If an automatic login to a private (read denied) is attempted twice, the first action will raise NoUsername, but the second login will raise APIError.
I'm currently guessing but it does sort of make sense. The second APIError happens probably because after the first failed login the API knows that login doesn't work and doesn't attempt to login but just reraises the possible APIError caught in the first attempt.
Judging by the associated patch, this was related to the "sysopnames" feature of bot logins, which we have since deprecated and removed (see T71283). I am going to mark it as Invalid given how much the code has moved forward since this task was created. Can always be reopened if the issue still matters.
I can see only a little sysopnames connection here or in the patch. The whole point is resetting the login status on failure, which is a clever idea. But anyway issues like these are still present, but the output changed since then drastically so it would be hard to recognize the newly occuring issue is a dupe of this one.