diff --git a/apps/api/api-auth/src/routes/auth.routes.ts b/apps/api/api-auth/src/routes/auth.routes.ts
index 9ad4558..23ff62e 100644
--- a/apps/api/api-auth/src/routes/auth.routes.ts
+++ b/apps/api/api-auth/src/routes/auth.routes.ts
@@ -1,12 +1,20 @@
+import rateLimit from 'express-rate-limit';
 import express from 'express';
 import { validateData } from '../middleware/validationMiddleware';
 import { register, login, verifyToken, protectedRoute } from '../controllers/AuthController';
 import { UserRegistrationSchema, UserLoginSchema } from '@shared-types';
 
+// Rate limiter for protected routes
+const protectedRouteLimiter = rateLimit({
+ windowMs: 15 * 60 * 1000, // 15 minutes
+ max: 100, // limit each IP to 100 requests per windowMs
+ message: 'Too many requests from this IP, please try again later.'
+});
+
 const router = express.Router();
 
 router.post('/register', validateData(UserRegistrationSchema), register);
 router.post('/login', validateData(UserLoginSchema), login);
-router.get('/protected', verifyToken, protectedRoute);
+router.get('/protected', protectedRouteLimiter, verifyToken, protectedRoute);
 
 export default router;
\ No newline at end of file
diff --git a/package.json b/package.json
index 77a8ab7..8ac9433 100644
--- a/package.json
+++ b/package.json
@@ -78,6 +78,7 @@
 "react-dom": "19.0.0",
 "react-router-dom": "6.29.0",
 "uuid": "^11.1.0",
-"zod": "^4.0.17"
+"zod": "^4.0.17",
+"express-rate-limit": "^8.0.1"
 }
 }
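Review bot: The limiter is attached only to `/protected`, which already requires a valid token, while `/login` and `/register` in the same hunk stay unthrottled even though they are the unauthenticated endpoints that absorb credential-stuffing and account-enumeration traffic; a separate, tighter limiter should sit on both of those routes ahead of `validateData`, as sketched below. express-rate-limit keys its counters on `req.ip`, so if this API runs behind a load balancer or reverse proxy the app needs Express's `trust proxy` setting configured (not visible in this hunk) or every client collapses into a single bucket. The default in-memory store also counts per process, so with more than one instance the 100-per-15-minutes limit is effectively multiplied by the instance count unless a shared `store` is supplied. Setting `standardHeaders: true` and `legacyHeaders: false` on both limiters is worth adding so clients see the standard `RateLimit-*` headers instead of the `X-RateLimit-*` ones.
```typescript
// … unchanged: imports and protectedRouteLimiter …

// Tighter limiter for the unauthenticated credential endpoints
const authLimiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 20, // constructed threshold — tune to expected legitimate traffic
  standardHeaders: true,
  legacyHeaders: false,
  message: 'Too many authentication attempts from this IP, please try again later.'
});

const router = express.Router();

router.post('/register', authLimiter, validateData(UserRegistrationSchema), register);
router.post('/login', authLimiter, validateData(UserLoginSchema), login);
// … unchanged: /protected route and export …
```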