JS challenge endless loop

Hello everybody, I’ve just enabled Cloudflare a day ago, my site is under DDoS attack, I enabled the “Under attack mode” and Cloudflare was successful in blocking most offending traffic.

But I have two issues:

1- Some users are complaining from endless JS challenge page, where they never get redirected to my server.

2- How do I disable JS Challenge for my API? I added a rule in Security > Firewall rules including the IPs I want to bypass.

When that did not seem to work for everyone, I added a page rule with a wildcard.

But still some clients are complaining about receiving Cloudflare challenge page for their API requests.

Please advise