diff --git a/src/middleware/rateLimit.js b/src/middleware/rateLimit.js
index 1ec7ca4..c45c927 100644
--- a/src/middleware/rateLimit.js
+++ b/src/middleware/rateLimit.js
@@ -28,9 +28,13 @@ setInterval(() => {
 /**
  * Get rate limit key from request
+ * Note: This runs BEFORE requireAuth, so we must read directly from headers
  */
 function getKey(req, limitType) {
-  const identifier = req.token || req.ip || 'anonymous';
+  // Extract token directly from header since req.token isn't set yet
+  const auth = req.headers.authorization;
+  const token = auth && auth.startsWith('Bearer ') ? auth.slice(7) : null;
+  const identifier = token || req.ip || 'anonymous';
   return `rl:${limitType}:${identifier}`;
 }
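Review bot: The rate-limit key is now derived from an unverified Authorization header, so a client gets a fresh bucket for every distinct Bearer value it sends and the limiter no longer bounds unauthenticated traffic at all; the old `req.token` was at least populated by auth, the new `token` on the added line is raw client input. The key needs to come from something the client cannot freely choose: before requireAuth use `const identifier = req.ip || 'anonymous';` and apply a token-keyed limiter after the token has been validated, or validate the token inside getKey before trusting it. If these `rl:` keys are persisted or logged (the `setInterval` cleanup in the hunk header suggests a store, but it is outside this hunk), embedding the verbatim bearer token also leaks credentials into that store — derive the key from `crypto.createHash('sha256').update(token).digest('hex')` rather than the token itself. The comment `// Extract token directly from header since req.token isn't set yet` explains the why but not the trust consequence; a note that the value is unverified would help the next reader.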