Skip to main content
Tutorial Free

Laravel Too Many Login Attempts: Restrict and Customize

January 16, 2019
3 min read

Tutorial last revisioned on June 11, 2025 with Laravel 12

One of the less-known Laravel features is Login throttling. By default, if user tries to log in via default Laravel login form more than 5 times per minute, they will get different error message.

too many logins

Yes, the error isn't just “wrong password”. It's “Too many login attempts. Please try again in X seconds.”

By default, that X is 60, so Laravel restricts login attempts for one minute. But you can customize it.

Laravel Breeze & New Starter Kits

Breeze and the new starter kits React and Vue versions tries to authenticate the user in the App/Http/Requests/Auth/LoginRequest.php class, in the authenticate() method. In this method, there is a line that hits RateLimiter.

RateLimiter::hit($this->throttleKey());

If you check https://github.com/laravel/framework/blob/master/src/Illuminate/Cache/RateLimiter.php file where hit method is located, you will see that it accepts the second parameter decaySeconds which defaults to 60 seconds. So to change that time, you just need to pass your desired time as the second parameter in LoginRequest.php file. For example, if you want to limit it for 120s, it would be.

RateLimiter::hit($this->throttleKey(), 120);

That's all about the time limit, but what about limiting how many attempts? Well, it's also very easy. If we look at the same if check line in the LoginRequest.php:

if (! RateLimiter::tooManyAttempts($this->throttleKey(), 5)) {

That number 5 is the count of how many attempts a user can make. Just change that number to whatever you need.

Livewire kit have two options:

  1. Livewire components
  2. Class-based Volt components

For the Livewire component authentication component is app/Livewire/Auth/Login.php. For the Volt component Blade file location is resources/views/livewire/auth/login.blade.php. The same methods are used in these two files to rate limit the authentication. Change limits to your needs.

Laravel Jetstream

Jetstream uses Laravel Fortify for handling authentication. If you open app\Providers\FortifyServiceProvider.php, in the boot method you should immediately see RateLimiter for login. Specifically this line:

return Limit::perMinute(5)->by($email.$request->ip());

By default, as in other starter kits, it's 5 times per minute, which you can change here. If you want to change the time, Limit has more methods than perMinute. You can find them and check what parameters they take in the official laravel GitHub repository here https://github.com/laravel/framework/blob/master/src/Illuminate/Cache/RateLimiting/Limit.php.

Enjoyed This Tutorial?

Get access to all premium tutorials, video and text courses, and exclusive Laravel resources. Join our community of 10,000+ developers.

Join Premium - $29/month View All Plans

Recent Courses

Comments & Discussion

Z
zoki ✓ Link copied!

How to rate limit user registrations (not logins) in Jetstream? This does not seem to work:

RateLimiter::for('register', function (Request $request) { return Limit::perMinute(1)->by($request->email.$request->ip()); });

Thanks.

We'd Love Your Feedback

Tell us what you like or what we can improve

Feel free to share anything you like or dislike about this page or the platform in general.