the change we’ve made.
We have moved from regular Firewall setup, where we allowed our test suite’s IPs to access a non-production URL, to Access, where testers have to log in manually, while the test suite uses a token to bypass Access (using CF-Access-Client-Id and CF-Access-Client-Secret headers).
The moment we switched to Access, our test suite no receives 1015 errors from Cloudflare almost immediately.
Rate limiting under Firewall/Tools is not even enabled at all.
Does Access product have some builtin rate limits, and how do we disable them?