diff --git a/apps/dashboard-api/src/routes/auth.js b/apps/dashboard-api/src/routes/auth.js
index fa427382..f664a56e 100644
--- a/apps/dashboard-api/src/routes/auth.js
+++ b/apps/dashboard-api/src/routes/auth.js
@@ -41,6 +41,14 @@ router.post('/reset-password', authLimiter, resetPassword);
 router.get('/github/start', startGithubAuth);
 router.get('/github/callback', handleGithubCallback);
+// OTP and password-reset routes must use authLimiter (10 req/15 min) because
+// they are credential-adjacent endpoints. Placing them before router.use(dashboardLimiter)
+// ensures only authLimiter applies; they never fall through to the 1000 req/15 min bucket.
+router.post('/send-otp', authLimiter, sendOtp);
+router.post('/verify-otp', authLimiter, verifyOtp);
+router.post('/forgot-password', authLimiter, forgotPassword);
+router.post('/reset-password', authLimiter, resetPassword);
+
 router.use(dashboardLimiter);
 router.put('/change-password', authorization, changePassword);