diff --git a/api/package-lock.json b/api/package-lock.json
index 5c8ffea9..02e5ceee 100644
--- a/api/package-lock.json
+++ b/api/package-lock.json
@@ -14,6 +14,7 @@
 "@escape.tech/graphql-armor": "^2.2.0",
 "@fastify/cookie": "^8.3.0",
 "@fastify/cors": "^8.2.1",
+ "@fastify/rate-limit": "^8.0.1",
 "@pothos/core": "^3.29.0",
 "@pothos/plugin-dataloader": "^3.17.1",
 "@pothos/plugin-errors": "^3.11.0",
@@ -2343,6 +2344,16 @@
 "fast-json-stringify": "^5.7.0"
 }
 },
+ "node_modules/@fastify/rate-limit": {
+ "version": "8.0.1",
+ "resolved": "https://registry.npmjs.org/@fastify/rate-limit/-/rate-limit-8.0.1.tgz",
+ "integrity": "sha512-sKztox9tAhKYJadS7yD7mBamNs8sLP/OlBjX6prGzlL3+q4cxPE2UafW8QF5s4+BuUyssQ7FabSlgieqyk4JZg==",
+ "dependencies": {
+ "fastify-plugin": "^4.0.0",
+ "ms": "^2.1.3",
+ "tiny-lru": "^11.0.0"
+ }
+ },
 "node_modules/@graphql-codegen/add": {
 "version": "5.0.0",
 "resolved": "https://registry.npmjs.org/@graphql-codegen/add/-/add-5.0.0.tgz",
@@ -15257,6 +15268,16 @@
 "fast-json-stringify": "^5.7.0"
 }
 },
+ "@fastify/rate-limit": {
+ "version": "8.0.1",
+ "resolved": "https://registry.npmjs.org/@fastify/rate-limit/-/rate-limit-8.0.1.tgz",
+ "integrity": "sha512-sKztox9tAhKYJadS7yD7mBamNs8sLP/OlBjX6prGzlL3+q4cxPE2UafW8QF5s4+BuUyssQ7FabSlgieqyk4JZg==",
+ "requires": {
+ "fastify-plugin": "^4.0.0",
+ "ms": "^2.1.3",
+ "tiny-lru": "^11.0.0"
+ }
+ },
 "@graphql-codegen/add": {
 "version": "5.0.0",
 "resolved": "https://registry.npmjs.org/@graphql-codegen/add/-/add-5.0.0.tgz",
diff --git a/api/package.json b/api/package.json
index d408fdfd..a3068f84 100644
--- a/api/package.json
+++ b/api/package.json
@@ -29,6 +29,7 @@
 "@escape.tech/graphql-armor": "^2.2.0",
 "@fastify/cookie": "^8.3.0",
 "@fastify/cors": "^8.2.1",
+ "@fastify/rate-limit": "^8.0.1",
 "@pothos/core": "^3.29.0",
 "@pothos/plugin-dataloader": "^3.17.1",
 "@pothos/plugin-errors": "^3.11.0",
diff --git a/api/src/lib/fastify.ts b/api/src/lib/fastify.ts
index 8fae2626..c30e67ea 100644
--- a/api/src/lib/fastify.ts
+++ b/api/src/lib/fastify.ts
@@ -1,5 +1,6 @@
 import cookie, { type FastifyCookieOptions } from '@fastify/cookie'
 import cors from '@fastify/cors'
+import rateLimit from '@fastify/rate-limit'
 import fastify, { type FastifyServerOptions } from 'fastify'
 import { config } from '@/config'
@@ -31,3 +32,8 @@ await app.register(cors, {
 credentials: true,
 origin: [config.webapp.url],
 })
+
+await app.register(rateLimit, {
+ max: 100,
+ timeWindow: '1 minute',
+})
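Review bot: The limiter registered at the end of this hunk is keyed on `request.ip` by default, so what it actually limits depends on how the Fastify instance is created, which is outside this hunk. Behind a reverse proxy without `trustProxy`, every client is counted under the proxy's address and shares one 100-per-minute bucket; with an over-broad `trustProxy`, the client-supplied `X-Forwarded-For` header decides the bucket and the limit stops binding. The default store is also in-process memory (the lockfile pulls in `tiny-lru` for it), so with more than one API instance the effective ceiling is 100 per instance unless the plugin's `redis` option is used. I would record both assumptions next to the call, e.g. `// keyed on request.ip: trustProxy must match the deployment's proxy chain; counters are per process unless a shared store is configured`, and read the two literals from `config` as the CORS origin above does. A single global limit of 100 requests a minute is presumably too loose for any login or password-reset operation served by this API, which would need its own tighter limit.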