diff --git a/functions/api/index.js b/functions/api/index.js
index 3ebe920b9..ed0b9985b 100644
--- a/functions/api/index.js
+++ b/functions/api/index.js
@@ -1,6 +1,7 @@
 import functions from 'firebase-functions';
 import express from 'express';
+import rateLimit from 'express-rate-limit';
 import cors from 'cors';
 import morgan from 'morgan';
@@ -12,9 +13,16 @@ import kpiRoutes from './routes/kpi.js';
 import statusRoutes from './routes/status.js';
 import userRoutes from './routes/user.js';
+const apiLimiter = rateLimit({
+ windowMs: 15 * 60 * 1000, // 15 minutes
+ max: 100, // max 100 requests per window
+ message: 'Too many requests, please try again later.',
+});
+
 const app = express();
 app.use(cors());
+app.use(apiLimiter);
 app.use(express.json());
 app.use(morgan('combined'));
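Review bot: The `apiLimiter` added in the second hunk relies on express-rate-limit's default client key and default store, and both are weak for an Express app served from Firebase Functions. The default key is `req.ip`, and no `trust proxy` setting is visible in this hunk; behind the platform's front end that address is probably the proxy's, so unrelated callers would share one 100-request bucket, while trusting forwarded headers too broadly would let a client-supplied `X-Forwarded-For` decide the key. The default in-memory store is per function instance, so the cap is not enforced across concurrent instances and resets on every cold start. I would add `app.set('trust proxy', 1);` right after `const app = express();`, with the hop count confirmed for this deployment, and pass a shared `store` to `rateLimit` if the limit is meant as an abuse control rather than a courtesy. The rest of the file lies outside the hunk, so either may already be configured there.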