The parent's experience which mirrors my own - on a clean residential IP that hasn't sent any traffic I hit that "rate-limit" on my first request to the commits list view.

So there is no rate-limit, it's a default deny for unauthenticated requests... which could be fine but at least update the error message to reflect that.