I can see why this api should be limited, but it seems (from the outside, I'm sure maybe there are other reasons) like if the credentials are correct, it shouldn't count against the limit. Only limit if the attempts are bad (someone is fishing).
J.D.