Why are there different response times for the same call when using different accounts?

Question

When making direct API calls, the response time for the same call can differ by about 500 ms depending on which user account is used, even though both accounts have identical access rights. Why is this?

Answer

The cause is preemptive authentication of requests: API clients send their credentials with every request, so every request is authenticated from scratch.

When an API request is issued, there are several ways to authenticate the user. The simplest, and therefore most widely used, is to send the username and password as part of the request (for example in an HTTP Basic Authorization header).

In that case the server authenticates each request by verifying the supplied password against the stored password hash.

Since the El Presidente release, an improved security measure hardens password storage to current standards. Verifying a password now intentionally costs about 500 ms of hash computation, which makes brute-force attacks against the password hashes a lot less feasible. The password check therefore takes a few hundred milliseconds by design, and for normal interactive users this one-off cost at login is a good thing.

The new password hash method is Argon2; the old one was SHA-256. Argon2 is a memory-hard password hashing function whose cost is tunable, whereas a plain SHA-256 digest is a fast general-purpose hash that an attacker can compute at very high rates.

In the regular UI you will not notice this, because the password is only verified at the initial login; all subsequent requests carry a session token for authentication. A pure API integration is different: such clients typically send a full authentication header (username and password) with every request, which forces the server to compute the password hash on every request.

Accounts created before the El Presidente release that have never changed their password since still use the SHA-256 hash method, so their requests do not pay this cost. This is why the same call is faster for one account than for the other.

To improve response times in exceptional cases, you can switch an account back to the old, weaker hash method. To do so, set the 'No Session' option in the user account settings to true and then change the password.

This is a very weak workaround from a security standpoint, since SHA-256 password hashes are fast to brute-force. Use it only in exceptional cases where nothing else works; the preferred approach is to log in once and reuse the session token for all further requests.
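The following is an added example, not code from the product or this documentation page, that models the behaviour described above: a server that verifies a Basic credential on every request versus one that hands out a session token after a single login, with a legacy account still on SHA-256 for comparison. Because Argon2 is not in the Python standard library, `hashlib.scrypt` (another memory-hard KDF) stands in for it; the cost parameters, the account names, the password and the `X-Session-Token` header name are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os
import secrets
import time

# Per-user hash scheme, as on the page: passwords set after the release use the
# memory-hard hash, accounts that never changed their password keep SHA-256.
# scrypt stands in for Argon2 here (assumption: argon2 is not in the stdlib).
SLOW_SCHEME = "scrypt"
FAST_SCHEME = "sha256"
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)  # assumed cost parameters

# Instrumentation: how many times each verifier ran.
KDF_CALLS = {SLOW_SCHEME: 0, FAST_SCHEME: 0}


def _digest(password: str, salt: bytes, scheme: str) -> bytes:
    if scheme == SLOW_SCHEME:
        return hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    if scheme == FAST_SCHEME:
        return hashlib.sha256(salt + password.encode()).digest()
    raise ValueError(f"unknown scheme {scheme!r}")


def hash_password(password: str, scheme: str) -> str:
    """Return 'scheme$salt$digest' for storage."""
    salt = os.urandom(16)
    return f"{scheme}${salt.hex()}${_digest(password, salt, scheme).hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the stored scheme; the slow scheme is what costs ~hundreds of ms."""
    scheme, salt_hex, digest_hex = stored.split("$")
    KDF_CALLS[scheme] += 1
    candidate = _digest(password, bytes.fromhex(salt_hex), scheme)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed accounts (hypothetical names and password).
PASSWORD = "example-only-password"
USERS = {
    "alice": hash_password(PASSWORD, SLOW_SCHEME),       # password set after the release
    "bob_legacy": hash_password(PASSWORD, FAST_SCHEME),  # never changed since
}
SESSIONS = {}  # token -> username


def basic_header(user: str, password: str) -> dict:
    cred = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {cred}"}


def handle_request(headers: dict):
    """Server side: return the authenticated username, or None.

    A Basic header forces a full password verification on every call;
    a session token (header name assumed) is only a table lookup."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return None
        stored = USERS.get(user)
        return user if stored is not None and verify_password(pw, stored) else None
    token = headers.get("X-Session-Token")
    return SESSIONS.get(token) if token else None


def login(user: str, password: str):
    """Verify the password once and hand out a session token."""
    if handle_request(basic_header(user, password)) != user:
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user
    return token


def slow_verifications(user: str, password: str, requests: int, use_session: bool):
    """Serve `requests` calls; return (calls served, memory-hard KDF runs needed)."""
    before = KDF_CALLS[SLOW_SCHEME]
    if use_session:
        headers = {"X-Session-Token": login(user, password)}
    else:
        headers = basic_header(user, password)
    served = sum(handle_request(headers) == user for _ in range(requests))
    return served, KDF_CALLS[SLOW_SCHEME] - before


if __name__ == "__main__":
    for label, user, session in [("Basic, new hash", "alice", False),
                                 ("Basic, legacy SHA-256", "bob_legacy", False),
                                 ("session token", "alice", True)]:
        t0 = time.perf_counter()
        served, slow = slow_verifications(user, PASSWORD, 10, session)
        print(f"{label:24s} {served} calls, {slow} slow verifications, "
              f"{(time.perf_counter() - t0) * 1000:.0f} ms")
```

Running the script shows the three cases side by side: ten Basic-authenticated calls against the new-hash account run the memory-hard KDF ten times, the legacy account runs it zero times (which is exactly the asymmetry the question describes), and the session-token client pays the cost once at login and then serves the remaining calls with a lookup. Note that `KDF_CALLS` only counts; the elapsed time printed is what an API consumer would actually observe.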
