With long-running Zabbix API applications your auth token may time out.
Re-calling the user.login function with this stale auth token, will result in a Denied.

Documentation says that auth is not required to call user.login. Should be updated to say that auth should not be set when calling user.login, otherwise, it should be permissible to call user.login with invalid auth token.