diff --git a/server/routes/api/attachments/attachments.ts b/server/routes/api/attachments/attachments.ts
index 13378d22d..a908c0b58 100644
--- a/server/routes/api/attachments/attachments.ts
+++ b/server/routes/api/attachments/attachments.ts
@@ -5,6 +5,7 @@ import { bytesToHumanReadable } from "@shared/utils/files";
 import { AttachmentValidation } from "@shared/validations";
 import { AuthorizationError, ValidationError } from "@server/errors";
 import auth from "@server/middlewares/authentication";
+import { rateLimiter } from "@server/middlewares/rateLimiter";
 import { transaction } from "@server/middlewares/transaction";
 import validate from "@server/middlewares/validate";
 import { Attachment, Document, Event } from "@server/models";
@@ -12,6 +13,7 @@ import AttachmentHelper from "@server/models/helpers/AttachmentHelper";
 import { authorize } from "@server/policies";
 import { presentAttachment } from "@server/presenters";
 import { APIContext } from "@server/types";
+import { RateLimiterStrategy } from "@server/utils/RateLimiter";
 import { getPresignedPost, publicS3Endpoint } from "@server/utils/s3";
 import { assertIn } from "@server/validation";
 import * as T from "./schema";
@@ -20,6 +22,7 @@ const router = new Router();
 router.post(
   "attachments.create",
+  rateLimiter(RateLimiterStrategy.TenPerMinute),
   auth(),
   validate(T.AttachmentsCreateSchema),
   transaction(),
diff --git a/server/routes/api/collections.ts b/server/routes/api/collections.ts
index 7c23ed796..861ebf38c 100644
--- a/server/routes/api/collections.ts
+++ b/server/routes/api/collections.ts
@@ -150,8 +150,8 @@ router.post("collections.info", auth(), async (ctx: APIContext) => {
 router.post(
   "collections.import",
-  auth(),
   rateLimiter(RateLimiterStrategy.TenPerHour),
+  auth(),
   async (ctx: APIContext) => {
     const { attachmentId,
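Review bot: `rateLimiter(RateLimiterStrategy.TenPerMinute)` on `attachments.create` runs before `auth()`, so when it executes `ctx.state.auth` has not been populated and the bucket can only be derived from a pre-authentication key — presumably the client address — rather than from the user; the implementation in `@server/middlewares/rateLimiter` is outside this diff and should be checked for that. With a per-client key, every user sharing one egress address shares ten attachment creations per minute, and a single multi-image paste or drag-and-drop can plausibly reach that on its own, so the client-side handling of the resulting 429 deserves a test before this ships. The same per-minute limit is applied to `comments.create` in `comments.ts` with the same consequence. A one-line comment above the middleware would spare the next reader the inference, e.g. `// Runs before auth(): throttled per client key, not per authenticated user.` The `router.post(` call continues past the end of the hunk.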
@@ -549,8 +549,8 @@ router.post(
 router.post(
   "collections.export",
-  auth(),
   rateLimiter(RateLimiterStrategy.TenPerHour),
+  auth(),
   async (ctx: APIContext) => {
     const { id } = ctx.request.body;
     const { format = FileOperationFormat.MarkdownZip } = ctx.request.body;
@@ -589,8 +589,8 @@ router.post(
 router.post(
   "collections.export_all",
-  auth(),
   rateLimiter(RateLimiterStrategy.FivePerHour),
+  auth(),
   async (ctx: APIContext) => {
     const { format = FileOperationFormat.MarkdownZip } = ctx.request.body;
     const { user } = ctx.state.auth;
diff --git a/server/routes/api/comments/comments.ts b/server/routes/api/comments/comments.ts
index c62168cc0..30793e2a2 100644
--- a/server/routes/api/comments/comments.ts
+++ b/server/routes/api/comments/comments.ts
@@ -4,12 +4,14 @@ import commentCreator from "@server/commands/commentCreator";
 import commentDestroyer from "@server/commands/commentDestroyer";
 import commentUpdater from "@server/commands/commentUpdater";
 import auth from "@server/middlewares/authentication";
+import { rateLimiter } from "@server/middlewares/rateLimiter";
 import { transaction } from "@server/middlewares/transaction";
 import validate from "@server/middlewares/validate";
 import { Document, Comment } from "@server/models";
 import { authorize } from "@server/policies";
 import { presentComment, presentPolicies } from "@server/presenters";
 import { APIContext } from "@server/types";
+import { RateLimiterStrategy } from "@server/utils/RateLimiter";
 import pagination from "../middlewares/pagination";
 import * as T from "./schema";
@@ -17,6 +19,7 @@ const router = new Router();
 router.post(
   "comments.create",
+  rateLimiter(RateLimiterStrategy.TenPerMinute),
   auth(),
   validate(T.CommentsCreateSchema),
   transaction(),
diff --git a/server/routes/api/groups/groups.ts b/server/routes/api/groups/groups.ts
index 7bfb13bb3..a2114d85f 100644
--- a/server/routes/api/groups/groups.ts
+++ b/server/routes/api/groups/groups.ts
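Review bot: Moving `rateLimiter(RateLimiterStrategy.TenPerHour)` ahead of `auth()` in `collections.export` changes what the limiter can key on: `ctx.state.auth` is not yet set at that point, so the bucket has to come from the connection — presumably the client address via Koa's `ctx.ip`, which is only meaningful behind a reverse proxy if `app.proxy` is configured to trust the forwarded header — and `rateLimiter` must not read `ctx.state.auth`, or it will now see `undefined`; the middleware is outside this diff, so please confirm. Two observable effects follow from the new order: an unauthenticated caller that exhausts the bucket receives 429 where it previously received 401, and any client sharing an egress address with a legitimate user can consume that user's hourly quota on sensitive routes such as `users.invite` and `users.requestDelete`, which is a small availability trade-off that should be a deliberate choice. The same reorder appears in `collections.export_all`, `team.update`, `teams.create`, `users.invite`, `users.requestDelete`, `users.delete` and `views.create`; if per-user keying is intended for any of those, `auth()` has to stay first there. The `router.post(` call continues past the end of the hunk.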
@@ -2,6 +2,7 @@ import Router from "koa-router";
 import { Op } from "sequelize";
 import { MAX_AVATAR_DISPLAY } from "@shared/constants";
 import auth from "@server/middlewares/authentication";
+import { rateLimiter } from "@server/middlewares/rateLimiter";
 import validate from "@server/middlewares/validate";
 import { User, Event, Group, GroupUser } from "@server/models";
 import { authorize } from "@server/policies";
@@ -12,6 +13,7 @@ import {
   presentGroupMembership,
 } from "@server/presenters";
 import { APIContext } from "@server/types";
+import { RateLimiterStrategy } from "@server/utils/RateLimiter";
 import pagination from "../middlewares/pagination";
 import * as T from "./schema";
@@ -75,6 +77,7 @@ router.post(
 router.post(
   "groups.create",
+  rateLimiter(RateLimiterStrategy.TenPerHour),
   auth(),
   validate(T.GroupsCreateSchema),
   async (ctx: APIContext) => {
diff --git a/server/routes/api/teams/teams.ts b/server/routes/api/teams/teams.ts
index 667ca5f73..823fe9ea8 100644
--- a/server/routes/api/teams/teams.ts
+++ b/server/routes/api/teams/teams.ts
@@ -17,8 +17,8 @@ const router = new Router();
 router.post(
   "team.update",
-  auth(),
   rateLimiter(RateLimiterStrategy.TenPerHour),
+  auth(),
   validate(T.TeamsUpdateSchema),
   async (ctx: APIContext) => {
     const { user } = ctx.state.auth;
@@ -43,8 +43,8 @@ router.post(
 router.post(
   "teams.create",
-  auth(),
   rateLimiter(RateLimiterStrategy.FivePerHour),
+  auth(),
   async (ctx: APIContext) => {
     const { user } = ctx.state.auth;
     const { name } = ctx.request.body;
diff --git a/server/routes/api/users/users.ts b/server/routes/api/users/users.ts
index 5627215b0..0884034d5 100644
--- a/server/routes/api/users/users.ts
+++ b/server/routes/api/users/users.ts
@@ -348,8 +348,8 @@ router.post("users.activate", auth(), async (ctx: APIContext) => {
 router.post(
   "users.invite",
-  auth(),
   rateLimiter(RateLimiterStrategy.TenPerHour),
+  auth(),
   async (ctx: APIContext) => {
     const { invites } = ctx.request.body;
     assertArray(invites, "invites must be an array");
@@ -420,8 +420,8 @@ router.post(
 router.post(
   "users.requestDelete",
-  auth(),
   rateLimiter(RateLimiterStrategy.FivePerHour),
+  auth(),
   async (ctx: APIContext) => {
     const { user } = ctx.state.auth;
     authorize(user, "delete", user);
@@ -441,8 +441,8 @@ router.post(
 router.post(
   "users.delete",
-  auth(),
   rateLimiter(RateLimiterStrategy.TenPerHour),
+  auth(),
   async (ctx: APIContext) => {
     const { id, code = "" } = ctx.request.body;
     const actor = ctx.state.auth.user;
diff --git a/server/routes/api/views/views.ts b/server/routes/api/views/views.ts
index 8a4a15f24..abf6e2ec1 100644
--- a/server/routes/api/views/views.ts
+++ b/server/routes/api/views/views.ts
@@ -33,8 +33,8 @@ router.post(
 router.post(
   "views.create",
-  auth(),
   rateLimiter(RateLimiterStrategy.OneThousandPerHour),
+  auth(),
   validate(T.ViewsCreateSchema),
   async (ctx: APIContext) => {
     const { documentId } = ctx.input.body;