diff --git a/internal/auth/oidc.go b/internal/auth/oidc.go
index 7f9d4ed..e340781 100644
--- a/internal/auth/oidc.go
+++ b/internal/auth/oidc.go
@@ -18,6 +18,7 @@ import (
 "github.com/yusing/go-proxy/internal/net/gphttp"
 "github.com/yusing/go-proxy/internal/utils"
 "golang.org/x/oauth2"
+ "golang.org/x/time/rate"
 )
 
 type (
@@ -162,6 +163,8 @@ func (auth *OIDCProvider) HandleAuth(w http.ResponseWriter, r *http.Request) {
 }
 }
 
+var rateLimit = rate.NewLimiter(rate.Every(time.Second), 1)
+
 func (auth *OIDCProvider) LoginHandler(w http.ResponseWriter, r *http.Request) {
 // check for session token
 sessionToken, err := r.Cookie(CookieOauthSessionToken)
@@ -182,6 +185,11 @@ func (auth *OIDCProvider) LoginHandler(w http.ResponseWriter, r *http.Request) {
 return
 }
 
+ if !rateLimit.Allow() {
+ http.Error(w, "auth rate limit exceeded", http.StatusTooManyRequests)
+ return
+ }
+
 state := generateState()
 SetTokenCookie(w, r, CookieOauthState, state, 300*time.Second)
 // redirect user to Idp
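Review bot: `rateLimit` is one process-wide limiter (one token per second, burst 1), so it throttles the login endpoint as a whole rather than per client — as soon as any single source exceeds one request per second, every other user's call into the check added in the third hunk gets a 429, which turns a brute-force guard into a cheap lockout of the whole login flow. The usual shape is a limiter keyed by client (for example a map of `*rate.Limiter` per client address with eviction of idle entries), or at least a burst large enough to absorb several concurrent legitimate logins. If the global limit is deliberate, document it where the variable is declared: `// rateLimit throttles the OIDC login redirect for the whole process (1/s, burst 1); it is shared by all clients and all OIDCProvider instances.` The name also reads like a constant; `loginLimiter` would signal a stateful `*rate.Limiter`.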
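Review bot: The 429 written here carries no `Retry-After` header, so clients and intermediaries have no way to know when the login may be retried; since the limiter refills once per second, set `w.Header().Set("Retry-After", "1")` immediately before the `http.Error` call. Placing the check ahead of `generateState()` and `SetTokenCookie` is the right order, since a throttled request then does not mint a state cookie. LoginHandler begins and continues outside this hunk, so whether any earlier branch redirects to the IdP without passing this check cannot be confirmed from here.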