Doing some unrelated testing last night (that involved different browsers, clearing caches etc.) I forgot myself and tripped the rate limit on com.atproto.server.createSession again.
Instead of saving the API refresh token to a PHP session variable I have swapped to using a file so that the token can be used across PHP sessions and there is less reason to create a new connection via the API.
