diff --git a/backend/internal/config/config.go b/backend/internal/config/config.go
index 262837f..a142904 100644
--- a/backend/internal/config/config.go
+++ b/backend/internal/config/config.go
@@ -53,6 +53,12 @@ func Load() *Config {
 baseDomain = "aggios.app"
 }
+ // Rate limit: more lenient in dev, strict in prod
+ maxAttempts := 30
+ if env == "production" {
+ maxAttempts = 5
+ }
+
 return &Config{
 Server: ServerConfig{
 Port: getEnvOrDefault("SERVER_PORT", "8080"),
@@ -81,7 +87,7 @@ func Load() *Config {
 "https://dash.aggios.app",
 "https://www.aggios.app",
 },
- MaxAttemptsPerMin: 5,
+ MaxAttemptsPerMin: maxAttempts,
 PasswordMinLength: 8,
 },
 }
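Review bot: The rate limit fails open: in the first hunk `maxAttempts` starts at 30 and drops to 5 only when `env` equals `"production"` exactly, so an unset, misspelled or differently cased value, or a staging deployment, runs with the lenient limit. The second hunk feeds that value into `MaxAttemptsPerMin`, which sits next to `PasswordMinLength` and so presumably throttles authentication attempts; that would make the weak default a brute-force exposure rather than a tuning detail. I would invert the default so the strict value applies unless development is named explicitly: `maxAttempts := 5` followed by `if env == "development" { maxAttempts = 30 }`, where `"development"` is a constructed example and should be whatever value the project uses for local runs. `env` is assigned outside the hunk, so how it is read and normalised is not visible here. `Load` also starts and ends outside both hunks.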