diff --git a/package.json b/package.json
index 1d14d65e..a27e70c9 100644
--- a/package.json
+++ b/package.json
@@ -58,6 +58,7 @@
 "cors": "^2.8.5",
 "dotenv": "^8.2.0",
 "express": "^4.17.1",
+ "express-rate-limit": "^5.1.3",
 "fs-extra": "^9.0.1",
 "heic2any": "0.0.3",
 "isomorphic-fetch": "^3.0.0",
diff --git a/server.js b/server.js
index edd5a25b..81848b29 100644
--- a/server.js
+++ b/server.js
@@ -12,6 +12,7 @@ import * as Strings from "~/common/strings";
 import ApiV1GetSlateObjects from "~/pages/api/v1/get-slate-objects";
+import limit from "express-rate-limit";
 import express from "express";
 import next from "next";
 import compression from "compression";
@@ -24,6 +25,18 @@ const app = next({
 quiet: false,
 });
+const createLimiter = limit({
+ windowMs: 10 * 60 * 1000, // 10 minutes
+ max: 5,
+ message: { decorator: "RATE_LIMITED", error: true, message: "You have made too many requests." },
+});
+const loginLimiter = limit({
+ windowMs: 10 * 60 * 1000, // 10 minutes
+ max: 5,
+ message: { decorator: "RATE_LIMITED", error: true, message: "You have made too many requests." },
+});
 const handler = app.getRequestHandler();
 const EXTERNAL_RESOURCES = {
@@ -58,6 +71,14 @@ app.prepare().then(async () => {
 return await ApiV1GetSlateObjects(r, s);
 });
+ server.all("/api/users/create", createLimiter, async (r, s, next) => {
+ return handler(r, s, r.url);
+ });
+ server.all("/api/sign-in", loginLimiter, async (r, s, next) => {
+ return handler(r, s, r.url);
+ });
 server.all("/api/:a", async (r, s, next) => {
 return handler(r, s, r.url);
 });
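Review bot: `createLimiter` and `loginLimiter` rely on express-rate-limit's default key, `req.ip`, and nothing in the diff configures `trust proxy`; if this server runs behind a reverse proxy or load balancer, every client then shares the proxy's address, so five sign-in attempts from anyone lock out all users for ten minutes, while an over-broad `trust proxy` setting would instead let a client spoof `X-Forwarded-For` and reset its own bucket. Set `trust proxy` to the exact hop count (or supply an explicit `keyGenerator`) and record the assumption next to the limiters, e.g. `// Keyed by req.ip: behind a proxy this needs server.set("trust proxy", <hops>) or every client shares one bucket.` The default in-memory store is also per process and is cleared on restart, so the limit holds only within a single instance; a shared store is needed if more than one instance serves `/api/sign-in`. The two limiter objects are configured identically, so a single `authLimiter` would keep the window and threshold from drifting apart later.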
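Review bot: `server.all` applies the limiter to every method on `/api/users/create` and `/api/sign-in`, so CORS preflight `OPTIONS` requests and stray `GET`s draw from the same five-request budget as real submissions; unless the `cors` middleware answers preflight before these routes (its registration is outside the hunk), a browser client can spend its own allowance in a couple of round-trips. Register the limited routes for the method the handler actually accepts, presumably `server.post("/api/sign-in", loginLimiter, …)`, and keep `server.all` for the catch-all only. An IP-keyed limit on `/api/sign-in` also does nothing against credential stuffing spread across many addresses, so a per-account counter in the sign-in handler is the usual complement. The unused third parameter `next` shadows the `next` import from "next"; the new routes never call it, so `async (r, s)` would be cleaner. The enclosing `app.prepare().then(async () => {` callback starts and ends outside the hunk.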