Ewa from FreeAgent Engineering here again — thanks a lot of your patience with this query; I’ll admit it got me digging deep behind the scenes to get an answer for you! You’re absolutely right in thinking there have been no recent changes to our API rate limits. The limits we have documented here are measured per user (which we define as a combination of the same ip/user/company subdomain), however in addition to these we do have an additional rate limit based on IP address which is capped on 1000 requests per minute. This is implemented mostly to protect our API from bad actors, however in very rare cases it might get triggered if several integration users make a high number of requests to our API from the same IP address, which — as unlikely as it might seem — is what happened in this case.
I hope this helps to clarify things a little, though please do let me know if there’s anything else you’d like to know regarding this.