REST User blocked at login

After running some REST API calls on xwiki, the user is “blocked”, needs to login on the website and enter the captcha. Is this a bug or feature? Can this be turned off somehow as the REST user would only use the API and should never be blocked.
Thanks in advance.

What you describe looks like auth brute force protection: by default when an HTTP client fail to authenticate 3 times (in the case of the REST API it’s actually less if you are on XWiki < 13.4 because of https://jira.xwiki.org/browse/XWIKI-18532) it’s temporarily disabled and have to resolve a captcha.

You can disable this protection entirely in the admin, see https://extensions.xwiki.org/xwiki/bin/view/Extension/Authentication%20Security%20Module/#HConfiguration for more details.