statamic · duncanmcclean · Apr 27, 2026 · Apr 20, 2026
diff --git a/content/collections/pages/forms.md b/content/collections/pages/forms.md
@@ -585,6 +585,27 @@ You'll also need to set your ajax library's `X-Requested-With` header to `XMLHtt
 
 The URL endpoint to send the request to is `/!/forms/{form-handle}`. You can configure the action route prefix which defaults to `!` in `config/statamic/routes.php`.
 
+## Rate limiting
+
+Form submissions are rate limited by IP address to help protect against abuse. By default, the `statamic.forms` limiter allows 10 submissions per minute across all forms.
+
+You can customize the limit by redefining the named rate limiter in your `AppServiceProvider`'s `boot` method:
+
+```php
+use Illuminate\Cache\RateLimiting\Limit;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\RateLimiter;
+
+public function boot()
+{
+    RateLimiter::for('statamic.forms', function (Request $request) {
+        return Limit::perMinute(20)->by($request->ip());
+    });
+}
+```
+
+Consult the [Laravel documentation](https://laravel.com/docs/13.x/routing#rate-limiting) to learn more about defining rate limiters.
+
 ## Caching
 
 If you are static caching the URL containing a form, return responses like 'success' and 'errors' will not be available after submitting unless you [exclude this page from caching](/static-caching#excluding-pages) or wrap the form in {{ nocache }} tags.

diff --git a/content/collections/pages/users.md b/content/collections/pages/users.md
@@ -302,4 +302,34 @@ Click **Create Passkey** and follow the prompts to complete setup. Once a passke
     <img src="/img/login-with-passkey-option-dark.webp" alt="Passkey button on sign in page" class="u-hide-in-light-mode">
 </figure>
 
-Passkey behaviour, including whether password logins are still allowed for users with passkeys and whether “remember me” applies when logging in with a passkey, can be configured in `config/statamic/webauthn.php`.
+Passkey behaviour, including whether password logins are still allowed for users with passkeys and whether “remember me” applies when logging in with a passkey, can be configured in `config/statamic/webauthn.php`.
+
+## Rate limiting
+
+Statamic's authentication and passkey endpoints are rate limited by IP address to help protect against brute force attacks. The defaults apply to both the front-end and Control Panel:
+
+| Limiter | Default | Routes |
+| --- | --- | --- |
+| `statamic.auth` | 4 per minute | Front-end login, register, password email, password reset |
+| `statamic.cp.auth` | Inherits `statamic.auth` | Control Panel login, password email, password reset |
+| `statamic.passkeys` | 30 per minute | Front-end passkey authentication |
+| `statamic.cp.passkeys` | Inherits `statamic.passkeys` | Control Panel passkey authentication |
+
+You can customize any of these limits by redefining the named rate limiter in your `AppServiceProvider`'s `boot` method:
+
+```php
+use Illuminate\Cache\RateLimiting\Limit;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\RateLimiter;
+
+public function boot()
+{
+    RateLimiter::for('statamic.auth', function (Request $request) {
+        return Limit::perMinute(10)->by($request->ip());
+    });
+}
+```
+
+Overriding `statamic.auth` will affect both the front-end and Control Panel buckets unless you also define a separate `statamic.cp.auth` limiter. The same inheritance applies to `statamic.passkeys` and `statamic.cp.passkeys`.
+
+Consult the [Laravel documentation](https://laravel.com/docs/13.x/routing#rate-limiting) to learn more about defining rate limiters.