
Refer to the pictures above. My users are sometimes facing problems even when a token exists and is sent along as a header. This is an Ajax request, and I made sure that it calls getToken() first, then proceeds with the Ajax call when the promise resolves. Why will Bot Control still issue a challenge (which basically kills an Ajax request) in this case, despite the token not being absent? Recently I implemented AWS WAF + enabled Bot Control, and my users are sometimes (randomly) having difficulties using the sites. Sometimes they can't load the page until they refresh, sometimes Ajax dies, even when getToken() is used.

I've already included the challenge.js script provided by AWS WAF's Application Integration, which also gets/re-gets the token on page load and while browsing.

Thanks

1 Answer


Found out the reason: the check for "TGT_VolumetricIpTokenAbsent" is not based on a single request, but on the total requests (5 or more) from a client (IP) in the last 5 minutes.

So it was the other calls/APIs that triggered the threshold, but the rule was matched on a request with a token, which is possible, as mentioned in the docs (https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-bot.html).
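To make the answer's point concrete, the toy model below (an added illustration, not code from the post or from AWS) counts requests per source IP over a sliding 5-minute window and attaches the label once the count reaches 5, without looking at whether the individual request carried a token. The window, threshold and counting behaviour are assumptions taken from the answer above rather than from the real rule's implementation; the IP addresses, paths and timestamps are constructed sample traffic.

```javascript
// Toy model of a volumetric, per-IP label evaluated over a sliding window.
// Window and threshold follow the answer (5 requests in 5 minutes); how the
// real AWS WAF rule counts is an assumption here, not a description of it.
const WINDOW_MS = 5 * 60 * 1000;
const THRESHOLD = 5;
const LABEL = 'TGT_VolumetricIpTokenAbsent';

class VolumetricIpTracker {
  constructor(windowMs = WINDOW_MS, threshold = THRESHOLD) {
    this.windowMs = windowMs;
    this.threshold = threshold;
    this.byIp = new Map(); // ip -> timestamps (ms) of requests still inside the window
  }

  // Record one request and return it annotated with the labels it would receive.
  evaluate(request) {
    const { ip, timestamp } = request;
    const seen = this.byIp.get(ip) ?? [];
    // Slide the window: forget requests older than windowMs.
    const recent = seen.filter(t => timestamp - t < this.windowMs);
    recent.push(timestamp);
    this.byIp.set(ip, recent);

    // The decision is per IP aggregate, so request.hasToken is deliberately
    // not consulted here: that is exactly why a tokened request can match.
    const labels = recent.length >= this.threshold ? [LABEL] : [];
    return { ...request, labels, requestsInWindow: recent.length };
  }
}

// Constructed traffic: one browser session (page load plus API calls from the
// same IP within a few seconds) where only the last call awaited getToken(),
// then an unrelated client, then the same session six minutes later.
const SAMPLE_REQUESTS = [
  { ip: '203.0.113.10', timestamp: 0,    path: '/',             hasToken: false },
  { ip: '203.0.113.10', timestamp: 800,  path: '/api/menu',     hasToken: false },
  { ip: '203.0.113.10', timestamp: 1600, path: '/api/profile',  hasToken: false },
  { ip: '203.0.113.10', timestamp: 2400, path: '/api/cart',     hasToken: false },
  { ip: '203.0.113.10', timestamp: 3200, path: '/api/checkout', hasToken: true  }, // token present
  { ip: '198.51.100.7', timestamp: 3300, path: '/api/checkout', hasToken: true  }, // other client
  { ip: '203.0.113.10', timestamp: 6 * 60 * 1000, path: '/api/menu', hasToken: true }, // window expired
];

function runSimulation(requests = SAMPLE_REQUESTS) {
  const tracker = new VolumetricIpTracker();
  return requests.map(r => tracker.evaluate(r));
}

// Requests that carried a token and were still labelled: the symptom in the question.
function labelledDespiteToken(results) {
  return results.filter(r => r.hasToken && r.labels.includes(LABEL));
}

for (const r of runSimulation()) {
  console.log(`${r.ip} ${r.path} token=${r.hasToken} inWindow=${r.requestsInWindow} labels=${r.labels.join(',') || '-'}`);
}
```

Running it shows the first four token-less calls from 203.0.113.10 pass unlabelled, the fifth call is labelled even though it carries a token, the other client is untouched, and the same IP is clean again once the earlier requests have aged out of the window. When diagnosing this in a real deployment, the aggregate request rate per client IP over the window is the figure to look at, not whether the failing request itself had a token.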