diff --git a/backend-api/src/api/main.py b/backend-api/src/api/main.py
index 21ccdb6..0c922da 100644
--- a/backend-api/src/api/main.py
+++ b/backend-api/src/api/main.py
@@ -10,6 +10,7 @@
 from fastapi import FastAPI, Request
 from fastapi.responses import JSONResponse
 from slowapi.errors import RateLimitExceeded
+from slowapi.middleware import SlowAPIMiddleware
 from starlette.middleware import Middleware
 from starlette.middleware.cors import CORSMiddleware
@@ -140,6 +141,7 @@ async def lifespan(app: FastAPI) -> AsyncIterator[None]:
 def create_app() -> FastAPI:
     middleware = [
+        Middleware(SlowAPIMiddleware),
         Middleware(
             CORSMiddleware, # ty:ignore[invalid-argument-type]
             allow_origins=["*"] if settings.debug else [],
diff --git a/backend-api/src/api/rate_limit.py b/backend-api/src/api/rate_limit.py
index e8d769e..0fb8515 100644
--- a/backend-api/src/api/rate_limit.py
+++ b/backend-api/src/api/rate_limit.py
@@ -19,13 +19,18 @@ def _get_connecting_ip(request: Request) -> str:
     return request.client.host if request.client else "unknown"
-limiter = Limiter(key_func=_get_connecting_ip, default_limits=[], storage_uri="memory://")
-
 SEARCH_LIMIT = "15/minute;100/hour"
 ADMIN_LIMIT = "30/minute"
 # limit across all clients, prevent dos
 GLOBAL_LIMIT = "200/minute"
+limiter = Limiter(
+    key_func=_get_connecting_ip,
+    default_limits=[],
+    application_limits=[GLOBAL_LIMIT],
+    storage_uri="memory://",
+)
+
 def rate_limit_exceeded_handler(_request: Request, exc: RateLimitExceeded) -> JSONResponse:
     return JSONResponse(
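Review bot: `Middleware(SlowAPIMiddleware)` is listed before `CORSMiddleware`, and Starlette builds the stack so that the first entry is the outermost layer, so a 429 produced by the limiter never passes back through the CORS middleware and browser clients see an opaque CORS failure instead of the rate-limit JSON body. Placing the entry after the CORS middleware keeps limiter responses CORS-decorated while still rejecting before routing, i.e. `Middleware(CORSMiddleware, ...),` followed by `Middleware(SlowAPIMiddleware),`. The middleware reads the limiter from `request.app.state.limiter`, which is not assigned anywhere in this hunk; `create_app` continues outside the hunk, so confirm that `app.state.limiter = limiter` is set there next to the `RateLimitExceeded` handler registration, otherwise every request would presumably fail with an attribute error rather than being limited. A short comment on the new line, such as `# enforces application-wide limits on every request, including undecorated routes`, would document why the middleware is needed in addition to the per-route decorators.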
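Review bot: The comment kept above `GLOBAL_LIMIT` says `# limit across all clients`, but as far as I recall slowapi builds each entry of `application_limits` from the limiter's own `key_func` with scope "global", i.e. it becomes 200/minute per connecting IP shared across all routes rather than one budget shared by all clients — confirm against the installed slowapi version, and if a real cross-client ceiling is intended the limit needs a key function that returns a constant. Independently of that, `storage_uri="memory://"` keeps counters per worker process and discards them on restart, so the effective ceiling multiplies with the number of workers; a shared backend such as a `redis://` URI is what makes a global limit actually global. Because `_get_connecting_ip` returns `request.client.host`, a deployment behind a reverse proxy that does not propagate a trusted client address would put every client into the proxy's single bucket, which is worth a sentence next to the `limiter` definition. I would rewrite the comment to state what is enforced, e.g. `# GLOBAL_LIMIT is applied via application_limits: per key_func key, across every route, counted per worker (memory://)`. The `rate_limit_exceeded_handler` body continues outside the hunk.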