diff --git a/app/Providers/AppServiceProvider.php b/app/Providers/AppServiceProvider.php
index 131c132..632bcac 100644
--- a/app/Providers/AppServiceProvider.php
+++ b/app/Providers/AppServiceProvider.php
@@ -17,7 +17,10 @@
 use App\Policies\SecretAttachmentPolicy;
 use App\Policies\SecretPolicy;
 use App\Policies\SecretSharePolicy;
+use Illuminate\Cache\RateLimiting\Limit;
+use Illuminate\Http\Request;
 use Illuminate\Support\Facades\Gate;
+use Illuminate\Support\Facades\RateLimiter;
 use Illuminate\Support\ServiceProvider;
 use Spatie\Permission\Models\Role;
 
@@ -39,6 +42,16 @@ public function boot(): void
 Person::observe(PersonObserver::class);
 Secret::observe(SecretObserver::class);
 
+ // Define rate limiters (using cache, not Redis)
+ RateLimiter::for('api', function (Request $request) {
+ return Limit::perMinute(60)->by($request->user()?->id ?: $request->ip());
+ });
+
+ // Password reset rate limiter (5 per 60 minutes by IP)
+ RateLimiter::for('password-reset', function (Request $request) {
+ return Limit::perMinutes(60, 5)->by($request->ip());
+ });
+
 // Register policy for Spatie Role model
 Gate::policy(Role::class, RoleManagementPolicy::class);
 
diff --git a/bootstrap/app.php b/bootstrap/app.php
index 0bd6aa2..e0f5cb1 100644
--- a/bootstrap/app.php
+++ b/bootstrap/app.php
@@ -3,12 +3,9 @@
 // SPDX-FileCopyrightText: 2025 SecPal Contributors
 // SPDX-License-Identifier: AGPL-3.0-or-later
 
-use Illuminate\Cache\RateLimiting\Limit;
 use Illuminate\Foundation\Application;
 use Illuminate\Foundation\Configuration\Exceptions;
 use Illuminate\Foundation\Configuration\Middleware;
-use Illuminate\Http\Request;
-use Illuminate\Support\Facades\RateLimiter;
 
 return Application::configure(basePath: dirname(__DIR__))
 ->withRouting(
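Review bot: In the `boot()` hunk of AppServiceProvider.php, the `password-reset` limiter is keyed only by `$request->ip()`, and the `api` limiter falls back to it for unauthenticated requests, so both depend on proxy configuration this diff does not show. If the app sits behind a reverse proxy without trusted proxies configured, every client shares one bucket and five reset requests per hour exhaust the feature for everyone. If forwarded headers are trusted from any source, the key becomes client-controlled and the limit no longer binds. I would state the assumption above the limiter, e.g. `// NOTE: keyed by $request->ip(); trusted proxies must be configured so this is the real client address`, and consider returning a second `Limit` keyed on the normalised account identifier from the reset request so the address is not the only throttle. `boot()` starts and ends outside this hunk, so any existing proxy or limiter setup elsewhere in the provider is not visible here.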
@@ -29,16 +26,6 @@
 $middleware->api(append: [
 \App\Http\Middleware\SetLocaleFromHeader::class,
 ]);
-
- // Define rate limiters (using cache, not Redis)
- RateLimiter::for('api', function (Request $request) {
- return Limit::perMinute(60)->by($request->user()?->id ?: $request->ip());
- });
-
- // Password reset rate limiter (5 per 60 minutes by IP)
- RateLimiter::for('password-reset', function (Request $request) {
- return Limit::perMinutes(60, 5)->by($request->ip());
- });
 })
 ->withExceptions(function (Exceptions $exceptions): void {
 //