diff --git a/backend/app/api/v1/auth/auth.py b/backend/app/api/v1/auth/auth.py
index 6acf4d35..df945978 100644
--- a/backend/app/api/v1/auth/auth.py
+++ b/backend/app/api/v1/auth/auth.py
@@ -2,6 +2,7 @@
 # -*- coding: utf-8 -*-
 from fastapi import APIRouter, Depends, Request
 from fastapi.security import OAuth2PasswordRequestForm
+from fastapi_limiter.depends import RateLimiter
 from backend.app.common.jwt import DependsUser, get_token, jwt_decode, CurrentJwtAuth
 from backend.app.common.response.response_schema import response_base
@@ -18,7 +19,12 @@ async def swagger_user_login(form_data: OAuth2PasswordRequestForm = Depends()) -
 return SwaggerToken(access_token=token, user=user)
-@router.post('/login', summary='用户登录', description='json 格式登录, 仅支持在第三方api工具调试接口, 例如: postman')
+@router.post(
+ '/login',
+ summary='用户登录',
+ description='json 格式登录, 仅支持在第三方api工具调试接口, 例如: postman',
+ dependencies=[Depends(RateLimiter(times=5, minutes=15))],
+)
 async def user_login(obj: Auth):
 access_token, refresh_token, access_expire, refresh_expire, user = await UserService.login(obj)
 data = LoginToken(
diff --git a/backend/app/common/casbin_rbac.py b/backend/app/common/casbin_rbac.py
index ef0bbb42..e6bd41e2 100644
--- a/backend/app/common/casbin_rbac.py
+++ b/backend/app/common/casbin_rbac.py
@@ -13,7 +13,6 @@
 class RBAC:
-
 @staticmethod
 async def get_casbin_enforcer() -> casbin.Enforcer:
 """
diff --git a/backend/app/core/registrar.py b/backend/app/core/registrar.py
index 0c9bdd9e..15d35d6b 100644
--- a/backend/app/core/registrar.py
+++ b/backend/app/core/registrar.py
@@ -5,6 +5,7 @@
 from fastapi import FastAPI
 from fastapi.middleware.cors import CORSMiddleware
 from fastapi.middleware.gzip import GZipMiddleware
+from fastapi_limiter import FastAPILimiter
 from fastapi_pagination import add_pagination
 from backend.app.api.routers import v1
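Review bot: In backend/app/api/v1/auth/auth.py the limiter is attached only to `/login`, while the `swagger_user_login` route named in the hunk header also returns a token and, as far as the visible lines show, carries no `RateLimiter`, so credential guessing through that route would stay unthrottled. Its decorator lies outside the hunk, so confirm and give it the same `dependencies=[Depends(RateLimiter(times=5, minutes=15))]`. No `identifier=` is passed here, so the library default applies, which to my knowledge keys the counter on the first `X-Forwarded-For` value (falling back to the socket address) plus the path. Unless a trusted proxy overwrites that header the key is chosen by the client, and all users behind one NAT share the five attempts. Consider an identifier built from the proxy-verified address together with a per-username counter for failed logins, and a short comment on the decorator stating that the limit counts every request, successful or not.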
@@ -27,15 +28,19 @@ async def register_init(app: FastAPI):
 """
 # 创建数据库表
 await create_table()
- # 连接redis
+ # 连接 redis
 await redis_client.open()
+ # 初始化 limiter
+ await FastAPILimiter.init(redis_client, prefix='fba_limiter')
 # 启动定时任务
 scheduler.start()
 yield
- # 关闭redis连接
+ # 关闭 redis 连接
 await redis_client.close()
+ # 关闭 limiter
+ await FastAPILimiter.close()
 # 关闭定时任务
 scheduler.shutdown()
diff --git a/requirements.txt b/requirements.txt
index 47544a9d..389e031a 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -3,15 +3,16 @@ aioredis==2.0.1
 aiosmtplib==1.1.6
 alembic==1.7.4
 APScheduler==3.8.1
+asynccasbin==1.1.8
 asyncmy==0.2.5
 bcrypt==3.2.2
-asynccasbin==1.1.8
 casbin_async_sqlalchemy_adapter==1.1.0
 cryptography==39.0.1
 email-validator==1.1.3
 Faker==9.7.1
 fast-captcha==0.1.3
 fastapi==0.95.2
+fastapi-limiter==0.1.5
 fastapi-pagination==0.12.1
 gunicorn==20.1.0
 httpx==0.23.0
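Review bot: In `register_init` (backend/app/core/registrar.py, hunk `@@ -27,15 +28,19 @@`) the shutdown half closes `redis_client` before calling `FastAPILimiter.close()`, although the limiter was initialised with that same client, so the limiter's close presumably runs against a connection that is already closed. Tear down in reverse order of setup: `await FastAPILimiter.close()` first, then `await redis_client.close()`. A comment at the `FastAPILimiter.init(...)` call should also record what is intended to happen to `/login` when Redis is unreachable, since every login request now depends on it and the fail-open or fail-closed choice should be deliberate. The function's signature and docstring begin outside the hunk.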