The attempt appears to be to rate limit. The acquisition of access tokens is meant to be rate limited.

Similar logic to SMS verification, but actually private.