diff --git a/src/app.ts b/src/app.ts
index 93de841..86c5660 100644
--- a/src/app.ts
+++ b/src/app.ts
@@ -1,5 +1,6 @@
 import Fastify from 'fastify';
 import cors from '@fastify/cors';
+import rateLimit from '@fastify/rate-limit';
 import prismaPlugin from './plugins/prisma.js';
 import errorHandlerPlugin from './plugins/error-handler.js';
 import authPlugin from './plugins/auth.js';
@@ -22,6 +23,11 @@ export async function buildApp() {
 // Plugins
 await app.register(cors, { origin: config.corsOrigin });
+ await app.register(rateLimit, {
+ global: true,
+ max: 100,
+ timeWindow: '1 minute',
+ });
 await app.register(errorHandlerPlugin);
 await app.register(prismaPlugin);
 await app.register(authPlugin);
diff --git a/src/routes/auth/meta.ts b/src/routes/auth/meta.ts
index d0c3028..b966aa8 100644
--- a/src/routes/auth/meta.ts
+++ b/src/routes/auth/meta.ts
@@ -9,6 +9,9 @@ import type { MetaCallbackBody, AuthTokensResponse } from '../../types/api.js';
 const metaAuthRoutes: FastifyPluginAsync = async (fastify) => {
 fastify.post<{ Body: MetaCallbackBody }>('/auth/meta/callback', {
+ config: {
+ rateLimit: { max: 10, timeWindow: '1 minute' },
+ },
 schema: {
 body: {
 type: 'object',
diff --git a/src/routes/auth/session.ts b/src/routes/auth/session.ts
index d773d4d..9ce18b4 100644
--- a/src/routes/auth/session.ts
+++ b/src/routes/auth/session.ts
@@ -10,6 +10,9 @@ import type { RefreshBody, AuthTokensResponse, UserProfileResponse } from '../..
 const sessionRoutes: FastifyPluginAsync = async (fastify) => {
 // POST /auth/refresh — rotate refresh token, issue new JWT
 fastify.post<{ Body: RefreshBody }>('/auth/refresh', {
+ config: {
+ rateLimit: { max: 10, timeWindow: '1 minute' },
+ },
 schema: {
 body: {
 type: 'object',
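Review bot: The global limiter registered at `app.register(rateLimit, { global: true, max: 100, … })` keys on `request.ip` and counts in a per-process in-memory store by default, so its real effect depends on deployment details this hunk does not show: behind a reverse proxy with no `trustProxy` set on the Fastify instance every client resolves to the proxy's address and the 100/min budget is consumed collectively, while with several replicas each process keeps its own counter and the effective ceiling becomes replicas × 100. If the service sits behind a proxy, set `trustProxy` to the proxy's address or hop count rather than a blanket `true`, and for multi-instance deployments pass the plugin's `redis` option (or a custom `store`) so counts are shared. The bare numbers also deserve a why-comment on the new lines, e.g. `// Coarse per-IP ceiling for the whole API; auth routes tighten this via config.rateLimit`. `buildApp` starts and ends outside the hunk, so whether `trustProxy` is already configured in the `Fastify(...)` call cannot be seen from here.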
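Review bot: The per-route override `rateLimit: { max: 10, timeWindow: '1 minute' }` on `/auth/meta/callback` is an anonymous literal that is repeated verbatim on `/auth/refresh` in the session.ts hunk; hoisting it into one shared constant, e.g. `export const AUTH_ROUTE_RATE_LIMIT = { max: 10, timeWindow: '1 minute' } as const;` in a config module, keeps the two auth limits from drifting apart silently and gives the value a name that explains it. Because the key is the client IP, that budget of ten per minute is shared by everyone behind one NAT or carrier-grade address, which bites hardest on `/auth/refresh`, where every active client on such a network calls it as access tokens expire; check that ten per minute is compatible with the access-token lifetime, or consider a route-level `keyGenerator` that keys refresh on the authenticated subject instead of the address. Both route plugins continue past their hunks, so what the handlers do on a limited request is not visible here.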