diff --git a/backend/package-lock.json b/backend/package-lock.json
index 54dbbc5..a8bc557 100644
--- a/backend/package-lock.json
+++ b/backend/package-lock.json
@@ -16,6 +16,7 @@
 "depcheck": "^1.4.7",
 "dotenv": "^16.4.5",
 "express": "^4.21.1",
+ "express-rate-limit": "^7.4.1",
 "jsonwebtoken": "^9.0.2",
 "mongoose": "^8.7.0",
 "node": "^22.8.0",
@@ -1150,6 +1151,21 @@
 "node": ">= 0.10.0"
 }
 },
+ "node_modules/express-rate-limit": {
+ "version": "7.4.1",
+ "resolved": "https://registry.npmjs.org/express-rate-limit/-/express-rate-limit-7.4.1.tgz",
+ "integrity": "sha512-KS3efpnpIDVIXopMc65EMbWbUht7qvTCdtCR2dD/IZmi9MIkopYESwyRqLgv8Pfu589+KqDqOdzJWW7AHoACeg==",
+ "license": "MIT",
+ "engines": {
+ "node": ">= 16"
+ },
+ "funding": {
+ "url": "https://github.com/sponsors/express-rate-limit"
+ },
+ "peerDependencies": {
+ "express": "4 || 5 || ^5.0.0-beta.1"
+ }
+ },
 "node_modules/express/node_modules/cookie": {
 "version": "0.7.1",
 "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.7.1.tgz",
diff --git a/backend/package.json b/backend/package.json
index 7004140..d201d0b 100644
--- a/backend/package.json
+++ b/backend/package.json
@@ -11,6 +11,7 @@
 "depcheck": "^1.4.7",
 "dotenv": "^16.4.5",
 "express": "^4.21.1",
+ "express-rate-limit": "^7.4.1",
 "jsonwebtoken": "^9.0.2",
 "mongoose": "^8.7.0",
 "node": "^22.8.0",
diff --git a/backend/routes/authRoutes.js b/backend/routes/authRoutes.js
index d1f7bca..8f17bc1 100644
--- a/backend/routes/authRoutes.js
+++ b/backend/routes/authRoutes.js
@@ -1,4 +1,5 @@
 import express from "express";
+import rateLimit from "express-rate-limit";
 import {
 registerUser,
 loginUser,
@@ -14,30 +15,37 @@ import { submitFeedback } from "../controllers/submitFeedback.js";
 const router = express.Router();
+const loginLimiter = rateLimit({
+ windowMs: 5 * 60 * 1000, // 55 minutes
+ max: 5, // Limit each IP to 5 requests per windowMs
+ message: "Too many login attempts from this IP, please try again later.",
+});
+
 // Register route
 router.post("/register", registerUser);
-// Login route
-router.post("/login", loginUser);
+// Login route with rate limiter
+router.post("/login", loginLimiter, loginUser);
 // Logout route
 router.post("/logout", verifyJWT, logoutUser);
 // Verify route
 router.get("/verify", verifyUser);
+
+// Feedback route
+router.post("/feedback", verifyJWT, submitFeedback);
-router.post("/feedback" , verifyJWT, submitFeedback)
-
-//cloakroom bookings route
+// Cloakroom bookings route
 router.post("/bookCloakroom", verifyJWT, createCloakroomBooking);
-//wheelchair bookings route
+// Wheelchair bookings route
 router.post("/bookWheelchair", verifyJWT, createWheelchairBooking);
-//coolie bookings route
+// Coolie bookings route
 router.post("/bookCoolie", verifyJWT, createCoolieBooking);
-// get all stations route
+// Get all stations route
 router.get("/all-stations", verifyJWT, sendStations);
 export default router;
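Review bot: The `windowMs` comment on the new loginLimiter disagrees with the value it annotates: `5 * 60 * 1000` is 5 minutes, so the line should read `windowMs: 5 * 60 * 1000, // 5 minutes`. The limiter is keyed by client IP, so if this app is deployed behind a reverse proxy or load balancer the Express `trust proxy` setting has to match that deployment, otherwise every client is counted under the proxy's address; the app setup is not visible in this diff, so that is worth confirming. The default store is in-process memory, so counters are neither shared across multiple instances nor preserved across restarts, which weakens the limit in a scaled deployment. `/register` stays unlimited in this hunk and would benefit from the same treatment, and in express-rate-limit 7 `max` is the legacy name of `limit`.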