v3.6.7 8 February 2026

Auth Rate Limiting

Auth Endpoint Rate Limiting

Per-route rate limits applied to all public authentication endpoints, layered on top of the existing global rate limit.

Covers login, TOTP verification, token refresh, registration, password reset, and email verification — all keyed by IP address. Exceeding the limit returns 429 Too Many Requests with a Retry-After header.

Existing account lockout on repeated failed passwords remains as a second layer of defence.
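The layering described above, as an added example that is not the project's own code: a sliding-window limiter that checks a global per-IP limit and a per-route per-IP limit, and answers 429 with a Retry-After value when either is exhausted. The route paths and all limit values are assumptions; the release note does not state them.

```python
import math
import time
from collections import defaultdict, deque

# Assumed values: (max requests, window in seconds). Not taken from the release note.
GLOBAL_LIMIT = (100, 60)
ROUTE_LIMITS = {  # hypothetical paths for the endpoints the note lists
    "/auth/login": (5, 60),
    "/auth/totp": (5, 60),
    "/auth/refresh": (30, 60),
    "/auth/register": (3, 3600),
    "/auth/password-reset": (3, 3600),
    "/auth/verify-email": (10, 3600),
}

class AuthRateLimiter:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        # (scope, ip) -> timestamps of allowed requests. In-memory only: a real
        # deployment needs eviction of idle keys and a shared store across workers.
        self.hits = defaultdict(deque)

    def _retry_after(self, key, limit, window, now):
        """Seconds until this layer frees a slot, or 0 if a slot is free now."""
        q = self.hits[key]
        while q and q[0] <= now - window:
            q.popleft()  # drop hits that have aged out of the window
        if len(q) < limit:
            return 0
        return max(1, math.ceil(q[0] + window - now))

    def check(self, ip, route):
        """Return (status, headers) for one request from `ip` to `route`.

        `ip` must be the real client address; behind a reverse proxy that means
        the address supplied by the trusted proxy, not a client-sent header.
        """
        now = self.clock()
        layers = [(("global", ip), GLOBAL_LIMIT)]
        if route in ROUTE_LIMITS:
            layers.append(((route, ip), ROUTE_LIMITS[route]))
        waits = [self._retry_after(k, lim, win, now) for k, (lim, win) in layers]
        if any(waits):
            # Rejected requests are not recorded, so retries do not extend the block.
            return 429, {"Retry-After": str(max(waits))}
        for key, _ in layers:
            self.hits[key].append(now)
        return 200, {}
```

Account lockout on repeated failed passwords sits outside this limiter and is keyed by account rather than by IP, which is why the two layers complement each other.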