During cluster join, we poll the replica to find out when it succesfully joined the cluster.
This means we're running requests with the replica's original credentials, but the replica will at some point have replicated the master's database, so if the rest service is running on the replica at that point, it might start returning a 401.
We must make sure 401 aren't encountered, because that might hit brute-force protection lockdowns. Instead, we must make sure the REST service is stopped before the database replication is established.
Minor correction, but in our case the credentials for master and replica are the same. What we see is the user not existing in the database at all when the 401s are returned. But your suggested fix sounds good and should cover both cases anyway.