Incorrect REST API credential prescience and incorrect error message wording
I was replaying some API requests from a few weeks ago, and oddly it appeared the api user/token headers were no longer being accepted.
It turns out a cookie (ZSession) had been set in my test tool (Postman) and it had expired. The valid API credential headers were ignored. This is a bug.
Additionally, the error message indicated that a valid login was needed - which was incorrect; it should have said something like "your cookie session is expired."