OK this is a bit ridiculous. The FAQ does not specify how to use the API beyond listing a json parameter. If you send a curl command with that parameter the first search just returns "Logged In", and run another search and then you're temporarily IP banned site wide.
Having hair trigger sensitive security around API while not telling the user what the request should look like to not trigger that is just silly.
OK bit more trial and error later I worked out a curl command that doesn't trip this.
https://pastebin.com/BNRBfYFf
Still not entirely sure what about the original request trigger it. Think it was something around the Sec-Fetch-* headers that copying a request from browser via copy cURL included