diff --git a/app/Providers/AppServiceProvider.php b/app/Providers/AppServiceProvider.php index 4842ef4f6..bebb855fb 100644 --- a/app/Providers/AppServiceProvider.php +++ b/app/Providers/AppServiceProvider.php @@ -92,6 +92,10 @@ class AppServiceProvider extends ServiceProvider return Limit::perDay(10)->by($request->ip()); }); + RateLimiter::for('app-code-verify', function (Request $request) { + return Limit::perHour(10)->by($request->ip()); + }); + // Model::preventLazyLoading(true); } diff --git a/routes/api.php b/routes/api.php index f3d4b57bb..f520f2ccb 100644 --- a/routes/api.php +++ b/routes/api.php @@ -17,6 +17,7 @@ Route::get('.well-known/host-meta', 'FederationController@hostMeta')->name('well Route::redirect('.well-known/change-password', '/settings/password'); Route::get('api/nodeinfo/2.0.json', 'FederationController@nodeinfo'); Route::get('api/service/health-check', 'HealthCheckController@get'); +Route::post('api/auth/app-code-verify', 'AppRegisterController@verifyCode')->middleware('throttle:app-code-verify'); Route::prefix('api/v0/groups')->middleware($middleware)->group(function () { Route::get('config', 'Groups\GroupsApiController@getConfig'); diff --git a/routes/web.php b/routes/web.php index 29e67a440..b4eaee810 100644 --- a/routes/web.php +++ b/routes/web.php @@ -141,7 +141,6 @@ Route::domain(config('pixelfed.domain.app'))->middleware(['validemail', 'twofact Route::get('/i/app-email-verify', 'AppRegisterController@index'); Route::post('/i/app-email-verify', 'AppRegisterController@store')->middleware('throttle:app-signup'); - Route::post('/i/app-code-verify', 'AppRegisterController@verifyCode'); Route::group(['prefix' => 'i'], function () { Route::redirect('/', '/');
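Review bot: The `app-code-verify` limiter in AppServiceProvider.php is keyed only on `$request->ip()`, so the ten-per-hour budget bounds guesses per client address rather than per verification code. Attempts against one code from several addresses are not counted together, and users behind a shared NAT share one bucket. Laravel lets the callback return an array of limits, so a second limit keyed on whatever the code is tied to could be added, e.g. `return [Limit::perHour(10)->by($request->ip()), Limit::perHour(10)->by('code:'.$request->input('<identifier-field>'))];`, where `<identifier-field>` is a placeholder for the request field `verifyCode` reads (not visible in this diff). `$request->ip()` also reflects the real client only when trusted proxies are configured for the deployment, which this hunk cannot confirm. The enclosing method begins above the hunk.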
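Review bot: The new `api/auth/app-code-verify` route is registered at the top level of routes/api.php, outside the `Route::prefix('api/v0/groups')->middleware($middleware)` group, so `throttle:app-code-verify` is the only route-level middleware visible on it. The web route it replaces sat inside the `Route::domain(config('pixelfed.domain.app'))->middleware([...])` group, so the domain constraint and that group's middleware no longer apply. If this is intended, a comment above the route would record it, e.g. `// Intentionally unauthenticated; guarded by throttle:app-code-verify.` With the throttle as the main visible guard, it is worth confirming that `AppRegisterController@verifyCode` (not shown in this diff) expires codes and invalidates them after repeated failures rather than relying on the rate limit alone.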