diff --git a/server/index.ts b/server/index.ts
index 9f77277d5..9d9f33819 100644
--- a/server/index.ts
+++ b/server/index.ts
@@ -17,6 +17,7 @@ import Logger from "./logging/Logger";
 import services from "./services";
 import { getArg } from "./utils/args";
 import { getSSLOptions } from "./utils/ssl";
+import { defaultRateLimiter } from "@server/middlewares/rateLimiter";
 import {
 checkEnv,
 checkMigrations,
@@ -84,6 +85,9 @@ async function start(id: number, disconnect: () => void) {
 // catch errors in one place, automatically set status and response headers
 onerror(app);
+ // Apply default rate limit to all routes
+ app.use(defaultRateLimiter());
+
 // install health check endpoint for all services
 router.get("/_health", (ctx) => (ctx.body = "OK"));
 app.use(router.routes());
diff --git a/server/routes/api/index.ts b/server/routes/api/index.ts
index a34e98fa8..69eabb8bb 100644
--- a/server/routes/api/index.ts
+++ b/server/routes/api/index.ts
@@ -4,7 +4,6 @@ import Router from "koa-router";
 import userAgent, { UserAgentContext } from "koa-useragent";
 import env from "@server/env";
 import { NotFoundError } from "@server/errors";
-import { defaultRateLimiter } from "@server/middlewares/rateLimiter";
 import { AuthenticatedState } from "@server/types";
 import apiKeys from "./apiKeys";
 import attachments from "./attachments";
@@ -89,8 +88,6 @@ router.get("*", (ctx) => {
 ctx.throw(NotFoundError("Endpoint not found"));
 });
-api.use(defaultRateLimiter());
-
 // Router is embedded in a Koa application wrapper, because koa-router does not
 // allow middleware to catch any routes which were not explicitly defined.
 api.use(router.routes());
diff --git a/server/routes/auth/index.ts b/server/routes/auth/index.ts
index a0860f8e7..b12392d6c 100644
--- a/server/routes/auth/index.ts
+++ b/server/routes/auth/index.ts
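Review bot: In server/index.ts (hunk `@@ -84,6 +85,9 @@`), `app.use(defaultRateLimiter())` is registered before `router.get("/_health", …)`, so health probes now pass through the limiter and draw on the same default budget as every other route. If the limiter keys on client address (its implementation is not visible in this diff), a load balancer or orchestrator probing from a single address could be throttled and report the instance unhealthy; mounting the health router first, i.e. moving `app.use(defaultRateLimiter());` below `app.use(router.routes());`, or exempting `/_health` in the limiter, avoids that. This commit also removes the per-router `defaultRateLimiter()` calls in server/routes/api and server/routes/auth, so this one line becomes the only default throttle in front of the login endpoints. I would say so in the comment, e.g. `// Sole default rate limit for api and auth routes; keep this before any service is mounted`, and add a test asserting that an auth route is rejected once the limit is exceeded. `start` begins and ends outside the hunk, so the diff does not confirm that services are mounted after this point.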
@@ -5,7 +5,6 @@ import bodyParser from "koa-body";
 import Router from "koa-router";
 import { AuthenticationError } from "@server/errors";
 import auth from "@server/middlewares/authentication";
-import { defaultRateLimiter } from "@server/middlewares/rateLimiter";
 import { Collection, Team, View } from "@server/models";
 import providers from "./providers";
@@ -13,7 +12,6 @@ const app = new Koa();
 const router = new Router();
 router.use(passport.initialize());
-router.use(defaultRateLimiter());
 // dynamically load available authentication provider routes
 providers.forEach((provider) => {